Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
3
Replies

Change Home Router by ASA in FTTH failed

sertorivs
Level 1
Level 1

‎03-08-2017 08:51 AM - edited ‎03-12-2019 02:01 AM

Hi team

I want change a Soho-Home Router from FTTH line for a classic ASA5506 but I have a problem, I support several ipsec tunnels to a third party firewall and crossing the soho router.

This router is configured by redirect internet traffic to a dmz server (fw ip address), the provider uses a FTTH line with pppoe on vlan 6 tag.

When I change the Sohjo Router for an ASA5506 firewall and configured as below on image, the ipsec tunnels don´t function properly. I´m desesperated because a SOHO router functions but asa can´t do it. What´s the issue? Is a NAT question? how´s the way to redirecting internet traffic to dmz server in ASA config?.

The rest of traffic is correct, Think that vlan6 pppoe and vpdn functions properly

Regards

Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎03-08-2017 02:37 PM

You have only posted your ppoe configuration and NAT.  Just an FYI the any to outside dynamic NAT statement is not used and can be removed. You can check this by using the command show nat object obj_any details and see if there are any hits.

If you are able to get to the internet via the ASA5506 then, assuming your VPN configuration is correct, it is possible that you have not allowed port UDP/500 and UDP/4500 from the outside interface to the inside interface.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

sertorivs
Level 1
Level 1
In response to Marius Gunnerud

‎03-17-2017 05:56 AM

Sorry, problem follows, not function properly, in this case we have changed the asa configuration as below linmes but problem follows...What can we do?

object network thirdparty
host 192.168.200.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ASA extended permit udp any object thirdparty eq isakmp log
access-list ASA extended permit udp any object thirdparty eq 4500 log

access-group ASA in interface global

object network thirdparty
nat (inside,global) static <public IP address>
!
nat (inside,global) after-auto source dynamic any interface

0 Helpful

Marius Gunnerud
VIP
VIP
In response to sertorivs

‎03-29-2017 03:21 AM

Have you checked what the syslog is saying?  It is also possible that you need to open for ESP protocol and AH protocol.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card