New Member

Routing between 2 VLANs ASA 5505 with site-to-site VPN already configured

I inherited an ASA 5505 which is already connecting to the Internet. There is also a site-to-site VPN up and running between me and another ASA 5505 in the UK.

I need to connect my current inside network to another internal network on a different subnet. I've tried different suggestions that I've come across in the forums but none have worked. I may very well be doing something wrong, but I have to wonder if the site-to-site VPN is somehow making my configuration requirements more complex than if it wasn't configured?

My OUTSIDE interface connects to a cable modem.

My INSIDE interface connects to a network of 192.168.2.0/24

My IPC_PHONE interface connects to a network of 192.168.4.0/27

I have a Security Plus license.

All I really need is to hit one specific machine (192.168.4.8) on the IPC_PHONE network from my INSIDE network.

My understanding is that I need NAT rules but nothing I've tried seems to work.

I'm new at this and use ASDM for config although the CLI would be fine if I needed to use that.

I'm attaching the current router config. There are entries I know I no longer need that were there prior to configuring the local VPN access; I just haven't removed them yet. I don't think they should affect my problem though.

I have tried over and over with advice from these forums and can't seem to make any headway.

Can anyone point me in the right direction?

Thank You


Chip Pursell

1 ACCEPTED SOLUTION
New Member

Hello Chip,

Could you run a packet tracer on the command line in the following way:

packet-tracer input inside tcp 192.168.2.25 2525 192.168.4.8 80

Go ahead and change the source IP to an actual address from the 192.168.2.0 network.

Create the object networks for both IP addresses; you can either use the IP or a name:

object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network 192.168.4.8
 host 192.168.4.8

You can try the following NAT:

nat (inside,IPC_PHONE) source dynamic obj-192.168.2.0 interface destination static 192.168.4.8 192.168.4.8

This way you will make sure it will only work when going to this destination and won't affect the VPN traffic, if you are concerned about that.

If this works for you, you can either do it for one computer, a group of IPs or the whole subnet.

 

 

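As an added worked example, not part of the original thread, here is the complete command set the accepted answer describes, with the subnet mask the `subnet` line requires, object names that match the NAT rule, a least-privilege access rule for the one host, and the verification step. The access-list name and the assumption that an ACL is already applied inbound on the inside interface are mine.

```cisco
! Added example, not the poster's config. Assumes ASA 8.3+ NAT syntax and
! that only 192.168.4.8 on IPC_PHONE needs to be reachable from inside.
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.4.8
 host 192.168.4.8
!
! Twice (manual) NAT: inside sources are PATed to the IPC_PHONE interface
! address only when the destination is 192.168.4.8. Traffic to any other
! destination, including the UK VPN peer's subnet, never matches this
! rule, so the existing VPN NAT exemption is left alone.
nat (inside,IPC_PHONE) source dynamic obj-192.168.2.0 interface destination static obj-192.168.4.8 obj-192.168.4.8
!
! If an ACL is already applied inbound on inside (assumed name below),
! permit only the required host rather than the whole 192.168.4.0/27.
! If no ACL is applied, inside (higher security) to IPC_PHONE is allowed
! by default and this line is not needed.
access-list inside_access_in extended permit ip object obj-192.168.2.0 object obj-192.168.4.8
!
! Verify: the trace should end in ALLOW and its NAT phase should show the
! rule above; translate_hits in "show nat detail" increments per new flow.
packet-tracer input inside tcp 192.168.2.25 2525 192.168.4.8 80
show nat detail
```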
New Member

That was it! You F-in rock. I can't even begin to tell you how happy this makes me.

If you're ever in NYC I owe you a beer (at least).

 

Thanks again
