We have a remote site with 1 ASA 5505 and 1 PIX 501.
The PIX 501 has 2 existing VPN tunnels, to networks 192.168.42.0/24 and 192.168.48.0/24.
The ASA has another tunnel (Easy VPN) to 192.168.1.0/24.
I added an inside route on the ASA to the .48 and .42 networks via the inside of the PIX 501, and I allowed traffic out of the same interface to be able to use the ASA as a router.
The ASA is the default router of the network.
When I try to ping a host on the .42 network from a workstation I get this error:
portmap translation creation failed for tcp src inside:192.168.16.38/2111 dst inside:192.168.48.209/111
I think it's because the ASA wants to NAT this traffic, so I tried to add a rule that traffic from .16 to .42 doesn't need natting. The ASA doesn't accept this setting (error: policy natting not possible when easy vpn client enabled).
Can somebody help me out with this, please?
The ASA is not a router. The ASA by default doesn't allow traffic to go out of the same interface it came in on. I'm not sure if using the same-security-level permit intra-interface command will allow the traffic to flow, but you can give it a try. If that doesn't work, get a Layer 3 switch or router to do the routing.
I issued the same-security-level permit inter-interface command, but I don't think that's the problem; I think it's NAT related.
The command is same-security-level permit intra-interface. Anyway, Cisco says it only works for VPN connections: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114
You are going to need a Layer 3 device (router or L3 switch) to route the traffic.
What you are trying to do is route your inside traffic to remote subnets between different VPN endpoints, right? If that's the case, do you want to NAT that traffic, or not?
You could use only the ASA for all the VPNs instead of having the PIX and ASA. That way you don't have to worry about routing between them. The ASA can handle all the tunnels and much more than the PIX.
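For reference, here is what the pieces discussed above look like in ASA 7.x-style CLI: the intra-interface permit, the inside routes pointing the two PIX-attached subnets back at the PIX, and the NAT exemption that the original poster's ASA rejected while the Easy VPN client was enabled. This is an added illustration, not configuration from the thread; the LAN is assumed to be 192.168.16.0/24 (from the 192.168.16.38 source in the syslog line), the PIX inside address 192.168.16.254 is a placeholder, and the ACL name is made up.

```text
! Added example (not from the thread). ASA 7.x/8.2 syntax.
! Assumptions: LAN = 192.168.16.0/24, PIX inside IP = 192.168.16.254 (placeholder).

! Allow a flow to enter and leave the same interface (hairpin on inside).
same-security-level permit intra-interface

! Remote subnets reachable through the PIX tunnels: send them back out inside.
route inside 192.168.42.0 255.255.255.0 192.168.16.254
route inside 192.168.48.0 255.255.255.0 192.168.16.254

! NAT exemption for LAN -> PIX-attached subnets. This is the rule the ASA
! refused for the poster ("policy natting not possible when easy vpn client enabled").
access-list NO_NAT_PIX extended permit ip 192.168.16.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list NO_NAT_PIX extended permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_PIX
```

The "portmap translation creation failed ... dst inside:..." message is the ASA reporting that inside-to-inside traffic matched a dynamic NAT/PAT rule but had no translation it could build for the inside egress interface; exempting the flow from NAT (or letting a separate Layer 3 device do the routing, as the replies suggest) removes that step.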
Cisco PIX 501 Platform Capabilities and Capacities
Cleartext throughput: Up to 60 Mbps
Concurrent connections: 7,500
56-bit DES IPsec VPN throughput: Up to 6 Mbps
168-bit 3DES IPsec VPN throughput: Up to 3 Mbps
128-bit AES IPsec VPN throughput: Up to 4.5 Mbps
Simultaneous VPN peers: 10*
Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities
Firewall throughput: Up to 150 Mbps
VPN throughput: Up to 100 Mbps
Concurrent sessions: 10,000 / 25,000*
IPsec VPN peers: 10 / 25*
SSL VPN peer license levels**: 10 or 25
Interfaces: 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual interfaces (VLANs): 3 (no trunking support) / 20 (with trunking support)*