New Member

ASA 5505 Routing question

ASA 5505 now includes routing that the PIX didn't support. My question is: is it possible to route via a static entry to an IP address set up across a LAN-to-LAN VPN location? ASA allows the entry but doesn't allow the traffic. ASA is using PAT.

4 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 Routing question

Hi Mark

If this is a standard L2L setup you don't need a route on the ASA; you just need to make sure the IP address is included in your crypto map access-list, which tells the ASA which traffic to send down the tunnel.

As long as traffic destined for the IP ends up at the ASA the IPSEC configuration will do the rest.

Jon

New Member

Re: ASA 5505 Routing question

The translated address is 10.0.42.15 and the tunnel is set up with 10.0.42.0 255.255.255.0. But it's not working. I thought because the traffic is translated and then encapsulated through the tunnel additional settings might be required. Please advise.

Hall of Fame Super Blue

Re: ASA 5505 Routing question

Mark

Could you post some more details, i.e.

source IP address, destination address, Natting that takes place on the ASA, crypto access-list etc.

You should not need to add explicit routes.

Jon

New Member

Re: ASA 5505 Routing question

Here is part of the config:

name 10.0.42.15 Daymas01

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp Daymas01 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group outside_access_in in interface outside

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-DES-SHA

service-policy global_policy global

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

Goal is to map SMTP traffic from the outside interface on to the vpn tunnel to 10.0.42.15.

Thanks for reviewing!
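
Added example, not part of any post in this thread: Jon's replies say the crypto map access-list decides which traffic the ASA sends down the tunnel, so this Python sketch parses the posted `outside_1_cryptomap` entry and tests flows against it. The inside host 192.168.1.20 and the Internet client 203.0.113.10 are constructed sample addresses; the code checks ACL matching only and does not model NAT or routing on the ASA.

```python
import ipaddress

# The crypto ACL entry exactly as posted in the thread.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip "
    "192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0",
]

def _take_network(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'ADDR MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = tokens[3]
    rest = tokens[5:]
    src_net = _take_network(rest)
    dst_net = _take_network(rest)
    return action, src_net, dst_net

def is_interesting(acl_lines, src_ip, dst_ip):
    """First match wins; True only if a permit entry matches BOTH ends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # no entry matched: not selected by this crypto map entry

if __name__ == "__main__":
    # Constructed sample flows: an inside host and an Internet SMTP client.
    flows = [("192.168.1.20", "10.0.42.15"), ("203.0.113.10", "10.0.42.15")]
    for s, d in flows:
        print(s, "->", d, "selected for tunnel:", is_interesting(CRYPTO_ACL, s, d))
```

A flow is selected only when its source and its destination both fall inside the entry, so listing 10.0.42.0/24 as the destination does not cover traffic whose source lies outside 192.168.1.0/24.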
