ASA 5505 Routing question

mmccloud
Level 1

ASA 5505 now includes routing that the PIX didn't support. My question: is it possible to route via a static entry to an IP address set up across a LAN-to-LAN VPN location? ASA allows the entry but doesn't allow the traffic. ASA is using PAT.

Jon Marshall
Hall of Fame

Hi Mark

If this is a standard L2L setup you don't need a route on the ASA; you just need to make sure the IP address is included in your crypto map access-list, which tells the ASA which traffic to send down the tunnel.

As long as traffic destined for the IP ends up at the ASA, the IPsec configuration will do the rest.

Jon

The translated address is 10.0.42.15 and the tunnel is set up with 10.0.42.0 255.255.255.0. But it's not working. I thought because the traffic is translated and then encapsulated through the tunnel additional settings might be required. Please advise.

Mark

Could you post some more details, i.e. source IP address, destination address, NATting that takes place on the ASA, crypto access-list etc.

You should not need to add explicit routes.

Jon

Here is part of the config:

    name 10.0.42.15 Daymas01
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Daymas01 smtp netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group outside_access_in in interface outside
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    service-policy global_policy global
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

Goal is to map SMTP traffic from the outside interface onto the VPN tunnel to 10.0.42.15.

Thanks for reviewing!
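
Jon's point that the crypto map access-list decides which traffic is sent down the tunnel can be checked against the posted config. The sketch below is an added example, not part of any post in the thread: it evaluates the posted `outside_1_cryptomap` entry for two flows. The addresses 192.168.1.20 and 203.0.113.10 are constructed samples, and the second flow assumes an external SMTP sender keeps its own source address after the static translation rewrites the destination to 10.0.42.15.

```python
import ipaddress

# Crypto ACL entry copied from the config posted in the thread.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip "
    "192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0",
]

# Constructed sample flows (source, destination); not taken from the thread.
FLOWS = {
    "inside host -> Daymas01": ("192.168.1.20", "10.0.42.15"),
    "external SMTP sender -> Daymas01": ("203.0.113.10", "10.0.42.15"),
}


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK'."""
    tok = line.split()
    if (len(tok) != 9 or tok[0] != "access-list" or tok[2] != "extended"
            or tok[3] not in ("permit", "deny") or tok[4] != "ip"):
        raise ValueError(f"unsupported ACE form: {line!r}")
    src_net = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    dst_net = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
    return tok[3], src_net, dst_net


def selected_for_tunnel(acl_lines, src_ip, dst_ip):
    """First match wins; no match is the implicit deny (not encrypted)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def check_flows():
    """Return {flow name: True if the crypto ACL selects it for the tunnel}."""
    return {name: selected_for_tunnel(CRYPTO_ACL, src, dst)
            for name, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    for name, hit in check_flows().items():
        print(f"{name}: {'tunnel' if hit else 'no crypto ACL match'}")
```

Only the flow sourced from 192.168.1.0/24 matches the posted entry; a flow with any other source address toward 10.0.42.15 is not selected for encryption by this access-list.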
