01-10-2008 12:14 PM - edited 03-05-2019 08:24 PM
ASA 5505 now includes routing that the PIX didn't support. My question is: is it possible to route via a static entry to an IP address set up across a LAN-to-LAN VPN location? ASA allows the entry but doesn't allow the traffic. ASA is using PAT.
01-10-2008 12:20 PM
Hi Mark
If this is a standard L2L setup you don't need a route on the ASA, you just need to make sure the IP address is included in your crypto map access-list, which tells the ASA which traffic to send down the tunnel.
As long as traffic destined for the IP ends up at the ASA the IPSEC configuration will do the rest.
Jon
01-10-2008 02:26 PM
The translated address is 10.0.42.15 and the tunnel is set up with 10.0.42.0 255.255.255.0. But it's not working. I thought because the traffic is translated and then encapsulated through the tunnel additional settings might be required. Please advise.
01-10-2008 02:29 PM
Mark
Could you post some more details, i.e.
source IP address, destination address, Natting that takes place on the ASA, crypto access-list etc.
You should not need to add explicit routes.
Jon
01-11-2008 05:42 AM
Here is part of the config:
name 10.0.42.15 Daymas01
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Daymas01 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
service-policy global_policy global
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Goal is to map SMTP traffic from the outside interface onto the VPN tunnel to 10.0.42.15.
Thanks for reviewing!
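Added example, not part of the original thread: a small Python check of which flows the posted crypto map access-list selects for the tunnel, covering the point above that the access-list decides what is sent down the tunnel. The flow addresses are constructed (203.0.113.25 stands in for an Internet mail sender), and it assumes the static PAT rewrites only the destination address.

```python
import ipaddress

# Crypto ACL line copied from the posted config.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip "
    "192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0",
]

def parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION ip SRC DST' (ip-only subset)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = parse_addr(t[5:])
    dst, rest = parse_addr(rest)
    return t[3], src, dst

def is_interesting(acl_lines, src_ip, dst_ip):
    """First-match evaluation; no match means implicit deny (not tunnelled)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, s_net, d_net = parse_ace(line)
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

# Constructed sample flows (assumption: PAT leaves the source address unchanged).
FLOWS = [
    ("192.168.1.50", "10.0.42.15"),   # inside host to the remote server
    ("203.0.113.25", "10.0.42.15"),   # outside SMTP client after the static PAT
]

if __name__ == "__main__":
    for s, d in FLOWS:
        print(f"{s} -> {d}: selected for tunnel = {is_interesting(CRYPTO_ACL, s, d)}")
```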