I was using an ASA5505 as my firewall/router and VPN server without any issues. I've had to change to using a different manufacturer's devices as my firewall/router so I changed the external IP address of the ASA5505 to an extra one.
This works when I connect to the VPN and try to access any other external systems. I can't access any of the internal systems as their default route points to the other firewall/router. If I change the default route on any of those systems to the ASA5505 then everything works but that's not a workable solution.
Any suggestions on how to work around this issue?
Here's the way my network is currently configured:
External network: 18.104.22.168-22.214.171.124
Internal network: 192.168.1.0/24
Firewall/router internal IP: 192.168.1.1
Firewall/router external IP: 126.96.36.199
ASA5505 internal IP: 192.168.1.200
ASA5505 external IP: 188.8.131.52
The ASA5505 is running 8.2(5) and has a Security Plus license.
If necessary I could make the ASA5505 internal-only if that makes things easier.
You will have to forward UDP 500, UDP 4500 and protocol ESP as well in order to successfully negotiate and pass the VPN traffic across the intermediate device. Moreover, you don't have to create new isakmp profiles unless the ones present are not negotiating with the client. Hope that helps.
I have two site to site VPN tunnels passing through a 3825 router and they NAT fine without explicitly having a rule for ESP. If I recall, auto-NAT'ing ESP is what the "NAT-T" option does, which is usually enabled by default.
Of course, having a rule for ESP doesn't really hurt anything.
If you have your other vendor router/fw in front of your ASA VPN fw, then you can have that other vendor device as the pass-through and NAT device, and keep your ASA for VPN only. Also, you need to make sure that you have the proper routing in place to reach all the internal systems. If you describe your problem in more detail, we will be able to solve your issue.
Looking at the information you provided, you have your ASA's outside on the external network range and its inside connected to the LAN. This way, if you have the proper routing in place for both internal and external, then you shouldn't have any problem.
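The "proper routing" the replies above refer to is the crux of the original question: inside hosts send their replies to 192.168.1.1, which has no route back to the VPN client pool, so the return path never reaches the ASA. There are two ways to close that loop: add a static route for the VPN pool on the new firewall/router pointing at 192.168.1.200 (syntax depends on that vendor), or, entirely on the ASA, translate VPN client traffic to the ASA's own inside address so inside hosts reply to a directly connected neighbour. The fragment below is an added example of the second option in ASA 8.2 syntax; it is not from the original post or any reply. The pool 192.168.50.0/24, the object names and the NAT ID 2 are assumptions chosen for illustration; the 192.168.1.0/24 LAN and the 192.168.1.200 inside address come from the question. It assumes the remote-access tunnel-group already hands out addresses from the pool.

```cisco
! Added example, not the poster's configuration.
! Assumed VPN client address pool (not stated in the question).
ip local pool VPN_POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0

! Match traffic from VPN clients destined for the internal LAN.
access-list VPN_TO_INSIDE extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0

! Outside NAT (8.2 syntax): traffic arriving on the outside interface from the
! VPN pool and going to the LAN is PAT'd to the ASA's inside interface address
! (192.168.1.200). Inside hosts now see a directly connected source and reply
! straight to the ASA instead of to 192.168.1.1. The trailing "outside" keyword
! is required for NAT from a lower- to a higher-security interface.
nat (outside) 2 access-list VPN_TO_INSIDE outside
global (inside) 2 interface

! Still required so decrypted VPN traffic can re-enter via the outside
! interface (already present if clients reach external systems today).
same-security-traffic permit intra-interface
```

Trade-off: inside hosts log connections from 192.168.1.200 rather than from the individual VPN client, so the ASA's own connection logs become the only place the per-client source is visible; if per-client attribution on the LAN matters, the static route on the other firewall is the better fix. To confirm the translation is applied, run `packet-tracer input outside icmp 192.168.50.1 8 0 192.168.1.10` and check that the NAT phase selects the `global (inside) 2` translation and the final action is ALLOW, then verify with `show xlate` after a client connects.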