Solved

Cisco ASA 5505

Posted on 2013-05-14
Last Modified: 2013-05-14
Need to make a config change on a Cisco ASA, here is what I need help with as I'm no Cisco admin!!
I have a cable modem attached to a Cisco ASA 5505, this provides access to several systems, what I need is to add another router with a PTP VPN and its own IP from the ISP using the same modem.
I would like to configure one of the ASA ports as a pass-through port, like a hub, where the second router gets the up-link to the ISP. I don't know if this is possible or not; I was hoping I wouldn't need to buy a switch where I would go from the modem to the switch and have the ASA and new router attached to the switch. Any help would be appreciated.
Question by:atorex
15 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
I suppose it's possible, but let me make sure I understand what you're trying to do. You just want to do site-to-site VPN (does PTP = point to point?) from your site to another site, correct? If so, the ASA can do that with ease. Same as a router would do it, except probably even easier since you don't have to deal with all the complexities of going through the ASA to do it.
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

however if you actually meant PPTP VPN, then here you go
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
 
LVL 28

Expert Comment

by:asavener
cable modem attached to a Cisco ASA 5505... add another router
In my experience, this is unlikely to work. Most cable modems will only communicate with a single MAC address, and require a reboot if the networking equipment behind them changes.

I think you need to put the router on the inside interface of the ASA, and publish the IPSec ports.

As mentioned above, the ASA is capable of running an IPSec VPN.  It is not capable of using GRE tunnel interfaces, though, so you may still need another router.
 

Author Comment

by:atorex
True, but the current ASA is being used for another project and can't be used for the PTP. The router was sent reconfigured for the PTP, we have an assigned IP from the ISP, and this modem does not lock to a MAC; this is a business account, not a home account.
It will work if I add a switch in front just didn't want to do that if possible.
 

Author Comment

by:atorex
Sorry, PTP as in Point to Point VPN, site to site.
 
LVL 28

Expert Comment

by:asavener
I've seen many business account cable modems that still could only access one MAC.  Just sayin'.

But you should be able to accomplish what you're asking to do, as long as there is an unused port on the ASA.

Can you provide the configuration?
 
LVL 25

Expert Comment

by:Cyclops3590
In that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPsec; phase 2) to be translated and passed through the ASA to the router, though I would use ESP as you actually get encryption. However, that is IF you only have a single public IP. If you can designate a public IP to the router, I would recommend that: just pass everything on via a static NAT and then allow the traffic necessary in the ACL on the ASA.
 

Author Comment

by:atorex
Yes there are two ports available, I will have to log in and see if I can pull the config and provide it.
 

Author Comment

by:atorex
Thanks Cyclops3590, you just went right over my head with most of that, I do have a public IP for the router how do I go about setting this up?
 
LVL 28

Expert Comment

by:asavener
> in that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPSec; phase 2)

If it goes through NAT, it will use UDP 500 for ISAKMP and UDP 4500 for the data packets. (Look up "IPsec NAT traversal.")
 
LVL 25

Expert Comment

by:Cyclops3590
True, but that is for remote access, not site to site. L2L should never be put through NAT-T even if you can. You control all the devices, so why do it? NAT-T is used because you have a client going through a NAT device you have no control over.

If you have a static IP already assigned to the router, then you configure a static NAT on the ASA for that public IP, assigned to the private (internal) IP assigned to the router. Then create an ACL that allows 500/udp and protocol 50 (or just make it easy and allow ip any host router-pub-ip). Then create the site-to-site (L2L) VPN on the router to the other end.

ASA
static IP mapping router public IP to private IP
ACL allowing traffic to router public IP for site to site vpn

router
vpn configuration

other end of vpn
vpn configuration to router public ip

edit: I agree that NAT'ing causes issues during the SA negotiations because the IP address is part of the authentication process, but we'd rather have VPN passthrough. Regardless, I'd rather manipulate routing on the ASA and assign the public IP to the router on the inside than deal with the overhead of NAT-T. This is more to do with my personal bias against NAT-T, though.
 
LVL 25

Expert Comment

by:Cyclops3590
Follow asavener's advice and toss 4500/udp in the mix. Looking through things, since you can't put the site-to-site VPN on the ASA, allowing 500/udp and 4500/udp and using NAT-T will be your easiest route.

I won't force my personal bias on you; I just have never liked it, which is why I avoid talking about it except for RA, where you have no choice.
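A concrete ASA configuration for the static-NAT-plus-ACL approach laid out in the comments above, added here as an illustration; it is not from the thread or from any of the posters. It assumes ASA 8.3 or later (object-based NAT, ACLs written against the real inside address), interfaces named inside and outside, and placeholder addresses: 203.0.113.10 for the ISP-assigned public IP of the VPN router, 192.168.1.2 for the router's inside address, and 198.51.100.20 for the far-end VPN peer.

```cisco
! Added example, not part of the original thread. Assumes ASA 8.3+ NAT
! syntax, interfaces "inside"/"outside", and placeholder addresses:
!   203.0.113.10   ISP-assigned public IP for the VPN router
!   192.168.1.2    router's address on the ASA inside network
!   198.51.100.20  far-end VPN peer (the only source allowed in)
!
! 1. One-to-one static NAT: 203.0.113.10 on the outside <-> 192.168.1.2 inside.
!    A 1:1 static also translates ESP (protocol 50), so no ipsec-pass-thru
!    inspection is required for the tunnel traffic.
object network VPN-ROUTER-PUBLIC
 host 203.0.113.10
object network VPN-ROUTER-INSIDE
 host 192.168.1.2
 nat (inside,outside) static VPN-ROUTER-PUBLIC
!
! 2. Inbound ACL on the outside interface. Allow only what the tunnel
!    needs: IKE (udp/500), NAT-T (udp/4500) and ESP, and only from the
!    known peer. On 8.3+ the destination is the real (inside) address.
access-list OUTSIDE-IN extended permit udp host 198.51.100.20 host 192.168.1.2 eq 500
access-list OUTSIDE-IN extended permit udp host 198.51.100.20 host 192.168.1.2 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.20 host 192.168.1.2
access-group OUTSIDE-IN in interface outside
!
! Pre-8.3 equivalent (ACL then references the mapped address instead):
!   static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255
!   access-list OUTSIDE-IN extended permit udp host 198.51.100.20 host 203.0.113.10 eq 500
!   access-list OUTSIDE-IN extended permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
!   access-list OUTSIDE-IN extended permit esp host 198.51.100.20 host 203.0.113.10
!   access-group OUTSIDE-IN in interface outside
```

Two things to check after applying it. First, 203.0.113.10 must be reachable on the outside: if it sits in the same subnet as the ASA's outside address, the ASA proxy-ARPs for it; if the ISP routes a separate block to you, the modem or ISP must route that block to the ASA's outside address. Second, because the ASA rewrites the router's address, IKE's NAT discovery on both peers will detect a NAT and, if both support it, switch to NAT-T on udp/4500 automatically, which is why the ACL permits 4500 as well as 500 and ESP; the far-end peer must also be configured to accept the router's IKE identity as the router sends it (its inside address by default on IOS with pre-shared keys) or the router must be set to identify by hostname or by the public address.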
 

Author Comment

by:atorex
I think placing a 4 port switch in front of the ASA and router may be the best or quickest way to go!
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 250 total points
I wouldn't go with too cheap of one. While the D-Link, Linksys, Netgear, etc. ones you get at Best Buy will work, their performance isn't near as good as the ones you buy when getting "enterprise" level managed switches. Though, yes, that would be your easiest method (as long as the modem lets that work).
 
LVL 28

Accepted Solution

by:
asavener earned 250 total points
Any switch made in the last few years should have plenty of capacity for a cable Internet connection.
 
LVL 25

Expert Comment

by:Cyclops3590
I just raised the concern not due to capacity but due to reliability. SOHO unmanaged switches are typically more unreliable and don't perform near as well as enterprise managed switches. It has more to do with the switching mechanisms used, quality of hardware, buffer sizes, etc., which all leads to more latency, which, to me, is the larger concern when deciding what kind of device to put in there. I would rather buy a second-hand Cisco 2900 series switch than use a SOHO switch, but that's just me.