Solved

Cisco ASA 5505

Posted on 2013-05-14
Last Modified: 2013-05-14
Need to make a config change on a Cisco ASA, here is what I need help with as I'm no Cisco admin!!
I have a cable modem attached to a Cisco ASA 5505, this provides access to several systems, what I need is to add another router with a PTP VPN and its own IP from the ISP using the same modem.
I would like to configure one of the ASA ports as a pass-through port, like a hub, where the second router gets the uplink to the ISP. I don't know if this is possible or not; I was hoping I wouldn't need to buy a switch where I would go from the modem to the switch and have the ASA and new router attached to the switch. Any help would be appreciated.
Question by:atorex
15 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39164448
i suppose it's possible but let me make sure I understand what you're trying to do.  you just want to do site to site vpn (does PTP = point to point) from your site to another site correct?  If so, the ASA can do that with ease.  same as a router would do it, except probably even easier since you don't have to deal with all the complexities of going thru the ASA to do it.
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

however if you actually meant PPTP VPN, then here you go
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
 
LVL 28

Expert Comment

by:asavener
ID: 39164543
cable modem attached to a Cisco ASA 5505... add another router
In my experience, this is unlikely to work.  Most cable modems will only communicate with a single MAC address, and require a reboot if the networking equipment behind them changes.

I think you need to put the router on the inside interface of the ASA, and publish the IPSec ports.

As mentioned above, the ASA is capable of running an IPSec VPN.  It is not capable of using GRE tunnel interfaces, though, so you may still need another router.
 

Author Comment

by:atorex
ID: 39165687
True, but the current ASA is being used for another project and can't be used for the PTP. The router was sent preconfigured for the PTP, we have an assigned IP from the ISP, and this modem does not lock to a MAC; this is a business account, not a home account.
It will work if I add a switch in front just didn't want to do that if possible.

Author Comment

by:atorex
ID: 39165696
sorry PTP as in Point to Point VPN, site to site.
 
LVL 28

Expert Comment

by:asavener
ID: 39165776
I've seen many business account cable modems that still could only access one MAC.  Just sayin'.

But you should be able to accomplish what you're asking to do, as long as there is an unused port on the ASA.

Can you provide the configuration?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39165802
in that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPSec; phase 2) though I would use ESP as you actually get encryption to be translated and passed thru the asa to the router.  however, that is IF you only have a single public IP.  if you can designate a public IP to the router I would recommend that and just pass everything on via a static nat and then allow the traffic necessary in the ACL on the asa.
 

Author Comment

by:atorex
ID: 39165806
Yes there are two ports available, I will have to log in and see if I can pull the config and provide it.
 

Author Comment

by:atorex
ID: 39165823
Thanks Cyclops3590, you just went right over my head with most of that, I do have a public IP for the router how do I go about setting this up?
 
LVL 28

Expert Comment

by:asavener
ID: 39165890
in that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPSec; phase 2)
If it goes through NAT, it will use UDP 500 for ISAKMP and UDP 4500 for the data packets.  (Look up "IPSec NAT traversal.")
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39165926
true, but that is for remote access, not site to site.  L2L should never be put thru NAT-T even if you can.  you control all the devices so why do it?  NAT-T is used because you have a client going thru a NAT device you have no control over.

if you have a static ip already assigned to the router then you configure a static NAT on the ASA for that public IP assigned to the private (internal) IP assigned to the router.  then create an ACL that allows 500/udp and protocol 50 (or just make it easy and allow ip any host router-pub-ip).  then create the site to site (L2L) on the router to the other end.

ASA
static IP mapping router public IP to private IP
ACL allowing traffic to router public IP for site to site vpn

router
vpn configuration

other end of vpn
vpn configuration to router public ip

edit:  i agree that nat'ing causes issues during the sa negotiations because IP address is part of the authentication process.  but we'd rather have vpn passthrough.  regardless, I'd rather manipulate routing on the asa, assign the public IP to the router on the inside than deal with the overhead of nat-t.  this is more to my personal bias against nat-t though.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39165990
follow asavener's advice and toss 4500/udp in the mix.  looking thru things, since you can't put the site to site vpn on the asa, allowing 500/udp and 4500/udp and using nat-t will be your easiest route.  

i won't force my personal bias on you; i just have never liked it which is why I avoid talking about it except for RA which you have no choice.
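For readers who want to see what the static NAT plus ACL outlined two comments up looks like on the box, with the 4500/udp NAT-T port added as agreed above, here it is written out as an added example. It is not anyone's posted configuration: the addresses (203.0.113.10 as the second public IP from the ISP, 192.168.1.10 as the inside address given to the VPN router's WAN port, 198.51.100.20 as the far-end VPN gateway), the interface names inside/outside and the ACL name OUTSIDE_IN are all assumptions, and the syntax is the ASA 8.3+ form where the ACL references the real (inside) address rather than the translated one.

```cisco
! Added example, not from the thread. Assumed values:
!   203.0.113.10  second public IP from the ISP, to be owned by the VPN router
!   192.168.1.10  inside address on the VPN router's WAN port
!   198.51.100.20 far-end (peer) VPN gateway
! Interface names "inside"/"outside" and the ACL name OUTSIDE_IN are assumptions.
! ASA 8.3+ syntax: object NAT, and ACLs reference the real (inside) address.

! One-to-one static NAT: the router's inside address is presented on the
! Internet as the dedicated public IP, so the IKE peer identity stays stable.
object network VPN-ROUTER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10

! Permit only the far-end peer, and only the IPsec traffic the thread settles on:
! IKE (UDP 500), NAT-T (UDP 4500), and ESP (protocol 50) in case the peers end
! up negotiating without NAT-T encapsulation.
access-list OUTSIDE_IN extended permit udp host 198.51.100.20 host 192.168.1.10 eq isakmp
access-list OUTSIDE_IN extended permit udp host 198.51.100.20 host 192.168.1.10 eq 4500
access-list OUTSIDE_IN extended permit esp host 198.51.100.20 host 192.168.1.10
access-group OUTSIDE_IN in interface outside
```

Restricting the source to the peer's address instead of the "allow ip any host router-pub-ip" shortcut keeps the router from being reachable by anything but its VPN partner. Once the tunnel is brought up, `show xlate` should list the 192.168.1.10 to 203.0.113.10 translation and `show access-list OUTSIDE_IN` should show non-zero hit counts on the isakmp and 4500 lines; if only the isakmp line is climbing and the tunnel never completes, the peers are not agreeing on NAT-T, which is the point at which the ESP line matters.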
 

Author Comment

by:atorex
ID: 39166078
I think placing a 4 port switch in front of the ASA and router may be the best or quickest way to go!
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 250 total points
ID: 39166091
i wouldn't go with too cheap of one.  while the dlink, linksys, netgear, etc. ones you get at bestbuy will work, their performance isn't near as good as the ones you buy when getting "enterprise" level managed switches.  though, yes, that would be your easiest method (as long as the modem lets that work).
 
LVL 28

Accepted Solution

by:asavener
asavener earned 250 total points
ID: 39166121
Any switch made in the last few years should have plenty of capacity for a cable Internet connection.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39166178
i just raised the concern not due to capacity but due to reliability.  SOHO unmanaged switches are typically more unreliable and don't perform near as well as Enterprise managed switches.  It has more to do with switching mechanisms used, quality of hardware, buffer sizes, etc which all leads into more latency which, to me, is the larger concern when deciding what kind of device to put in there.  I would rather buy a second hand cisco 2900 series switch than use a SOHO switch, but that's just me.