
Cisco ASA 5505

I need to make a config change on a Cisco ASA; here is what I need help with, as I'm no Cisco admin!!
I have a cable modem attached to a Cisco ASA 5505, which provides access to several systems. What I need is to add another router with a PTP VPN and its own IP from the ISP, using the same modem.
I would like to configure one of the ASA ports as a pass-through port, like a hub, where the second router gets the uplink to the ISP. I don't know if this is possible or not; I was hoping I wouldn't need to buy a switch, where I would go from the modem to the switch with the ASA and the new router attached to the switch. Any help would be appreciated.
Asked by: atorex
2 Solutions
 
Cyclops3590 commented:
I suppose it's possible, but let me make sure I understand what you're trying to do. You just want to do a site-to-site VPN (does PTP = point to point?) from your site to another site, correct? If so, the ASA can do that with ease. Same as a router would do it, except probably even easier, since you don't have to deal with all the complexities of going through the ASA to do it.
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

However, if you actually meant PPTP VPN, then here you go:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
 
asavener commented:
"cable modem attached to a Cisco ASA 5505... add another router"
In my experience, this is unlikely to work. Most cable modems will only communicate with a single MAC address, and require a reboot if the networking equipment behind them changes.

I think you need to put the router on the inside interface of the ASA, and publish the IPSec ports.

As mentioned above, the ASA is capable of running an IPSec VPN.  It is not capable of using GRE tunnel interfaces, though, so you may still need another router.
 
atorex (Author) commented:
True, but the current ASA is being used for another project and can't be used for the PTP. The router was sent reconfigured for the PTP, we have an assigned IP from the ISP, and this modem does not lock to a MAC; this is a business account, not a home account.
It will work if I add a switch in front; I just didn't want to do that if possible.
 
atorex (Author) commented:
Sorry, PTP as in Point to Point VPN, site to site.
 
asavener commented:
I've seen many business account cable modems that still could only access one MAC. Just sayin'.

But you should be able to accomplish what you're asking to do, as long as there is an unused port on the ASA.

Can you provide the configuration?
 
Cyclops3590 commented:
In that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPsec; phase 2), though I would use ESP, as you actually get encryption, to be translated and passed through the ASA to the router. However, that is IF you only have a single public IP. If you can designate a public IP to the router, I would recommend that and just pass everything on via a static NAT and then allow the necessary traffic in the ACL on the ASA.
 
atorex (Author) commented:
Yes, there are two ports available. I will have to log in and see if I can pull the config and provide it.
 
atorex (Author) commented:
Thanks Cyclops3590, you just went right over my head with most of that. I do have a public IP for the router; how do I go about setting this up?
 
asavener commented:
"in that case you just need to configure port 500/udp (IKE; phase 1) and protocol 50 (ESP) or protocol 51 (AH) (IPSec; phase 2)"
If it goes through NAT, it will use UDP 500 for ISAKMP and UDP 4500 for the data packets. (Look up "IPsec NAT traversal.")
 
Cyclops3590 commented:
True, but that is for remote access, not site to site. L2L should never be put through NAT-T even if you can. You control all the devices, so why do it? NAT-T is used because you have a client going through a NAT device you have no control over.

If you have a static IP already assigned to the router, then you configure a static NAT on the ASA for that public IP, mapped to the private (internal) IP assigned to the router. Then create an ACL that allows 500/udp and protocol 50 (or just make it easy and allow ip any host router-pub-ip). Then create the site-to-site (L2L) VPN on the router to the other end.

ASA
static IP mapping router public IP to private IP
ACL allowing traffic to router public IP for site to site vpn

router
vpn configuration

other end of vpn
vpn configuration to router public ip

Edit: I agree that NATing causes issues during the SA negotiations, because the IP address is part of the authentication process. But we'd rather have VPN passthrough. Regardless, I'd rather manipulate routing on the ASA and assign the public IP to the router on the inside than deal with the overhead of NAT-T. This is more due to my personal bias against NAT-T, though.
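The static NAT plus ACL approach outlined in the post above, written out as an added ASA configuration example (not from the thread and not the asker's actual config). It assumes ASA 8.3 or later object NAT syntax, interfaces named inside and outside, and constructed placeholder addresses: the VPN router's inside address 192.168.1.2, the second ISP-assigned public address 203.0.113.10, and the remote peer's public address 198.51.100.20. Rather than the "ip any host router-pub-ip" shortcut, the ACL permits only IKE (udp/500), NAT-T (udp/4500, covering the case asavener raised) and ESP, and only from the known remote peer, so the router is not exposed to anything beyond the tunnel it needs.

```cisco
! Added example: static NAT of a second public IP to an inside VPN router
! on an ASA 5505 (8.3+ syntax). All addresses are constructed placeholders.
!
object network VPN-ROUTER-INSIDE
 host 192.168.1.2
 description Inside address of the site-to-site VPN router (placeholder)
!
object network VPN-ROUTER-PUBLIC
 host 203.0.113.10
 description Second ISP-assigned public IP for the router (placeholder)
!
object network REMOTE-VPN-PEER
 host 198.51.100.20
 description Public IP of the far end of the site-to-site VPN (placeholder)
!
! One-to-one static NAT: 203.0.113.10 on the outside <-> 192.168.1.2 inside.
! The ASA answers ARP for the public IP on the outside interface, so the
! modem/ISP delivers that address's traffic to the ASA, which forwards it.
object network VPN-ROUTER-INSIDE
 nat (inside,outside) static VPN-ROUTER-PUBLIC
!
! Only the IPsec control and data channels are allowed through:
!   udp/500  IKE (isakmp), udp/4500 NAT-T, protocol 50 ESP.
object-group service IPSEC-PASSTHROUGH
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object esp
!
! In 8.3+ the ACL references the real (inside) address, not the NAT address.
! Source is restricted to the known remote peer instead of "any".
access-list OUTSIDE_IN extended permit object-group IPSEC-PASSTHROUGH object REMOTE-VPN-PEER object VPN-ROUTER-INSIDE
access-group OUTSIDE_IN in interface outside
```

After applying it, `show nat` and `show xlate` confirm the static translation, and `show access-list OUTSIDE_IN` shows hit counts climbing on the udp/500 entry as the router's IKE negotiation starts. Because the router sits behind NAT, its local identity must still match what the remote peer expects (the public address 203.0.113.10); if the peer sees the private address in the IKE ID, the negotiation fails, which is the SA problem discussed in the edit above.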
 
Cyclops3590 commented:
Follow asavener's advice and toss 4500/udp into the mix. Looking through things, since you can't put the site-to-site VPN on the ASA, allowing 500/udp and 4500/udp and using NAT-T will be your easiest route.

I won't force my personal bias on you; I just have never liked it, which is why I avoid talking about it except for RA, where you have no choice.
 
atorex (Author) commented:
I think placing a 4-port switch in front of the ASA and router may be the best or quickest way to go!
 
Cyclops3590 commented:
I wouldn't go with too cheap of one. While the D-Link, Linksys, Netgear, etc. ones you get at Best Buy will work, their performance isn't near as good as the ones you buy when getting "enterprise" level managed switches. Though, yes, that would be your easiest method (as long as the modem lets that work).
 
asavener commented:
Any switch made in the last few years should have plenty of capacity for a cable Internet connection.
 
Cyclops3590 commented:
I just raised the concern not due to capacity but due to reliability. SOHO unmanaged switches are typically more unreliable and don't perform near as well as enterprise managed switches. It has more to do with the switching mechanisms used, quality of hardware, buffer sizes, etc., which all leads to more latency, which, to me, is the larger concern when deciding what kind of device to put in there. I would rather buy a second-hand Cisco 2900 series switch than use a SOHO switch, but that's just me.