Cisco ASA 5505 internal host IPSec to external destination

I have an ASA 5505 running 8.4 code.

Several internal hosts need to make IPsec tunnels to an external destination.  The inside host is a "black box device" pre-configured to make the IPsec connection.

a) Is this possible - I see conflicting posts about hosts on the *inside* of an ASA making an IPsec tunnel to an external destination.

b) Assuming it is possible, can more than one inside host make a connection to the same destination.  I am guessing this is a "no" regardless of a)

My ACL on the outside interface is configured with the following (in addition to other items):

permit udp any any eq 500
permit udp any any eq 4500
permit udp any any eq 1701
permit esp any any
permit as any any
permit gre any any    <-- just for kicks...)
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
You may also need to ad dIPSEC pass thorugh to the Firewalls inspection map
snowdog_2112Author Commented:
i have inspect ipsec-pass-thru on the global policy.

When I enable ipsec-pass-thru, however, I am no longer able to make a VPN Client connection *to* the ASA from an external client.

It seems to be a mutually exclusive configuration - internal hosts making NAT'd ipsec connections *outbound*, or remote clients making VPN client connections to the ASA itself.

Can anyone confirm this?

Is my only option a 1-to-1 NAT on the internal devices, each having its own tunnel to the same destination?  (i.e., I burn 3 public IP's for these stupid printer devices?)

please help!
Feroz AhmedSenior Network EngineerCommented:

You are defining a connectionless protocol in the above configuration and moreover you did not define access-group whenever you define ACL you will have to define AcessGroup at the same time you have done for permitting traffic if it is connection oriented  then you have to change the configuration as below on ASA :

ASA(Config-t)#access-list 101 permit tcp any any echo repy
ASA(Config-t)# access-group 101 in interface outside

check with the changes in ASA configuration .
snowdog_2112Author Commented:
I have access-group for the interfaces - I just did not include those in the thread.

The solution came from Cisco TAC.

The access-list on the outside interface has an ACE to allow the remote IP (i.e., the tunnel destination) to the object-group for the 3 internal "black box" devices ("printers").

2 of the "printers" are actually on the inside of ipsec tunnels connected to the outside interface of the Main ASA (i.e., each remote branch has a tunnel to Main, and each branch has one of these printers).

It works, I'm happy.

PM me if you need more information on the solution.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
snowdog_2112Author Commented:
Solution came from Cisco
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.