
Cisco ASA 5505 internal host IPSec to external destination

I have an ASA 5505 running 8.4 code.

Several internal hosts need to make IPsec tunnels to an external destination.  The inside host is a "black box device" pre-configured to make the IPsec connection.

a) Is this possible - I see conflicting posts about hosts on the *inside* of an ASA making an IPsec tunnel to an external destination.

b) Assuming it is possible, can more than one inside host make a connection to the same destination?  I am guessing this is a "no" regardless of a).

My ACL on the outside interface is configured with the following (in addition to other items):

permit udp any any eq 500
permit udp any any eq 4500
permit udp any any eq 1701
permit esp any any
permit ah any any
permit gre any any    <-- just for kicks...
1 Solution
Pete LongTechnical ConsultantCommented:
You may also need to add IPsec pass-through to the firewall's inspection map.

snowdog_2112Author Commented:
I have inspect ipsec-pass-thru on the global policy.

When I enable ipsec-pass-thru, however, I am no longer able to make a VPN Client connection *to* the ASA from an external client.

It seems to be a mutually exclusive configuration - internal hosts making NAT'd ipsec connections *outbound*, or remote clients making VPN client connections to the ASA itself.

Can anyone confirm this?

Is my only option a 1-to-1 NAT on the internal devices, each having its own tunnel to the same destination?  (i.e., I burn 3 public IP's for these stupid printer devices?)

please help!
Feroz AhmedSenior Network EngineerCommented:

You are defining connectionless protocols in the above configuration, and moreover you did not define an access-group. Whenever you define an ACL you also have to define an access-group, as you have done for permitting traffic. If it is connection-oriented then you have to change the configuration as below on the ASA:

ASA(config)# access-list 101 extended permit icmp any any echo-reply
ASA(config)# access-group 101 in interface outside

Check with these changes in the ASA configuration.
snowdog_2112Author Commented:
I have access-group for the interfaces - I just did not include those in the thread.

The solution came from Cisco TAC.

The access-list on the outside interface has an ACE to allow the remote IP (i.e., the tunnel destination) to the object-group for the 3 internal "black box" devices ("printers").

2 of the "printers" are actually on the inside of ipsec tunnels connected to the outside interface of the Main ASA (i.e., each remote branch has a tunnel to Main, and each branch has one of these printers).

It works, I'm happy.

PM me if you need more information on the solution.
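The arrangement the poster describes (an outside ACE from the tunnel peer to an object-group of the inside devices, plus ipsec-pass-thru inspection on the global policy), written out as an added ASA 8.4 configuration example. This is not the poster's or Cisco TAC's configuration; the interface names, the peer address 203.0.113.10, the printer addresses 10.1.1.11-13, the object names and the per-client ESP limit are all assumed for illustration.

```cisco
! Constructed example for ASA 8.4 (post-8.3 NAT syntax). All names and addresses are assumed.
!
! The three inside "black box" devices that initiate IPsec outbound.
object network PRINTER1
 host 10.1.1.11
object network PRINTER2
 host 10.1.1.12
object network PRINTER3
 host 10.1.1.13
object-group network IPSEC-PRINTERS
 network-object object PRINTER1
 network-object object PRINTER2
 network-object object PRINTER3
!
! The remote IPsec peer the devices tunnel to.
object network VPN-PEER
 host 203.0.113.10
!
! Outbound PAT: all three devices share the outside interface address.
! (From 8.3 onward, ACLs on the outside interface match the real, untranslated
! inside addresses, so the object-group above can be used directly in the ACL.)
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outside ACL: only the known peer, only to the three devices, only IKE/NAT-T/ESP,
! instead of "permit ... any any".
access-list OUTSIDE-IN extended permit udp object VPN-PEER object-group IPSEC-PRINTERS eq 500
access-list OUTSIDE-IN extended permit udp object VPN-PEER object-group IPSEC-PRINTERS eq 4500
access-list OUTSIDE-IN extended permit esp object VPN-PEER object-group IPSEC-PRINTERS
access-group OUTSIDE-IN in interface outside
!
! IPsec pass-through inspection tracks ESP flows per PAT'd client, so several inside
! hosts can hold SAs to the same peer through one public address. The per-client cap
! and idle timeout below are assumed values.
policy-map type inspect ipsec-pass-thru IPSEC-PT
 parameters
  esp per-client-max 10 timeout 0:10:00
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC-PT
!
! Alternative the poster considered: one-to-one static NAT per device, one public IP each.
! object network PRINTER1
!  nat (inside,outside) static 198.51.100.11
```

With dynamic PAT the devices must support NAT-T (UDP 4500) or rely on the ipsec-pass-thru inspection to map returning ESP back to the right inside host; a device that insists on plain ESP with no NAT-T and no inspection is the case where the static one-to-one NAT fallback is needed. Restricting the ACEs to the peer address rather than any/any also means the ACL no longer advertises IKE, L2TP and GRE to the whole internet.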
snowdog_2112Author Commented:
Solution came from Cisco
Question has a verified solution.
