DMVPN Hub Behind ASA

Can somebody please send me a known working snippet of ASA config to support a DMVPN hub NAT'd behind an ASA. I tried for 2 days even with TAC and I was finally forced to put my DMVPN Hub out on the Internet with the IOS FW.
Basically the issue I was seeing was that ISAKMP would almost complete at the spoke, try to go to QM_IDLE and then start the ISAKMP process over. Tried different code revs, etc. The ASA is running 8.0.3. Works great as long as the ASA was not in the path.
Any help is appreciated.

Hey there I am trying to do the same type of setup with a 3845 behind an ASA5510/Sec plus and I am getting similar results.
I have access-lists permitting:
- ESP, ISAKMP, GRE, and 4500 to the router on the inside.
Have you made in head way to a solution?

Similar Messages

  • DMVPN: HUB's behind a LoadBalancer and Spoke-Spoke communication

    Hallo,
    we are planning a scaling DMVPN network for around 2000 spokes.
    Is it possible to install the HUB's behind a Load Balancer so that they are reachable only through 1 VIP address and ALSO the possibility of a direkt spoke-spoke communication when needed?
    I only found Phase 2 and SLB for HUBs but
    without a spoke-spoke communication.
    http://www.cisco.com/application/pdf/en/us/guest/products/ps6658/c1161/cdccont_0900aecd80313ca3.pdf
    see page 13 there is what we like to have but with the extension of spoke-spoke communication.
    regards
    Karlheinz

    I have been waiting for Cisco to get the spoke-spoke functionality working for this DMVPN HUBs behind load balancer environment. The traditional DMVPN with multiple HUBs does not really scale well, plus it is not very stable routing and NHRP wise.
    Would you care to tell more about your solution. As far as I know on a HUB you cannot have one tunnel for spoke to HUB connections and the other just for HUB-HUB, the NHRP requests from the spokes to find out about the other spoke public IP will not be forwarded between the tunnel interfaces on the HUB

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
    But My case i involve in both situation.
    1) HUB have a Load Balancer (2 WAN Link) ISP A & B
    2) Spoke have Load Balancer (2 WAN Link) ISP A & B
    Now the requirement is Spoke ISP A Tunnel to HUB ISP A.  Spoke ISP B tunnel to HUB ISP B
    So total of two DMVPN tunnel from spoke to hub, and i will use EIGRP and PBR to select path.
    As I know at HUB site, LB must do Static NAT for HUB router IP, so spoke will point to it as tunnel destination address. At spoke LB, i will do policy route to reach HUB ISP A IP via Spoke ISP A link, HUB ISP B IP via Spoke ISP B link.
    HUB and Spoke have to create 2 tunnel with two different network ID but using same source interface.
    The Tunnel destination IP at spoke router is not directly belongs to HUB router. Its hold by HUB LB , and forwarded to HUB router by Static NAT.
    Any problem will face with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below  is TAC's explanation. All is good now. Thanks
    .  Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
    I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
    I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
    1) what RProtocol r u using?
    a) It's OSPF
    2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
        (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
    3) are your tunnels config correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) on your hub'spoke do a debug ip icmp
    a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
    Additional to the info above, Please also note :
    I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • DMVPN Hub Router Placement

    Any docs regarding best practices for placement of DMVPN Hub router. Should it be placed behind firewall, in a DMZ off of firewall or in parallel to firewall.
    Thanks in advance for any input.

    Paul,
    Check out Cisco Validated Design Solutions for best practices. Especially, the one for "Secure WAN".
    http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/networking_solutions_products_genericcontent0900aecd805f65bf.html
    Regards,
    Arul
    *Pls rate if it helps*

  • Running DMVPN Hub and Spoke on same router?

    My client has a project in which traffic flow is hierarchial in nature.  Using DMVPNs, the design is for a "center" router to be a DMVPN spoke to the cloud above it, and a DMVPN Hub to the cloud below it.  I have tried to lab this up, but no success.  I initially build the center router as a DMVPN spoke to teh upper cloud and all is well.  As soon as I had the second tunnel config (as the DMVPN hub to the lower cloud), the first tunnel goes down and my EIGRP flaps.  Im running EIGRP across the DMVPN tunnels.  The two DMVPN clouds are using different network IDs and are running separate EIGRP routing instances.
    I can post configs if desired - just wanted to see if anyone is doing this or knows whether it is possible. 
    Jeff          

    Hi,
    I know it is possible using two DMVPN clouds, but it seems that you need DMVPN phase 3 in this situation. This is suitable for the hierarchical model you want. Take a look at the following link
    http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
    Hope this helps.

  • DMVPN Hub 3945 without ISM card

    Does anyone have any experience with DMVPN hub running on a 3945 with no ISM card? Specifically wondering how many 881 model spokes it will support. The network makes heavy use of PIM-SM and is used primarily for voice and video. Assume throughput of 2M from each spoke.
    thank you, E

    I know this one is old, but what I don't see on your Firewall is AH and ESP, I only see GRE. Also are you trying to offload the IPSEC protection to this firewall?

  • Strange status of DMVPN HUB

    Hi all,
    I have 2 DMVPN HUBs and 20 spokes and on one of these have strange status of DMVPN - NHRP (what does it mean? i didn't find explanation what that status is bad or good, is it mean that spoke could'n get NBMA address of HUB through NHRP?). Could anyone explain what does it mean?
    #show dmvpn
    Interface: Tunnel4, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1        7.#.#.3        10.5.5.1    UP    1d18h     S
         1        7.#.#.4        10.5.5.2  NHRP    1d18h     S
    Spoke's configuration.
    interface Tunnel4
     bandwidth 15000
     ip address 10.5.5.20 255.255.255.0
     no ip redirects
     ip mtu 1416
     ip nhrp map multicast dynamic
     ip nhrp map multicast 7.#.#.3
     ip nhrp map multicast 7.#.#.4
     ip nhrp map 10.5.5.1 7.#.#.3
     ip nhrp map 10.5.5.2 7.#.#.4
     ip nhrp network-id 101
     ip nhrp nhs 10.5.5.1
     ip nhrp nhs 10.5.5.2
     zone-member security outside
     ip tcp adjust-mss 1380
     delay 100
     keepalive 10 3
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key 111000
     tunnel protection ipsec profile dmvpn

    Marcin,
    thank you again for quick reply)
    It very strange because i follow yours tshooting steps and what i got bellow:
    1.Spoke can ping NBMA address of two HUBs
    2. Every HUB can reach NBMA address of spoke
    3. I switch on debuging on spoke and HUBs and I see request packet of NHRP to every HUBs
    Debug on spoke:
    000332: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.1
    000333: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.1 to NBMA 7.#.#.3
    000334: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.3
    000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000336: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.1
    000337: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
    000338: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.1
    000339: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
    000340: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
    000341: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
    000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000343: May 23 10:47:53.408 MSK:       src: 10.5.5.20, dst: 10.5.5.2
    000344: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4 
    000345: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.2
    000346: May 23 10:47:53.412 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up
    000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
    000348: May 23 10:47:53.412 MSK: NHRP: netid_in = 0, to_us = 1
    000349: May 23 10:47:53.412 MSK: NHRP: NHS 10.5.5.1 Tunnel4 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E' 
    000350: May 23 10:47:53.412 MSK: NHRP: NHS-UP: 10.5.5.1
    000351: May 23 10:47:54.920 MSK: NHRP: Setting retrans delay to 4 for nhs  dst 10.5.5.2
    000352: May 23 10:47:54.920 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2 
    000353: May 23 10:47:54.920 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
    000354: May 23 10:47:54.920 MSK: NHRP: Encapsulation succeeded.  Tunnel IP addr 7.#.#.4
    000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
    000356: May 23 10:47:54.920 MSK:       src: 10.5.5.20, dst: 10.5.5.2
    and i don't see any logs related of this spoke on second HUB!
    So... NHRP packet loss on the way to second HUB,but i can't guess about reason why is happend

  • DMVPN Hub Router QoS

    Hello DMVPN Experts,
    As we knew DMVPN Hub routers can have per-tunnel QoS configuration for the spokes.
    But I am not sure the QoS configuration for the Hub site itself. I assume it should be seperated from the per-tunnel QoS and the service-policy should be applied at the physical WAN interfaces and tunnel interfaces? Need help please. Some sample configuration would be appreciated.
    Thanks
    Cedar

    Hi Joseph,
    I am afraid I am having a bit difficulty to understand and would like to hear more if you don't mind.
    We are on the same page that Per-Tunnel QoS let the spokes to control the traffics toward the hub site, which is considered inbound traffic from the WAN/Tunnel interfaces of hub router point of view. However, in order to control the inbound and/or outbound traffic of the WAN/Tunnel interfaces of the hub router, how should we configure seperate QoS configuration other than Per-Tunnel QoS templates, if we should? 
    Here is what I know so far based on ASR1000 document.
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/asr1000/sec-conn-dmvpn-xe-3s-asr1000-book/sec-conn-dmvpn-per-tunnel-qos.html
    Restrictions for Per-Tunnel QoS for DMVPN
    • The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
    • QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
    • Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
    • You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.
    • The class default shaper policy map on the main interface must be applied before the tunnel policy map is applied.
    • The class default shaper policy map must contain only the class class-default and shape commands.
    • The main interface policy map is checked for validity only when a QoS service policy is applied on the tunnel interface. The main interface policy map is not checked during a tunnel move or modification.
    • Adding new classes or features to the main interface policy map is not supported. Doing so, however, will not be blocked.
    After reading the above document, my understanding is that
    1. We could have seperate policy map for physical WAN interface.
    2. The policy-map for the physical WAN interface is limited to a class default shaper only.
    3. The policy-map for physical WAN interface must be applied at the physical WAN interface before the tunnel policy-maps are applied at the tunnel interface.
    But I am not 100% sure if it's correct.
    Thanks,
    Cedar

  • IPv6 WAN Adresses on DMVPN Hubs and Spokes

    Hi,
    I have one question about IPv6 and DMVPN. Let's assume we have a DMVPN Hub Site running IPv6 IP addresses on the WAN Interfaces and Spoke Sites running either IPv4 or IPv6 IP adresses on their WAN Interfaces.
    In IPv4 only Networks, the Tunnel Konfiguration looked like that:
    interface Tunnel 1
    <...>
    ip nhrp map multicast <IPv4 NMBA>
    ip nhrp map 10.0.10.1 <IPv4 NMBA>
    There are IPv6 nhrp commands as well, but they can only map an IPv6 Address to an IPv4 NMBA:
    interface Tunnel1
    <...>
    ipv6 nhrp map multicast <IPv4 NMBA>
    ipv6 nhrp map <IPv6 Tunnel Adress> <IPv4 NMBA>
    I'm wondering how you would configure DMVPN for a network using IPv6 on their WAN Interfaces ??
    Best regards,
    Thomas

    Thomas,
    VTI1(config-if)#ip nhrp map 1.2.3.4 ?  A.B.C.D     IP NBMA address  A.B.C.D     IP mask of destination  X:X:X:X::X  IPv6 NBMA address
    and
    VTI1(config-if)#ipv6 nhrp map 2001:db8::1/128 ?  A.B.C.D     IPv4 NBMA address  X:X:X:X::X  IPv6 NBMA address
    I _seem_to_remember_ this was added in 15.2T  but can't find it back.
    M.

  • DMVPN Hub on HSRP standby router

    I was wondering if a DMVPN Hub was able to provide redundancy on an HSRP standby router.
    I currently have an active tunnel to the standby, but am unable to update EIGRP..
    Thank You in adavnce..

    Check GRE keepalives is enabled or not, if enabled remove that, then check the routing updates.
    Check whether you allowed ESP, UDP 500, UDP 4500 and GRE on your access-list.
    Also Adjust the MTU size, using the cmd ?ip tcp adjust-mss 1360?
    Try these links:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#eigrp
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a0080087026.html

  • Replacing the DMVPN hub router

    We are replacing our current 2921 router, Version 15.2(4)M2, with a 3925 Version 15.2(4)M6. It is the DMVPN hub router for 6 spoke routers. We cut and pasted the configuration from the old router to the new. We confirmed internet connectivity from clients on the inside. But none of the DMVPN tunnels will set up. As we were in a very short maintenance window we did not have a lot of time to troubleshoot and had to revert to the old router. Is there some procedure we need to implement to force the tunnels to come up?

    Because you are changing the Hardware and copy past the config. Spokes will not re register themselves at HUB until you reset them again. Then they will register themselves again in the NHRP table at the new HUB..

  • DMVPN HUB router behind NAT

    we are getting new sip trunks put in and in order for the provider to put them in the Providor put in a router to control all web traffic so they can QOS the voice that means our VPN routers will go behind the nat barrier. but when i switched the routers interface to the natted address the DMVPN tunnels would not build. there is a nat translation to the routers so the external(route-able) IP did not change. the IPsec tunnels did come up just fine. just the few DMVPN connected tunnels did not.
    if issue a "sh DMVPN" the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel addr is what it should be, also the attrb is  "X"
    Tunnel source i have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth"
    i am at a loss on why this was not working. keep in mind this is the HUB router and not the Spoke.

    Here is some additional infor to help
    hub config:
    interface Tunnel0
     bandwidth 512
     ip address "hubtunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1
    crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set "mytransfromset" esp-des esp-md5-hmac
     mode transport
    crypto ipsec profile net1
     set transform-set "mytransformset"
    Spoke config:
    crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec nat-transparency spi-matching
    crypto ipsec profile net1
     set transform-set "mytransformset"
    interface Tunnel0
     bandwidth 512
     ip address "spoketunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast "Remote IP"
     ip nhrp map "hubtunnelIP" "Remote IP"
     ip nhrp network-id 1
     ip nhrp nhs "hubtunnelIP"
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1 shared

  • How to Add Cisco 861's behind ASA 5505

    I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.
    I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
    Our ASA has a public IP of 2.1.2.14/30 assigned to it's outside interface.
    The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
    1. How can I assign this seperate public IP block to the ASA? Is it even possible?
    2. If not possible, what would other options be?
    3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
    Appreciate any help or suggestions.

    Hi,
    I personally run into these situations too and more than one occasion the users start to run into different kind of problems when they got additional hardware on their LAN that we dont manage.
    If you HAVE to do this as you described I would need some additional information
    What software version is your ASA?
    Do you have a Base License version of the ASA5505?Can confirm this with "show version" command
    In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)
    The first thing mentioned above would be needed to confirm what NAT format to use.
    Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
    There are 2 ways to go.
    Option 1.
    Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address
    Now just configure the needed NAT configurations (can naturally help with the configurations when I know the software level of the ASA)Notice that the additional public subnet doesnt need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
    Option 2.
    Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure the "no forward interface Vlanx" to the third Vlan interface which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesnt stop Vlanx from connecting to networks behind third Vlan interface.This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA since they you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside"
    Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible )
    - Jouni

  • Performance Issue behind ASA 5520

    Hi Community!
    I've got an ASA 5520 (8.4.3) Failover Cluster.
    Behind this ASA i have a couple of DMZ Networks. In one of these Networks (lets call it DMZ-A) i have an performance issue.
    So, in DMZ-A i have 2 Windows2012R2 servers.
    IP Server1: 10.0.233.10/24
    IP Server2: 10.0.233.12/24
    If i do an RDP session to Server1 from my Client Computer (at the inside Network - IP: 10.0.20.199) it is really slow. Also File Transfer is very slow. Ping gives me a "normal" replay.
    If i do an RDP session to Server2 from my Client Computer everything works normal.
    If i do an RDP session from Server2 to Server1 everything works normal.
    I did a apcket capture to both servers, and when i analyse them with wireshark there is (at a sertain packet) a big difference. -> see attached files
    ASA_10 -> 10.0.233.10
    ASA_12 -> 10.0.233.12
    Can anybody help me finding out whats going wong there?
    Thanks a lot!!

    Hi ... thanks for the answer.
    Here is the Config. Hope i got all the relevant things in it.
    Somehow the NAT statement causes the trouble:
    object network 10.0.233.10
    nat (dmz233,outside) static XXX.XXX.XXX.133
    Because if i delete this statement, the RDP connection to the server works normal.
    I delete all the network objects and object groups.
    Also all the VPN configs are missing.
    DELETED THE ASA CONFIG BECAUSE I SOLVED THE PROBLEM!!!! -> misconfiguration
    Thanks !!

Maybe you are looking for