Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1910
Views
0
Helpful
4
Replies

5505 to 5506 SOHO w/ VPN

Go to solution
billy_vaughn
Level 1
Level 1

‎03-26-2020 06:37 AM

Hello, I've used the ASA 5505 for years and recently got some 5506-X units in to setup as home office devices for users working from home. I knew there were some differences but I'm confused on a few things when comparing the configs between the 5505 and the 5506. I understand the bridge groups to tie the interfaces together but I'm confused about NAT and the ACL's. I've attached two sanitized configs. The 5505 setup works like a charm. Do I need these nat statements if I'm routing everything over a tunnel? Also, would I need an ACL for each interface, something like access-list inside_1 permit any any? Let me know if there are any questions.

nat (inside_1,outside) source dynamic any interface dns
nat (inside_2,outside) source dynamic any interface dns
nat (inside_3,outside) source dynamic any interface dns
nat (inside_4,outside) source dynamic any interface dns
nat (inside_5,outside) source dynamic any interface dns
nat (inside_6,outside) source dynamic any interface dns
nat (inside_7,outside) source dynamic any interface dns

 

Remote setup would  be one network on inside with a phone and PC and the DHCP for outside and device brings up tunnel. Full routing across VPN tunnel.

 

Thanks in advance!

Preview file
4 KB
Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-26-2020 10:43 AM - edited ‎03-26-2020 12:11 PM

Hi,

 

  I cleaned up your config, see attached.

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-26-2020 10:43 AM - edited ‎03-26-2020 12:11 PM

Hi,

 

  I cleaned up your config, see attached.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
billy_vaughn
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 11:35 AM

Sorry, but I accidentally click the accept button. This isn't working. You can't use the BVI address in a NAT statement. 

 

0 Helpful

Go to solution
billy_vaughn
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 11:36 AM

I thought I'd add a screenshot. I did add nameif inside_1 back to in1/2.

 

tracysmithermanvpn(config)# nat (?

configure mode commands/options:
Current available interface(s):

any Global address space
inside_1 Name of interface GigabitEthernet1/2
outside Name of interface GigabitEthernet1/1
tracysmithermanvpn(config)# nat (
ERROR: % Incomplete command
tracysmithermanvpn(config)#

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-26-2020 12:13 PM

Hi,

 

   Failed to see we speak about 5506. I re-attached your configuration, as you're sending all traffic through the tunnel (including Internet traffic if there is such), there is no need for any NAT statements at all (for Internet access, or exclusions for VPN traffic).

 

Regards,

Cristian Matei.

Preview file
5 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card