cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2213
Views
0
Helpful
3
Replies

ASA 5505 - all traffic through one VPN tunnel? NATs, Firewall rules help..

gregatkins1968
Level 1
Level 1

ASA Version 8.2(5)

A customer we are working with has a license restriction on his ASA to only allow two interfaces.  We created three with one of those being restricted.  One inside security network interface

A MPLS interface to create a VPN tunnel across our MPLS

An outside interface that is set to block traffic to the MPLS interface and handle only Internet traffic. 

Their security app uses the MPLS via VPN tunnel to talk across the state without issue.  I was hoping that the ASA would use the inside to MPLS interfaces for the VPN (which is does) and outside interface for all other traffic via a default route.  The weird thing is if I clear the ASA ARP table and surf the net it works, but the second I start the app that uses the VPN tunnel the communication with the Internet stops.   If I close the security app, clear the ARP, and relaunch the browser all is good again. The second I start the security app that uses the local network to remote network VPN the ASA can't understand how to get out to the Internet until I clear the ARP tables again.

I'm thinking its all related to the licensing restriction so if I were to route all traffic through the VPN how would the NAT statements be on the other end (or sending end).  I have a feeling it can get complicated.

The goal is to disconnect his DSL and route everything across our MPLS from remote location B to location A (which is the main office).

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I am not sure what this application we are talking about is. Is it perhaps a VPN Client software? If it is then it could even be that you are connected to some other network where all of your hosts traffic is forwarded and therefore the Internet traffic isnt forwarded through your ASA Internet gateway at all.

Have you tried connecting both with the host that is facing the problem at the moment and with some other host that is not using the application through the ASA Internet connection?

Since you are using the Base License and have set the WAN interface to not forward traffic to MPLS interface this means that

  • Hosts behind WAN cant initiate traffic to hosts behind MPLS
  • Hosts behind MPLS and LAN can initiate connections towards WAN
  • Hosts behind MPLS and LAN can initiate connections both ways.

Also, the interface that holds the default route on the ASA is not counted towards the user limit.

So, if you have the 10 user limit I would imagine that hosts from behind MPLS and LAN interfaces will count towards your licensed limit. Is the MPLS connection L3 or L2? In other words is the ASAs MPLS link connected by some point to point link to some router (either local or remote) or is the MPLS interface part of a larger network segment directly?

You can check the user limit of your license with command

show version

You can show the current user/host amount with the command

show local-host

Check the very top of the output. It should mention how many hosts it sees behind local interface (MPLS and LAN)

- Jouni

We are using two Cisco ASA 5505s to create an VPN/IPSEC tunnel for the local and remote network to communicate.  I should have specificed that the "security app" is a database program that the building security uses to send information to the main office.  The users at the remote location are needing their clients to use the VPN tunnel to communicate with the database server at the main office.  At the same time, they want to route Internet traffic through that same VPN to the main office, and have it be handled by the cable modem.

The AT&T MPLS is layer 2 from our perspective, though the MPLS doesn't "see" the VPN tunnel traffic.  It is also a private connection that we own from AT&T.  Once it arrives at the main office they are wanting to route Internet traffic through the main office's cable connection, and of course local traffic would stay on the local network to talk to the database server.

I'm thinking if we put a DMZ license on our ASA it would clear up the problem, but the customer wants to remove the DSL circuit completely and use the VPN tunnel to as a default rotue for everything back to the main office.

Hi,

Have you taken the output of the "show local-host" from the ASA during the problem and after you have corrected the problem.

And is the userlimit currently 10 for the ASA?

I would like to confirm that is indeed a problem with the userlimit of the ASA unit before doing anything else.

Actually I had to double check and the documentation would seem to indicate that the traffic between MPLS and LAN should not count towards the limit. Only when MPLS and LAN hosts connect to WAN network they should be counted towards the limit. And it doesnt seem likely that any host from behind the MPLS link should be connecting through your WAN interface.

But as I said, using the "show local-host" command should tell us wether your are hitting the user limit of the ASA.

- Jouni