ASA 5505 Routing IP port

yleclerc2011
Level 1

I am deploying an ASA 5505 unit.  It is connecting a Site to Site LAN but all the traffic needs to be "routed" on the "outside" network.

Example: 

ASA 5505 LAN IP:     192.168.11.1

Tunnel:   xxx.xxx.xxx.150         ->    yyy.yyy.yyy.50                           (Completed!)

Network Traffic:  xxx.xxx.ccc.160   ---> yyy.yyy.yyy.50                       (Traffic is working.)

Network Printing:   yyy.yyy.yyy.50   ---> yyy.yyy.yyy.51 / tcp 9100     ( Connection denied,  ...  flags SYN on interface outside )

Printer NAT access:  yyy.yyy.yyy.51 --> 192.168.1.254

Where / how do I solve this?

2 Replies

raga.fusionet
Level 4

I don't think we got your question. Do you have the same subnet on both sides of the tunnel?

Could you share more about your configs? If the tunnel is up and working for some traffic but not for other, either your crypto ACL or your nonat ACL needs to be modified (assuming that internal routing is properly configured).

Okay, maybe my question is "vague."

My client needs to connect to another network completely "out" of their control (or mine.)

They have WAN IP addresses yyy.yyy.yyy.50 to 54 (subnet mask: 255.255.255.248) locally.

The remote "network" is first creating a tunnel between the "main" IP address "yyy.yyy.yyy.50" from "xxx.xxx.xxx.150." This completes successfully the IPSec connections.

Then, the "remote" network is sending network traffic from xxx.xxx.ccc.160 to yyy.yyy.yyy.50.   This appears to be working as the "other" VPN administrator can "ping" the local PC's internal IP address of 192.168.11.110.

Here is the next step.  The remote network then does not use the local "private" addresses to "route" to a printer (192.168.11.254.)  They are sending the printer "traffic" between two external IP addresses (yyy.yyy.yyy.50 ---> yyy.yyy.yyy.51.)  This is not working and the log is stating:

host/{ip port protocol}|printer/9100|Inbound TCP connection denied from host/52092 to printer/9100 flags SYN on interface outside.

(note: host is network object yyy.yyy.yyy.50  ---- printer is yyy.yyy.yyy.51    )

Then, I need to "port forward" correctly IP 9100 from yyy.yyy.yyy.51 to 192.168.11.254.
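
A sketch of the port forward asked about above, added here as an example and not posted by anyone in the thread. It assumes ASA software 8.3 or later (object NAT), interfaces named `inside` and `outside`, and hypothetical object and ACL names (`PRINTER_INSIDE`, `OUTSIDE_IN`); the masked addresses are the thread's own placeholders and must be replaced with the real ones.

```cisco
! Assumption: ASA 8.3+ syntax. Object and ACL names are hypothetical.
! Static PAT: TCP/9100 arriving at yyy.yyy.yyy.51 on "outside" is
! translated to the printer's real address on "inside".
object network PRINTER_INSIDE
 host 192.168.11.254
 nat (inside,outside) static yyy.yyy.yyy.51 service tcp 9100 9100
!
! From 8.3 on, interface ACLs match the real (untranslated) destination.
! Permit only the sender seen in the denied-connection log line rather
! than "any", so the raw print port is not exposed to the whole internet.
access-list OUTSIDE_IN extended permit tcp host yyy.yyy.yyy.50 host 192.168.11.254 eq 9100
!
! Only if no ACL is bound to "outside" yet. If one already is, add the
! permit line to that ACL instead, because an interface holds a single
! inbound ACL and binding a new one replaces the old.
access-group OUTSIDE_IN in interface outside
!
! Verification: replay the denied SYN from the log and inspect the result.
packet-tracer input outside tcp yyy.yyy.yyy.50 52092 yyy.yyy.yyy.51 9100
show nat detail
show access-list OUTSIDE_IN
```

In the `packet-tracer` output, the UN-NAT phase should show the destination rewritten to 192.168.11.254 and the ACCESS-LIST phase should show the permit; a drop in either phase points at the rule that still needs fixing.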