Best way to accomplish this?



  • Simple enough network setup, single WAN, single LAN.

    I have an IPSec tunnel set up with a Cisco ASA 5505 currently to an offsite facility that shares the same internal IP addresses that I am using in my office, 172.16.x.x, so the ASA is doing NAT/PAT for me.

    I have 5 IP addresses I can use, so one is on the ASA outside, one is on the pfSense WAN, both lead to a switch to my ISP.

    Both connections work fine independently.

    Currently my setup does not work well, I will describe the setup:

    In pfSense I have a firewall rule set up for traffic intended for the offsite facility, to use a gateway with the ASA's internal IP.

    This works as my internal clients can access the sites that I need to.

    However, when uploading files larger than 60 KB, the uploads from my site will fail, timing out.

    I cannot use the ASA as my primary firewall as it has a licensed IP host limit of 10, and I have more than 70 internal clients.

    How should I go about troubleshooting/diagnosing this problem? I need to have this fixed and working 100% ASAP.

    Should I ditch the ASA and configure the IPSec vpn on the pfsense box?

    I am running 2.0-BETA1
    built on Tue May 11 09:56:08 EDT 2010

    Thank you for any help!



  • If nothing else, I'd try updating your pfSense install. RC1 is very, very old and a lot of bugs have been fixed since.



  • If I manually add a route on the client PCs, the VPN works perfectly.

    
    route add x.x.0.0 mask 255.255.0.0 172.16.0.2
    route add x.x.0.0 mask 255.255.0.0 172.16.0.2
    
    

    However, I'm sure I'll run into the license issue with the ASA as my box only allows 10 users (internal IPs) to access the internet (or VPN tunnel).

    There has to be a way to do this in pfSense.



  • Have you updated your pfSense install yet?

    Have you configured it to NAT the OpenVPN interface?



  • @Cry:

    Have you updated your pfSense install yet?

    Have you configured it to NAT the OpenVPN interface?

    No, I have not updated.

    Can you explain what NATing the OpenVPN interface would do for me? I'm not using OpenVPN.



  • Sorry, for some reason I thought you were using OpenVPN.

    If you search the IPsec forum you should find some assistance in NATing the IPsec tunnel traffic. Do update before you ask for any more help, since as I've said many bugs have been fixed since Beta1.



  • @Cry:

    Sorry, for some reason I thought you were using OpenVPN.

    If you search the IPsec forum you should find some assistance in NATing the IPsec tunnel traffic. Do update before you ask for any more help, since as I've said many bugs have been fixed since Beta1.

    The Cisco ASA does the PAT/NAT necessary for the tunnel, I just need the pfSense to direct traffic to the tunnel for the clients.

    I have not set up the IPsec tunnel on the pfSense box so I'm not understanding why my thread was moved here.

    As I understand it, the IPsec implementation on pfSense does not support my config as the IP ranges on either side of the tunnel match.

    The ASA is working perfectly with the static routes added that I mentioned in my previous post, so the tunnel setup is fine, I just need to go through the pfsense as gateway to trick the ASA into allowing more than 10 clients to go through it.



  • @Blind:

    The Cisco ASA does the PAT/NAT necessary for the tunnel, I just need the pfSense to direct traffic to the tunnel for the clients.

    But if your pfSense isn't doing NAT then all the hosts behind it will count towards that client limit as they'll be visible.

    @Blind:

    I have not set up the IPsec tunnel on the pfSense box so I'm not understanding why my thread was moved here.

    Because your post made it sound like you've set up an IPsec tunnel between the Cisco and the pfSense. I think it's time for a diagram so we know exactly what your setup is.

    @Blind:

    As I understand it, the IPsec implementation on pfSense does not support my config as the IP ranges on either side of the tunnel match.

    The ASA is working perfectly with the static routes added that I mentioned in my previous post, so the tunnel setup is fine, I just need to go through the pfsense as gateway to trick the ASA into allowing more than 10 clients to go through it.

    From where? How is the pfSense host connected to the Cisco? How are the clients connected to the pfSense host?

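As an added illustration, not code from this thread or from the pfSense project, here is what the two pieces Cry is describing in the last reply look like when written as a pf.conf fragment, which is the rule language pfSense generates behind its GUI: a policy-route rule on the LAN that sends traffic for the offsite range to the ASA's inside address, plus an outbound NAT rule on the same LAN interface so that the ASA only ever sees the pfSense LAN address rather than 70+ individual clients. The interface name `em1`, the LAN address `172.16.0.1`, and the remote range `192.0.2.0/24` are placeholders (the post only gives the ASA inside address 172.16.0.2 and a redacted `x.x.0.0/16`); substitute the real values. The MSS clamp is a general check practitioners reach for when large transfers stall across an IPsec path; it is included as an option, not as a diagnosis of this thread's problem.

```pf
# --- Hypothetical macros; only asa_inside (172.16.0.2) comes from the post ---
lan_if     = "em1"               # pfSense LAN interface (placeholder)
lan_net    = "172.16.0.0/16"     # office network per the post
asa_inside = "172.16.0.2"        # ASA inside address, from the client route command
remote_net = "192.0.2.0/24"      # placeholder for the redacted x.x.0.0/16 offsite range

# --- Normalization (must precede translation and filter rules in pf.conf) ---
# Optional general check for large transfers dying inside a tunnel: clamp the
# TCP MSS on LAN-originated flows toward the remote range so segments fit the
# IPsec path MTU. 1350 is a conservative starting value, not a measured one.
scrub in on $lan_if proto tcp from $lan_net to $remote_net max-mss 1350

# --- Translation ---
# Rewrite the source address of LAN traffic bound for the remote range to the
# pfSense LAN address. The packet leaves on the same interface it arrived on
# (a hairpin toward the ASA), so the rule is "nat on" the LAN interface.
# Result: the ASA counts one inside host (pfSense), not every client.
nat on $lan_if from $lan_net to $remote_net -> ($lan_if)

# --- Filtering ---
# Policy route: hand matching traffic to the ASA's inside address instead of
# following the default route. "quick" stops further rule evaluation so a
# later generic LAN-to-any rule cannot steer it back to the WAN gateway.
pass in quick on $lan_if route-to ($lan_if $asa_inside) \
    from $lan_net to $remote_net keep state
```

In the pfSense 2.0 GUI the same two rules are Firewall > NAT > Outbound (manual mode, a rule on the LAN interface with destination set to the remote range) and a LAN firewall rule with its Gateway field set to the ASA gateway entry, which matches the rule the original poster says is already in place. The caveat to keep in mind: once the NAT rule is active, the ASA's logs and connection table show only the pfSense LAN address, so any per-client visibility or policy has to live on pfSense.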
