Routing to Internal Networks

Unanswered Question
Jul 4th, 2008
User Badges:

I have an ASA5505 running 8.0(3) and it is currently the default gateway for the network. However, we need to get to some networks that are attached to a router that was inside the network. So, I have the routes set on the ASA to go to this other router for these networks. I know in older versions of the Pix routing traffic in and then back out the same interface was not allowed but this code has the Intra-Interface routing option which I have enabled but still doesn't work. Will this work or is the Intra-Interface routing option there for some other purpose?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Mike,


The intra-interface option is primaryly used for hosts on the same IP subnet to be able to talk to each other via the ASA. What you are doing is differnet - you want sperate subnets....the ASA is a firewall - not a router.


To be honest It would probably make more sense to move the network default gateway off the ASA and onto a core/local layer 3 routing device?


That was all routing updates/decisions & configurations are easier!!


HTH

mwkirk Fri, 07/04/2008 - 07:28
User Badges:

I have heard the argument numerous times that the ASA/Pix is not a router but in a small office situation I wouldn't necessarily want to worry about having to put in an additional piece of hardware. Also, in this situation the number of machines is small enough that I can just put a static route on them to get what I need for the machines. The only problem I have right now is a couple of printers which I cannot set a static route on and the default gateway needs to still point at the ASA because there are VPN users that will need to access the printer.


I think I may have gotten it to work just now anyway. I actually put a NAT exemption in for the inside network when going to the destination network on the other side of that router. The Packet tracer utility shows me it should be successful and before the nat exemption it plainly showed that it would fail. Also, I can ping over to hosts on the other side now which on Monday I will get the customer to check and see if the services they need access also work.

Actions

This Discussion