04-06-2009 10:43 PM - edited 03-04-2019 04:16 AM
Hi,
I have a question. I want to make the users on remote sites authenticate on the ASA when they want to surf on the web.
To accomplish this they have to go through the Central router, then through the ASA to authenticate (ASA is doing NAT too) and then back to the Central router and then to the Internet.
Right now they are using a proxy that should be disconnected soon.
I tried with route-maps, the packet came to the ASA and then back to the Central router, but then I got a loop error (debug ip policy).
Here is a picture.
04-06-2009 11:29 PM
Hello Smail,
You need another L3 link between ASA and the router; probably the router sees the PBR traffic coming back on the same interface and thinks it is a loop.
Hope to help
Giuseppe
04-06-2009 11:35 PM
ASA is doing NAT so the traffic will come back with a Public IP.
I know now why it detected a loop. I tested it with GNS and I had no NAT configured. Gonna try it now.
But I don't know how the traffic will come back.
04-07-2009 02:35 AM
Hello,
First, the NAT will use a public address, which means that you can use PBR based on the source remote ip addresses.
But you need to know that only one connection to the ASA means that you are connected to the outside, which is not possible!! You have, as Giuseppe says, two connections to the ASA: one with the inside or DMZ to send arriving packets, and an outside to send back the NATted packets.
If you don't have more than one possible physical connection, you may use sub-interfaces on both router and ASA.
Hope that can help.
Regards,
Omar
04-07-2009 04:53 AM
There are two interfaces on the ASA that are connected to the central router.
One has a Public IP and one a private IP (OSPF routing is enabled on that one).
I forgot that when I made a lab with GNS.
I'm gonna try it again later, GNS does not work well on my laptop.
So do you guys have any tips how to solve this one without a lot of complications in the configuration?
04-07-2009 05:14 AM
There is no complication.
On the router, you have two streams:
-Remote->router (managed with PBR and Route-maps)
-Local(ASA)->Internet (managed with default-route)
If you need more information, you have only to ask.
Regards,
Omar
04-13-2009 03:54 AM
Hi,
The remote router sends the request to the central router and it sends it obviously to the ASA. I've put a route-map on the LAN interface on the remote router and a route-map on the tunnel interface on the central router. With "debug ip policy" I get the info that it is policy routed to the next hop (ASA) but it seems that it doesn't reach the ASA.
I used traceroute on my laptop and I get only a response from my LAN interface and the tunnel interface on the central router.
I tested it on GNS where I used a router as the ASA. I used a route-map on this router too and this configuration worked flawlessly.
I tried to configure a route-map on the ASA but there is no set ip next-hop and set interface statement.
04-13-2009 03:59 AM
Right, the ASA doesn't do any PBR like a router. You need to connect to a DMZ and not to the Outside.
On the ASA you need only a NAT from DMZ to Outside.
Any comment ?
Regards,
Omar
04-13-2009 04:03 AM
I have only 3 interfaces on the ASA.
LAN, Internet (connected to the central router) and one "for VPN" (connected to the central router with private IP).
Don't know what to do now, I don't have any ideas.
04-13-2009 04:37 AM
I don't have any ideas how to tell the ASA to send the traffic received on the VPN interface to the outside interface. A route-map would solve this problem but it does not support it.
04-13-2009 09:51 AM
It's not a problem my friend. You can still use sub-interfaces to create more than one in only a single physical interface.
If you have a more detailed schema or configuration file, I can explain to you how you can do it in more detail.
Regards,
Omar
04-13-2009 11:17 AM
I will do it tomorrow at work.
But I don't understand what I will get using sub-interfaces on ASA.
Please explain if it is not a problem.
Thank you in advance.
04-14-2009 05:29 AM
04-15-2009 02:34 AM
Hello,
I think that you have the right configuration on the router as you are using the route-map to redirect traffic to Internet, and traffic from remote to the ASA.
Now the sub-interface connected to the ASA with private OSPF should have a security level more than 0 (called remote) and the one connected with the public IP address needs to be 0 as security level (called outside).
Now on the ASA you need to do NATting from (remote) to (outside). This way you will receive traffic going to Internet from the ASA on the outside interface and the router will reroute it for the second time, now through Internet.
And now, is it clear? If not, please tell me where you have difficulties.
Regards,
Omar
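A constructed configuration sketch of the design Omar describes (PBR on the central router's tunnel interface, a higher-security "remote" sub-interface on the ASA, NAT from remote to outside), added here as an illustration and not taken from any post in this thread. Interface names, VLAN IDs, the 10.10.0.0/16 remote range and all addresses are placeholders; the ASA part uses pre-8.3 nat/global syntax.

```cisco
! --- Central router (IOS, constructed example; addresses are placeholders) ---
! Match only traffic arriving from the remote sites' source range.
ip access-list extended REMOTE-TO-INTERNET
 permit ip 10.10.0.0 0.0.255.255 any
!
! Matching packets are handed to the ASA "remote" sub-interface;
! everything else falls through to the normal routing table.
route-map PBR-TO-ASA permit 10
 match ip address REMOTE-TO-INTERNET
 set ip next-hop 192.168.100.2
!
interface Tunnel0
 ip policy route-map PBR-TO-ASA
!
! Two 802.1Q sub-interfaces on one physical link towards the ASA.
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 203.0.113.1 255.255.255.248
!
! Packets coming back from the ASA outside interface carry a public source,
! so they no longer match REMOTE-TO-INTERNET and follow the default route.
ip route 0.0.0.0 0.0.0.0 198.51.100.1   ! ISP next hop (placeholder)

! --- ASA (constructed example, pre-8.3 NAT syntax) ---
interface GigabitEthernet0/1.100
 vlan 100
 nameif remote
 security-level 50
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Translate the remote range to the outside interface address (PAT).
nat (remote) 1 10.10.0.0 255.255.0.0
global (outside) 1 interface
!
! Return path: replies to 203.0.113.2 are untranslated and sent back
! towards the remote sites via the router's private sub-interface.
route remote 10.10.0.0 255.255.0.0 192.168.100.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Because the route-map is applied only on Tunnel0, traffic re-entering the router on GigabitEthernet0/1.200 is never policy-routed a second time, which is what avoids the loop reported by "debug ip policy".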
04-15-2009 02:51 AM