Multiple ASAs and Multiple gateways

Unanswered Question
Aug 5th, 2010

We have a main office and a remote office on different ISPs - both behind ASA-5510s. The main office is a 192.168.200.xxx subnet, the remote office is 192.168.210.xxx. The offices were connected through a point-to-point VPN on the ASAs. We now have a direct layer 2 connection between the locations so we can connect without the VPN (the connection will be behind the ASAs, directly from switch to switch). My question is: if both offices are on the same internal subnet (192.168.200.xxx) and the ASAs have different ISPs (and public addresses), will it work to set the main office systems to ASA #1 (and ISP #1) as the gateway for all internet traffic and the remote office systems to ASA #2 (and ISP #2) for their internet traffic? What I want is all WAN traffic for the main office coming and going through ASA and ISP #1 and all WAN traffic to and from the remote office coming and going through ASA and ISP #2, but all LAN traffic on the same 192.168.200.xxx subnet. Thanks!

mirober2 Wed, 08/18/2010 - 19:14

Hello,

If I understand your question correctly, what you describe will only work if both ASAs have an interface in the 192.168.200.xxx subnet. You won't be able to add a default gateway to your host unless it's in the same subnet. In addition, the ASA doesn't support any type of policy-based routing.

That being said, could you leave the subnets as they currently are (192.168.200.xxx and 192.168.210.xxx)? If so, I've done something very similar to this in the past. It looked like this:

Switch #1-----L2 connection-----Switch #2
    |                               |
ASA #1---------Internet---------ASA #2
    |                               |
Clients [192.168.200.xxx]      Clients [192.168.210.xxx]

In this setup, the clients had a default gateway of the ASA at their respective site. This accomplished what it sounds like you want to do. If a client at site #1 wanted to send traffic to a client at site #2, it would travel to ASA #1, then to ASA #2 via the L2 connection, and on to the destination host. Any other traffic used the ASA's default gateway of its ISP and went out through the site's Internet connection.

Hope that helps.

-Mike
