Cisco ASA 5505 source routing

Unanswered Question
Dec 2nd, 2010


Can I do this with ASA 5505 (inside

Inside I have a computer (gw, which should forward all its traffic over the VPN tunnel to a different office to the gateway (

We had before netscreen/Juniper 5GT which was working that way.


Erik Ingeberg Thu, 12/02/2010 - 03:47

What is the subnet the host is trying to reach over VPN? Is the host directly connected to an ASA subnet? Or is there a route on the ASA to that subnet?

The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to, but this would apply for all sources. The ASA does not support policy-based routing. If you have a router or L3 switch before the ASA, you could configure PBR there.

tarmo Thu, 12/02/2010 - 03:54

That host should forward all its traffic to the host (netscreen FW).

networks and are connected over VPN tunnel (working correctly).

My idea is to allow that host to go outside using different gateway.

I found something which should help me

but I did not manage to get it to work.

Or if I add that host to a different VLAN, does that help me then? We have a SEC PLUS licence.

Erik Ingeberg Thu, 12/02/2010 - 04:12

This is how I see your network (please correct me if I'm wrong).

(local LAN) ----- ASA ------ Internet
                                 ------ Netscreen ----- Internet ------ Remote-VPN-Peer -----

With this I am guessing that is a DMZ network on the ASA.

Assuming is connected to an ASA interface called "dmz", then you would need to add the following route in the ASA:

route dmz

You can then add an access-list on your inside interface to permit only traffic from to.

This is all based on guessing, I need more information to be able to give you a good answer.

Edited to correct mistake in post (saw wrong IP in subnet)
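The route-plus-ACL approach described above, written out as an added example (not configuration from this thread); the addresses are constructed RFC 5737/1918 values, and a Security Plus license is assumed so the third VLAN can be a fully routed "dmz" interface:

```cisco
! Constructed example values, not from the thread:
!   remote VPN subnet  198.51.100.0/24  (reached through the Netscreen)
!   Netscreen inside IP 192.0.2.1       (on the ASA "dmz" segment)
!   inside host allowed to use that path 10.1.1.50
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.0.2.2 255.255.255.0
!
! Static route: ALL traffic for the remote subnet is sent to the Netscreen.
! The ASA has no policy-based routing, so the route cannot be tied to a source.
route dmz 198.51.100.0 255.255.255.0 192.0.2.1 1
!
! Inbound ACL on "inside": only the single host may reach the remote subnet;
! any other inside source to that subnet is dropped, and the final permit
! keeps the rest of the inside traffic on its normal default-route path.
access-list inside_in extended permit ip host 10.1.1.50 198.51.100.0 255.255.255.0
access-list inside_in extended deny   ip any 198.51.100.0 255.255.255.0
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Because an inbound ACL on an interface ends with an implicit deny, the trailing `permit ip any any` is what keeps existing inside-to-Internet traffic working; leave it out and every other inside host loses connectivity.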

