Cisco ASA 5505 source routing

Dec 2nd, 2010
Hello,

Can I do this with an ASA 5505 (inside 192.168.1.1):

Inside I have a computer 192.168.1.245 (gw 192.168.1.1), which should forward all its traffic over a VPN tunnel to a different office, to the gateway 192.168.32.1.


We had a Netscreen/Juniper 5GT before, which worked that way.


Tarmo

Erik Ingeberg Thu, 12/02/2010 - 03:47

What is the subnet the 192.168.1.245 host is trying to reach over VPN? Is the 192.168.32.1 host directly connected to an ASA subnet? Or is there a route on the ASA to that subnet?


The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to 192.168.32.1, but this would apply to all sources. The ASA does not support policy-based routing. If you have a router or L3 switch in front of the ASA, you could configure PBR there.

tarmo Thu, 12/02/2010 - 03:54

That host 192.168.1.245 should forward all its traffic to the host 192.168.33.1 (Netscreen FW).

Networks 192.168.1.0/24 and 192.168.33.0/24 are connected over a VPN tunnel (working correctly).


My idea is to allow that host to go outside using a different gateway.


I found something which should help me: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html

but I did not manage to get it to work.


Or if I add that host to a different VLAN, does that help me? We have the SEC PLUS licence.

Erik Ingeberg Thu, 12/02/2010 - 04:12

This is how I see your network (please correct me if I'm wrong).


192.168.1.0/24 (local LAN) ----- ASA ------ Internet
                                  |
                    192.168.32.0/24 ------ Netscreen ----- Internet ------ Remote-VPN-Peer ----- 192.168.33.0/24


With this I am guessing that 192.168.32.0/24 is a DMZ network on the ASA.


Assuming 192.168.32.0/24 is connected to an ASA interface called "dmz", then you would need to add the following route on the ASA:


route dmz 192.168.33.0 255.255.255.0 192.168.32.1


You can then add an access-list on your inside interface to permit only traffic from 192.168.1.254 to 192.168.33.0/24.


This is all based on guessing; I need more information to be able to give you a good answer.


Edited to correct mistake in post (saw wrong IP in subnet)
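A worked ASA configuration for the route-plus-ACL approach described in the reply above. This is an added example, not configuration from the original thread, from Cisco documentation, or from either poster; the interface names "inside" and "dmz", the VLAN numbers, security levels, the ASA's own dmz address 192.168.32.2, and the use of 192.168.1.245 (the host from the original question) are all assumptions.

```cisco
! Assumed interface layout (example, not from the thread)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.32.2 255.255.255.0
!
! Destination-based static route: the ASA sends traffic for
! 192.168.33.0/24 to the Netscreen at 192.168.32.1. This applies
! to every source; the route itself cannot be limited to one host.
route dmz 192.168.33.0 255.255.255.0 192.168.32.1
!
! Inbound ACL on "inside": only the one host may use that path.
! Any other inside host trying to reach 192.168.33.0/24 is dropped
! and logged. The final "permit ip any any" keeps all other inside
! traffic working; without it, applying an ACL to the interface
! would implicitly deny everything not listed.
access-list INSIDE_IN extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
access-list INSIDE_IN extended deny ip any 192.168.33.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

The route steers the traffic; the ACL is what confines the path to the single host, so both parts are needed. To confirm the result on the ASA, `show route` should list 192.168.33.0/24 via 192.168.32.1 on dmz, and `packet-tracer input inside tcp 192.168.1.245 12345 192.168.33.10 80` (hypothetical destination and ports) walks a simulated packet through the ACL and route lookup and reports whether it would be allowed and which egress interface it would take; running the same command with a different source address should show the deny hit instead.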
