Cisco ASA 5505 source routing

Unanswered Question
Dec 2nd, 2010

Hello

Can I do this with an ASA 5505 (inside 192.168.1.1):

Inside I have a computer 192.168.1.245 (gw 192.168.1.1), which should forward all its traffic over the VPN tunnel to a different office, to the gateway (192.168.32.1).

Before we had a NetScreen/Juniper 5GT, which was working that way.

Tarmo

Erik Ingeberg Thu, 12/02/2010 - 03:47

What is the subnet the 192.168.1.245 host is trying to reach over VPN? Is the 192.168.32.1 host directly connected to an ASA subnet? Or is there a route on the ASA to that subnet?

The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to 192.168.32.1, but this would apply for all sources. ASA does not support policy-based routing. If you have a router or L3 switch before the ASA, you could configure PBR there.

tarmo Thu, 12/02/2010 - 03:54

That host 192.168.1.245 should forward all its traffic to the host 192.168.33.1 (NetScreen FW).

Networks 192.168.1.0/24 and 192.168.33.0/24 are connected over a VPN tunnel (working correctly).

My idea is to allow that host to go outside using a different gateway.

I found something which should help me: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html

but I did not manage to get it to work.

Or if I add that host to a different VLAN, does that help me then? We have a SEC PLUS licence.

Erik Ingeberg Thu, 12/02/2010 - 04:12

This is how I see your network (please correct me if I'm wrong).

    192.168.1.0/24 (local LAN) ----- ASA ------ Internet
                                      |
                             192.168.32.0/24 ------ Netscreen ----- Internet ------ Remote-VPN-Peer ----- 192.168.33.0/24

With this I am guessing that 192.168.32.0/24 is a DMZ network on the ASA.

Assuming 192.168.32.0/24 is connected to an ASA interface called "dmz", then you would need to add the following route in the ASA:

route dmz 192.168.33.0 255.255.255.0 192.168.32.1

You can then add an access-list on your inside interface to permit only traffic from 192.168.1.254 to 192.168.33.0/24.

This is all based on guessing, I need more information to be able to give you a good answer.

Edited to correct mistake in post (saw wrong IP in subnet)
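For anyone landing on this thread later, here is the route plus source-restricting access-list that the reply above describes, written out as a complete ASA configuration snippet. This is an added example, not configuration from the thread or from Cisco; it assumes the interface names "inside" and "dmz" and uses the host 192.168.1.245 from the original question. The ACL name INSIDE_IN and the ports in the packet-tracer line are made up for the example.

```cisco
! Added example (not from the thread). Assumes interfaces "inside" and "dmz",
! a DMZ gateway of 192.168.32.1, and the host 192.168.1.245 from the question.

! Destination route: everything for 192.168.33.0/24 leaves via the dmz interface.
! Routing on the ASA is destination-based, so this applies to all inside sources.
route dmz 192.168.33.0 255.255.255.0 192.168.32.1

! Source restriction on the inside interface. Order matters: the first match wins.
! 1. Only the designated host may reach the remote VPN subnet.
access-list INSIDE_IN extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
! 2. Deny (and log) any other inside host trying to reach that subnet.
access-list INSIDE_IN extended deny ip any 192.168.33.0 255.255.255.0 log
! 3. Let the rest of the LAN continue to the Internet as before. Without this
!    line the ACL's implicit deny would cut off every other inside host.
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any

! Apply the ACL to traffic entering the ASA on the inside interface.
access-group INSIDE_IN in interface inside

! Verification after applying the change:
show route
show access-list INSIDE_IN
packet-tracer input inside tcp 192.168.1.245 1025 192.168.33.1 80
```

The "log" keyword on the deny line gives you a syslog entry for any other inside host that tries to reach the remote subnet, which is a cheap way to see whether something else on the LAN is misconfigured. The packet-tracer command walks a simulated packet through route lookup, ACL and NAT and reports which phase drops it, so it is the quickest way to confirm the route and ACL do what you expect before touching the real host. Note that this only steers traffic for 192.168.33.0/24; sending all of the host's traffic (including Internet-bound traffic) through a different gateway is policy-based routing, which, as the reply above says, has to be done on a device in front of the ASA.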

Posted December 2, 2010 at 1:23 AM