Cisco ASA 5505 source routing

tarmo
Level 1

Hello

Can I do this with an ASA 5505 (inside 192.168.1.1):

Inside I have a computer 192.168.1.245 (gw 192.168.1.1), which should forward all its traffic over the VPN tunnel to a different office, to the gateway (192.168.32.1).

We had a Netscreen/Juniper 5GT before, which was working that way.

Tarmo

3 Replies

Erik Ingeberg
Level 1

What is the subnet the 192.168.1.245 host is trying to reach over VPN? Is the 192.168.32.1 host directly connected to an ASA subnet? Or is there a route on the ASA to that subnet?

The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to 192.168.32.1, but this would apply for all sources. ASA does not support policy-based routing. If you have a router or L3 switch before the ASA, you could configure PBR there.

tarmo
Level 1

That host 192.168.1.245 should forward all its traffic to the host 192.168.33.1 (Netscreen FW).

Networks 192.168.1.0/24 and 192.168.33.0/24 are connected over a VPN tunnel (working correctly).

My idea is to allow that host to go outside using a different gateway.

I found something which should help me: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html

but I did not manage to get it to work.

Or if I add that host to a different VLAN, does that help me? We have a SEC PLUS licence.

Erik Ingeberg
Level 1

This is how I see your network (please correct me if I'm wrong).

192.168.1.0/24 (local LAN) ----- ASA ------ Internet
                                  |
                           192.168.32.0/24 ------ Netscreen ----- Internet ------ Remote-VPN-Peer ----- 192.168.33.0/24

With this I am guessing that 192.168.32.0/24 is a DMZ network on the ASA.

Assuming 192.168.32.0/24 is connected to an ASA interface called "dmz": then you would need to add the following route in the ASA:

route dmz 192.168.33.0 255.255.255.0 192.168.32.1

You can then add an access-list on your inside interface to permit only traffic from 192.168.1.254 to 192.168.33.0/24.

This is all based on guessing, I need more information to be able to give you a good answer.

Edited to correct mistake in post (saw wrong IP in subnet)
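A worked version of the route-plus-ACL suggestion above, added here as an example and not configuration taken from the thread. It assumes the interface names "inside" and "dmz" from the post, the 192.168.1.245 host from the question, and an ACL name ("inside_in") that is my own choice.

```cisco
! Added example, not from the thread. Interface names "inside" and "dmz"
! are assumed as in the post above; the ACL name inside_in is my own.

! Static route: the remote 192.168.33.0/24 is reached via the Netscreen on the dmz
route dmz 192.168.33.0 255.255.255.0 192.168.32.1

! Only 192.168.1.245 may use that path. Other inside hosts are denied to
! 192.168.33.0/24 but keep their normal access: an interface ACL ends in an
! implicit deny, so the final "permit ... any" is needed or everything else breaks.
access-list inside_in extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! NAT between inside and dmz is not discussed in the thread and may also be
! required on this software version (assumption; check the running NAT config).

! Verification: confirm the route is installed, then simulate a packet from the
! host and check which route, ACL line and egress interface it hits.
show route
packet-tracer input inside tcp 192.168.1.245 40000 192.168.33.10 80
```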
