I am trying to configure static routes on ASA. The N/w diagram is:
RTR1 -- ASA -- NetVX -- Switch
This is the design; the ASA also has a different internet connection. This is just the voice traffic.
RTR1 - 172.10.x.x - inside int, and outside int is connected to the internet
NetVX - 172.21.x.x - outside IP address connected to ASA
ASA - inside (connected to NetVX) - 172.21.x.x
ASA - outside (connected to router) - 172.10.x.x
Don't have to worry about NetVX sending traffic to the internal n/w.
I have to route the traffic from NetVX to RTR1 over the ASA. Also, NetVX has to know the external routes which are on RTR1, which would be 123.x.x.x. Also open voice ports between these two through the ASA.
Do I need to do any static routes, or since they are directly connected, I don't need to?
Also, for external routes on RTR1, I was thinking of having - route RTR1 123.x.x.x 255.x.x.x 172.10.x.x
Any help would be really appreciated.
3. Access list is correct, but for netvx you would need to apply it in the "in" direction, not "out":
access-group netvx in interface netvx
As far as the ASA is concerned, they are directly connected. But as far as RTR1 and NetVX are concerned, they are not directly connected. On the ASA, you do not need any other static routes.
1. Where does the ASA default gateway point to? If the ASA default route points to RTR1, then you do not need static routes on the ASA for the RTR1 external routes. If the ASA default route does not point to RTR1, then yes, you would need to configure static routes for those external networks on the ASA, pointing to RTR1.
2. Yes, you will need NAT exemption. You can configure static NAT to itself. What version of ASA are you running?
3. Which VOIP protocols are you using? SIP? H323? Skinny? I would allow IP between the subnet/host that you need to start with, and then restrict it further once you have it working. This is to ensure that routing and NAT works fine, and you can concentrate on the access-list after everything works fine.
A few things to consider with ASA:
1) Assuming that inside has security level 100 (or at least higher than outside), and you don't want to NAT the traffic, you would need to configure NAT exemption (nonat with ACL) or static NAT to itself:
static (inside,outside) 172.21.0.0 172.21.0.0 netmask 255.255.0.0
2) If you need to allow traffic from outside to inside, then you would need to configure an access-list and apply it on the outside interface.
3) If you don't NAT, then you would need a static route on NetVX to reach the RTR1 network, unless the default gateway is the ASA inside interface. The same applies to RTR1: if you need to access the NetVX network, you would need a static route for the NetVX network on RTR1 pointing to the ASA outside interface IP.
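Putting the three points above together, here is an added example ASA configuration for this topology (not from the original thread; it uses the pre-8.3 `static`/`nat 0` syntax matching the answer). All addresses, interface names, the NetVX host 172.21.1.10, and the RTP port range are constructed assumptions; the 123.x.x.x external network and its mask are placeholders the original poster must fill in.

```cisco
! --- Interfaces (constructed addresses) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.21.1.1 255.255.255.0
!
! --- Point 1: routing toward RTR1 (assumed next hop 172.10.1.2) ---
! If RTR1 is the ASA default gateway, this one route covers 123.x.x.x:
route outside 0.0.0.0 0.0.0.0 172.10.1.2 1
! Otherwise, add a specific route for the external network instead
! (placeholder network/mask - replace with the real 123.x.x.x prefix):
! route outside 123.0.0.0 255.0.0.0 172.10.1.2 1
!
! --- Point 2: no-NAT between NetVX and RTR1 (choose ONE method) ---
! Method A: static NAT to itself (identity NAT)
static (inside,outside) 172.21.0.0 172.21.0.0 netmask 255.255.0.0
! Method B: NAT exemption with an ACL
! access-list NONAT extended permit ip 172.21.0.0 255.255.0.0 172.10.0.0 255.255.0.0
! nat (inside) 0 access-list NONAT
!
! --- Point 3: open voice ports, applied INBOUND on the lower-security side ---
! Start with "permit ip" while testing routing/NAT, then tighten to this:
access-list outside_in extended permit udp 172.10.0.0 255.255.0.0 host 172.21.1.10 eq 5060
access-list outside_in extended permit tcp 172.10.0.0 255.255.0.0 host 172.21.1.10 eq 5060
access-list outside_in extended permit udp 172.10.0.0 255.255.0.0 host 172.21.1.10 range 16384 32767
access-group outside_in in interface outside
!
! --- Routes required on the OTHER devices (not ASA commands) ---
! RTR1 (IOS syntax):  ip route 172.21.0.0 255.255.0.0 172.10.1.1
! NetVX: default gateway = 172.21.1.1, or a static route for 123.x.x.x
!        and 172.10.0.0/16 pointing at 172.21.1.1
```

Verify with `show route`, `show xlate`, and `show access-list outside_in` (hit counts should increment as calls are placed); the default `inspect sip` in the global policy already handles SIP pinholes for the RTP streams if SIP inspection is left enabled.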