New Member

Cisco ASA 5505 source routing

Hello

Can I do this with an ASA 5505 (inside 192.168.1.1):

Inside I have a computer 192.168.1.245 (gw 192.168.1.1), which should forward all its traffic over the VPN tunnel to a different office, to the gateway (192.168.32.1).

We had a Netscreen/Juniper 5GT before, which was working that way.

Tarmo

3 REPLIES
New Member

Re: Cisco ASA 5505 source routing

What is the subnet the 192.168.1.245 host is trying to reach over VPN? Is the 192.168.32.1 host directly connected to an ASA subnet? Or is there a route on the ASA to that subnet?

The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to 192.168.32.1, but this would apply for all sources. The ASA does not support policy-based routing. If you have a router or L3 switch before the ASA, you could configure PBR there.

New Member

Re: Cisco ASA 5505 source routing

That host 192.168.1.245 should forward all its traffic to the host 192.168.33.1 (Netscreen FW).

Networks 192.168.1.0/24 and 192.168.33.0/24 are connected over a VPN tunnel (working correctly).

My idea is to allow that host to go outside using a different gateway.

I found something which should help me: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html

but I did not manage to get it to work.

Or if I add that host to a different VLAN, does that help me? We have a SEC PLUS licence.

New Member

Re: Cisco ASA 5505 source routing

This is how I see your network (please correct me if I'm wrong).

192.168.1.0/24 (local LAN) ----- ASA ------ Internet
                                  |
                          192.168.32.0/24 ------ Netscreen ----- Internet ------ Remote-VPN-Peer ----- 192.168.33.0/24

With this I am guessing that 192.168.32.0/24 is a DMZ network on the ASA.

Assuming 192.168.32.0/24 is connected to an ASA interface called "dmz", then you would need to add the following route in the ASA:

route dmz 192.168.33.0 255.255.255.0 192.168.32.1

You can then add an access-list on your inside interface to permit only traffic from 192.168.1.254 to 192.168.33.0/24.

This is all based on guessing; I need more information to be able to give you a good answer.

Edited to correct mistake in post (saw wrong IP in subnet)
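The route plus inside-interface ACL described in the reply above, written out as an added example (this is not configuration from any poster in the thread). It assumes the ASA 5505 already has a VLAN interface named "dmz" in 192.168.32.0/24; the VLAN number, the ASA's own dmz address and the ACL name are assumptions, and the host address is the 192.168.1.245 the original poster named. Note what this does and does not do: it lets only that one host reach the 192.168.33.0/24 network through the Netscreen while the rest of the LAN keeps its normal path, but it does not steer that host's Internet-bound traffic to a different gateway, which the earlier reply explains the ASA cannot do without policy-based routing on a device in front of it.

```cisco
! Added example, not from the thread. Assumed: VLAN 3 is the dmz interface
! and 192.168.32.2 is the ASA's own address on that segment.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.32.2 255.255.255.0

! Static route from the reply: reach the remote VPN network via the Netscreen.
route dmz 192.168.33.0 255.255.255.0 192.168.32.1

! Inbound ACL on the inside interface (name "inside_in" is an assumption).
! Order matters: the first matching line wins, and an applied ACL ends with an
! implicit deny, so ordinary LAN traffic must be explicitly permitted last.
access-list inside_in extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

After applying it, `show route` should list 192.168.33.0/24 via 192.168.32.1 on dmz, and `show access-list inside_in` shows hit counts per line, which is the quickest way to confirm that only the single host is matching the permit and that other LAN hosts are landing on the deny.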
