L3 sitch is connected to firewall and firewall is connected to router
on l3 network 10.0.0.0/24
and default route is to firewall
from firewall default route is ROUTE OUTSIDE 0.0.0.0 0.0.0.0 202.x.x.x(router)
I have another router my requirement is i want 172.16.0.0 /24 data should go through this router(124.x.x.x)
iF I GIVE THE ROUTE ROUTE OUTSIDE 172.16.X.X 255.255.255.0 124.X.X.X ON FIREWALL THUS IT WORK
First of all you must keep in mind that the traditional routing is made using destination address.
So taking this into consideration your firewall will make the routing decisions based on destination.
As an short answer : no will not work.
The solution is PBR , but sadly I do not think this feature is supported on ASA.
If i use another interface of firewall name it as outside1
than route the traffic route outside1 172.16.x.x 255.255.0.0 124.x.x.x
will it work? is there any other solution ?
My understanding regarding your setup is :
L3 switch ------- ASA -------- ROUTER
172.16.0.0/24 is connected to the L3 switch.
Is that correct ?
As I see it , and taking into consideration that ASA does not suport PBR, the solution must involve PBR but on other equipments :
1) after the firewall - on the router - this involves connecting the second router to the first router and also access to the routers in order to configure PBR
2) before the firewall - on the L3 switch - this involves creating 2 contexts on the firewall 1 for the first connection (router) , and the second for the second connection (router), and also PBR on the L3 switch in order to route the traffic coming from 172.16.0.0/24 to the second router/connection.
The 2nd fits you better, because I do not think that you have access to the routers.
L3 switch ----access ---- ASA ------ trunk ----- L2 switch ---- access vlan 2 ---- old router
|-------------access vlan 3--------- new router
=> L2 switch - you should create a separated vlan for the second connection.
L2 switch : let's consider vlans : 2 old router vlan
3 new router vlan
ASA : interfaces E0 (inside) , E1 (outside)
Phisical : interface E1 , should be configured with subinterfaces
E1.2 ----> old router vlan
E1.3 ----> new router vlan
context ONE : interface E0 - inside -
interface E1.2 - outside - 202.x.x.x address
default route to the old router - 202.x.x.x
specific routes to the L3 switch - 172.16.0.0/24 , 10.0.0.0/24
context TWO : interface E0 - inside -
interface E1.3 - outside - 124.x.x.x address
default route to the new router 124.x.x.x
specific routes to the L3 switch 172.16.0.0/24 , 10.0.0.0/24
=> L3 Switch
default route to the IP of the ASA Context ONE
PBR for the traffic sourced 172.16.0.0/24 next-hop the IP of the ASA Context TWO.
THanks very much.
One last question i think it will we better if i another interface on firewall .and name it as outside1
And than route the traffic for that partcular valn through that outside1 interface.
Thus it work ?
No will not work for what you want to achieve.
Why ? When you configure the route on the ASA as you first posted :
ROUTE OUTSIDE1 172.16.X.X 255.255.255.0 124.X.X.X
You will instruct the ASA to route all the traffic GOING ( this means having the destination ) to 172.16.0.0/24 to the OUTSIDE1 interface.This will never happen, because the 172.16.0.0 is on the L3 switch.
So you will need to source route - meaning that you will need to route not after destination but after source ( using Policy Based Routing ) , in order to route the traffic sourced by 172.16.0.0/24 to the second router.
I am confused.
from l3 there is dfault route to firewaall.
and from firewall there is default route to router.
now from l3 all the traffic will first reach firewall .
on firewall ther are two outside interface otside 1 and outside
for outside 1 i will provide ip as in same range of 124.x.x.x
so for 172.16.x.x i will route as route inside 172.16.x.x 255.255.255.0 172.16.x.1(vlan ip created on l3 as svi)
route outside1 172.16..x.x 255.255.255.0 124.x.x.x(ip of secound router)
so it will work or not.
"route outside1 172.16..x.x 255.255.255.0 124.x.x.x"
this command tells the equipment where is the 172.16.x.x 255.255.255.0. Not where to send the traffic for that prefix.
So you are telling the ASA that the 172.16.x.x 255.255.255.0 is located on the outside1 interface.
To answer your question : no , will not work
You are right
So now if i want to route 172.16.x.x traffic to outside 1 interface .how can i make it possible.
i do not want to nat this traffic...
My requirement is like
i want to use router 1(bgp is runing) for internet.
and i want to use router 2(bgp is runing) for many site to site vpn.
i have a apnic range that i want to use in both router 1 and 2
Now requirement is like i want to use firewall in any case (for security reason all traffic router 1 and router should go through firewall))
Now i want to make a site to site vpn with this 172.16.x.x lan on router 2.
Thats why i am asking how to route 172.16.x.x range to router 2 on firewall.
please find the attahment
Long time no see..
As you know the ASA does not support PBR and can have only one default route on on its routing table..
So what I would like to know if its the both routers and the ASA are on the same broadcast domain???
If they are you could configure a default route pointing ro R1 and then create a route pointing to R2 with the subnet network on the other side of the VPN tunnel.
That should do it!!
DO rate all the helpful posts
Thanks for your concern
Firewall ,router 1 and router 2 are in same broadcast domain
Please share an example regarding your suggestion
It looks really simple to me unless I am not understanding this.
You want to send all traffic to the x.x.x.x. (vpn destination) subnet to router 2 and all the internet traffic to router 1 so all you need on the ASA
is a nat 0 ACL for the traffic going to the vpn subnet and the regular nat and global for the internet
Then for the routes you need
route outside 0 0 R1_Ip
route outside x.x.x.x x.x.x.x.x R2_IP
DO Rate all the helpful posts
Thanks for reply
My exact requirement like this
on router 2 site to site vpn is created..
Now on l3 we have many VLANs
from l3 there is default is to firewall .
now from firewall there is default route to router 1 say 0.0.0.0.0 0.0.0.0 203.x.x.x
Out ot that vlan we have one vlan say such as 172.16.x.x.
for 172.16 .x.x site to site vpn is created on router 2
as we know pbr is not supported on asa we cannot send 172.16 traffic to router 2
Now just assume the far end peer ip of vpn created is 101.x.x.x
so for that vpn if i give the route as on asa such as route outside 101..x.x.x 255.255.255.255 203.x.x.100
so route mentioned above thus it work
That is correct.
DO rate all the helpful posts
Glad to hear that is working now. Please mark the question as answered so future users can learn from this.
Now regarding the document, hmm no that I am aware I have not see a document with that info,
DO rate all the helpful posts