We have on one side an administrative net (192.168.2.0/24) that has to reach hosts in some different VLANs (192.168.26.0/24 and 192.168.8.0/24, for example) through a VPN tunnel. The problem is that the default GW of the hosts in the VLANs is not the same ASA as the endpoint of the tunnel.
I attach a pic, which (hopefully) explains the situation.
On the ASA with the IPs 192.168.8.2/192.168.26.2 I set a route:
Does seem like a somewhat problematic setup, especially when talking about having 2 ASA firewalls.
So if I understood correctly, the ASA at ISP2 is the default gateway for the LAN networks between the 2 ASAs and this causes problems with traffic forwarding.
One option would, I guess, be that you specifically route the network 192.168.2.0/24 on the actual servers towards the ISP1 ASA while the default route would still be pointing towards the ISP2 ASA. If there is a need to do this for several hosts or a whole network, then naturally it's not a very desirable setup.
If you were to do this on the ISP2 ASA with the routes you mention, then the routes alone would not be enough to pull this off.
The first problem with the routes applied above is that you use the same/default metric. The other one has to have a worse metric. Naturally this also means that as long as the ASA looks at its routing table, it will always forward the traffic destined to that destination network using the route with the better metric.
What you would have to do (if I am correct) is to use NAT to make the traffic take a U-turn on the Vlan20 and Vlan260 interfaces on the ISP2 ASA. The NAT will essentially first cause the ASA to choose the correct interface to forward the traffic out of, while the route (even with the worse metric) will then handle the forwarding of traffic towards the desired gateway.
So it would seem to me that the ISP2 ASA needs at least the following configurations:
First command (if not issued yet) enables traffic to enter and leave the same interface
Route commands with different metrics to same destination networks using different interfaces/gateways
NAT configurations, each of which tells the ASA that when traffic is coming from VLANX towards REMOTE, the outgoing/egress interface should be the same interface where the traffic entered.
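As an added illustration (not the original poster's or the answerer's configuration), this is what those three pieces could look like on the ISP2 ASA in ASA 8.3+ syntax. It assumes Vlan20 carries 192.168.8.0/24 (ASA 192.168.8.2) and Vlan260 carries 192.168.26.0/24 (ASA 192.168.26.2); the ISP1 ASA's addresses inside each VLAN are not on the page and appear as placeholders.

```cisco
! Assumed mapping: Vlan20 = 192.168.8.0/24, Vlan260 = 192.168.26.0/24
! Placeholders 192.168.8.X / 192.168.26.X = ISP1 (tunnel endpoint) ASA address in each VLAN
!
! 1. Allow a packet to leave through the interface it arrived on (U-turn / hairpin)
same-security-traffic permit intra-interface
!
! 2. Routes to the remote admin network via the ISP1 ASA, one per VLAN interface,
!    with different metrics so both can coexist in the routing table
route Vlan20  192.168.2.0 255.255.255.0 192.168.8.X  1
route Vlan260 192.168.2.0 255.255.255.0 192.168.26.X 2
!
! 3. Identity NAT whose only job is to pin the egress interface to the ingress
!    interface; addresses are left unchanged (source maps to itself, dest to itself)
object network VLAN20-NET
 subnet 192.168.8.0 255.255.255.0
object network VLAN260-NET
 subnet 192.168.26.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.2.0 255.255.255.0
nat (Vlan20,Vlan20)   source static VLAN20-NET  VLAN20-NET  destination static REMOTE-NET REMOTE-NET
nat (Vlan260,Vlan260) source static VLAN260-NET VLAN260-NET destination static REMOTE-NET REMOTE-NET
!
! Check: simulate a host in Vlan260 reaching the admin net; the trace should show the
! NAT phase selecting Vlan260 as egress and the next hop 192.168.26.X, not the metric-1 route
packet-tracer input Vlan260 tcp 192.168.26.10 12345 192.168.2.10 22
```

Without the two NAT lines, the packet-tracer output would show the Vlan260 traffic being sent out Vlan20 because that route has the better metric.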