Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1237
Views
5
Helpful
22
Replies

Policy-based routing problems

smailmilak83
Level 1
Level 1

‎04-15-2009 05:03 AM - edited ‎03-09-2019 10:13 PM

Please take look at this topic. The ASA firewall is making me a headache.

WAN, Routing and Switching: Policy-based routing.

Labels:
0 Helpful
22 Replies 22

smailmilak83
Level 1
Level 1
In response to andrew.prince

‎04-17-2009 03:00 AM

Well, I have not designed this network.

I think the central router is terminating VPN because of OSPF routing (tunnel interfaces with GRE)

The central router is not behind the ASA for internal. The ASA has its own internal network (HQ) and the others are all remote sited that have to go through the ASA because of authenticaion (not all users are allowed to surf on the internet)

OSPF is already encapsulated in the tunnel on remtoe site and central routers

ASA is already a gateway for the internal network (not for remote sites) ASA can't send them a defaulte route because the is the central router in between

0 Helpful

andrew.prince
Level 10
Level 10
In response to smailmilak83

‎04-17-2009 03:08 AM

OK - a simple solution would be to:-

1) Terminate the VPN on the ASA

2) Have the tunnel desintation on the central router for the remote point to the ASA

3) In the ASA configure the crypto map for the tunnel srouce & desinations of the tunnels.

4) Directly connect the ASA to the internet circuit

5) Have the central router have only 1 connection to the ASA

6) Distribute a default route in OSPF - remote users would dynamically route over the tunnel thru the IPSEC to the central router, the central router woudl route the internet traffic directly to the ASA where they can be authenticated.

HTH>

smailmilak83
Level 1
Level 1
In response to andrew.prince

‎04-17-2009 03:37 AM

Well I know that when the ASA would terminate the VPNs my problem would be solved. But I don't know if my client would like that, because that is a lot of work.

And I have one question. Does the ASA have tunnel interfaces like a router? So that I can use GRE?

0 Helpful

andrew.prince
Level 10
Level 10
In response to smailmilak83

‎04-17-2009 03:39 AM

No the ASA does not support GRE tunnels.

At the end of the day you should explain to your customer that the current topology/configuration is sub-optimal and can be improved 100%

HTH>

0 Helpful

smailmilak83
Level 1
Level 1
In response to andrew.prince

‎04-17-2009 03:45 AM

So your advice is that the ASA terminates the VPNs and that the router is there only for the internet?

There is a problem too, a Frame-Relay router is connected on the router for other remote sites! I think that I could use a subinterface on the ASA for that!

0 Helpful

andrew.prince
Level 10
Level 10
In response to smailmilak83

‎04-17-2009 03:53 AM

If you just do that - what are you going to use as a layer 3 routing device on the inside?

Possibly - or just shift all the internal routing to the device that has the frame-relay - this is the central internal router.

then the other router can just be used for internet routing, and the ASA can be the secuure device that seperates the internal to internet.

0 Helpful

smailmilak83
Level 1
Level 1
In response to andrew.prince

‎04-17-2009 03:55 AM

Well thank you. I will consult myself with my workmate.

0 Helpful

andrew.prince
Level 10
Level 10
In response to smailmilak83

‎04-17-2009 04:05 AM

np - glad to help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents