Some Typical Policy Based Routing problem can be solved using Policy Based NAT. All the features for PBR you get in router is not available in ASA.
Still, Could you post your exact requirement.
It is explained in my first post.
The central router routes the traffic to ASA and there it just stops.
Don't know if the ASA is droping the packets or similar. I don't have any experience with it.
The ASA may be dropping packets that it does not know how to pass onto the next layer 3 routing device, check the config and the layer 3 connectivity at the remote end.
But the Central router sends the request (sourced from the remote site) with a source and destination address.
I really don't know whay the ASA does not forward it on the outside interface.
if the traffic from the remote site enters the outside interface of the ASA over a VPN the ASA will not specifically pass it out the outside interface and NAT it without specific config, is this what you are tyring to do?
post your config's for review.
The traffic comes on an inside interface (security 50, OSPF routing). The ASA is connected with 2 interfaces with the central router. One for OSPF routing between sites (private IP) and one for internet (Public IP, ASA is doing NAT)
And there is an inside interface with SEC 0 and that is not important.
You can find a topology and config file in my posts.
None of your posts have any attachements.
Is the ASA taking part in the OSPF routing?
Are you performing any NAT between the intside and the central router interface?
There are attachments. Like I said in my first post, I made a topic in:
WAN, Routing and Switching: Policy-based routing.
It is all explained there.
I have read the post - and seen the updated diagram, I have a few questions:-
1) Why is the VPN terminated on the central router?
2) Why is the central router in front of the ASA for the internet, and beihind the ASA for internal
3) If you havea tunnel, then you should not really need PBR - as you can encapsulate OSPF into the tunnel
4) The ASA could redistribute the default route in OSPF on the internal private IP's.
Well, I have not designed this network.
I think the central router is terminating VPN because of OSPF routing (tunnel interfaces with GRE)
The central router is not behind the ASA for internal. The ASA has its own internal network (HQ) and the others are all remote sited that have to go through the ASA because of authenticaion (not all users are allowed to surf on the internet)
OSPF is already encapsulated in the tunnel on remtoe site and central routers
ASA is already a gateway for the internal network (not for remote sites) ASA can't send them a defaulte route because the is the central router in between
OK - a simple solution would be to:-
1) Terminate the VPN on the ASA
2) Have the tunnel desintation on the central router for the remote point to the ASA
3) In the ASA configure the crypto map for the tunnel srouce & desinations of the tunnels.
4) Directly connect the ASA to the internet circuit
5) Have the central router have only 1 connection to the ASA
6) Distribute a default route in OSPF - remote users would dynamically route over the tunnel thru the IPSEC to the central router, the central router woudl route the internet traffic directly to the ASA where they can be authenticated.
Well I know that when the ASA would terminate the VPNs my problem would be solved. But I don't know if my client would like that, because that is a lot of work.
And I have one question. Does the ASA have tunnel interfaces like a router? So that I can use GRE?
No the ASA does not support GRE tunnels.
At the end of the day you should explain to your customer that the current topology/configuration is sub-optimal and can be improved 100%
So your advice is that the ASA terminates the VPNs and that the router is there only for the internet?
There is a problem too, a Frame-Relay router is connected on the router for other remote sites! I think that I could use a subinterface on the ASA for that!
If you just do that - what are you going to use as a layer 3 routing device on the inside?
Possibly - or just shift all the internal routing to the device that has the frame-relay - this is the central internal router.
then the other router can just be used for internet routing, and the ASA can be the secuure device that seperates the internal to internet.