ASA migration; some servers reach internet through ASA, others through old firewall
We have an ASA5510 in our network, to which we are migrating from a Linux iptables/squid router. During this migration period, we'd like to have a couple of servers using the ASA to access the internet, and others to use the old Linux server. Also, we already use the ASA for AnyConnect VPN.
All servers use a 3750 switch as their default gateway; this switch has a default route to the Linux server in VLAN1. All network infrastructure devices (switches, routers) have IP addresses in VLAN1, this is where the routing happens. Now I've added the ASA to the same VLAN1. All servers are in VLAN11, to go to the internet (and the rest of the network like local clients), they go to the L3 switch, which routes them to the Linux server. The L3 switch also has a route to 172.30.10.0/24 (AnyConnect clients) via the ASA on VLAN1.
Now I wanted to have a couple of servers to reach the internet using the ASA. However, they don't need to be accessible through AnyConnect. Since our L3 switch doesn't support policy based routing (not the right IOS), we can't make a rule that says 'route IP address 172.30.1.45 to 0.0.0.0 via the ASA instead of the Linux server'. I understood this should be possible, if we'd have the advanced services IOS. So this sadly is not an option.
The other idea I had is to add VLAN11 to the ASA, and make it the default gateway for the servers that need to reach the internet through the ASA. I would then add 172.30.0.0/16 via the L3 switch as a persistent static route to the Windows server. This way it can reach internal clients through the L3 switch and access the internet through the ASA. This works great for these servers; since this is only for 2 servers at the moment, I don't mind manually adding routes to Windows.
This however, created an issue. If I want to reach any other server from one of the AnyConnect clients, the ASA sees this server is directly connected to VLAN11, and will route out of this interface. All servers in our network use the L3 switch as default gateway, which will route back to the AnyConnect client through VLAN1. The ASA will drop this packet, since it's from a non-existing TCP session; it went out on VLAN11 and came back in on VLAN1.
How can I solve this issue? I tried making it so that the L3 switch routes to the AnyConnect clients through VLAN11 instead of VLAN1. This works, but now the issue still exists for devices in other VLANs (like the switches themselves), since now they get routed to by the ASA via VLAN1, and the devices in VLAN1 get routed back via VLAN11.
I was thinking it would be nice if I could set up the ASA so that the directly connected route to devices in VLAN11 would have a higher administrative distance, so packets for it would be routed out via VLAN1 (if I made a route via the VLAN1 L3 switch IP address), and just make a manual route for every server that does need to be accessed directly through VLAN11 (e.g. the servers that access the internet through the ASA).
Is this possible? Or are there any other options?
Ruud van Strijp
I made a small drawing to describe the VLAN/routing situation:
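The asymmetric-path drop described in the post can be reproduced with a small model of a stateful firewall sitting in front of a longest-prefix routing table. This is an added illustration, not code from the poster or from Cisco: it models the ASA's session check in a simplified way (a reply is accepted only if it arrives on the interface the original packet left through, keyed on source/destination address without ports) and assumes a VLAN1 subnet of 172.30.0.0/24 and the interface names `vpn`, `vlan1`, `vlan11` and `outside`, none of which appear in the post. The three replayed paths are the ones the post describes: a server that still uses the L3 switch as its gateway, a server whose gateway is the ASA, and a VLAN1 device after the switch's route for the AnyConnect pool is moved to VLAN11.

```python
"""Toy stateful firewall + routing table reproducing the ASA asymmetric-routing drop.

Added example; the ASA's real connection table is more detailed (ports, TCP state,
NAT), but the interface-consistency rule modelled here is what causes the drop.
"""
from ipaddress import ip_address, ip_network


class Router:
    """Longest-prefix-match routing table; ties broken by lowest administrative distance."""

    def __init__(self):
        self.routes = []  # (network, interface, admin_distance)

    def add_route(self, prefix, interface, admin_distance):
        self.routes.append((ip_network(prefix), interface, admin_distance))

    def egress_interface(self, dst):
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        # Longest prefix wins; among equal prefixes the lower AD wins.
        _net, iface, _ad = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return iface


class StatefulFirewall(Router):
    """Router that records which interface pair each session used."""

    def __init__(self):
        super().__init__()
        self.sessions = {}  # (src, dst) -> (ingress_if, egress_if)

    def forward(self, src, dst, ingress_if):
        if (dst, src) in self.sessions:
            orig_in, orig_out = self.sessions[(dst, src)]
            # A reply must come back on the interface the request left through;
            # otherwise the firewall has no matching session for this interface.
            if ingress_if != orig_out:
                return "DROP: reply on %s but session left via %s" % (ingress_if, orig_out)
            return "PASS reply -> %s" % orig_in
        out_if = self.egress_interface(dst)
        if out_if is None:
            return "DROP: no route"
        self.sessions[(src, dst)] = (ingress_if, out_if)
        return "PASS new -> %s" % out_if


def build_asa():
    """ASA routing table as the post describes it (VLAN1 subnet is an assumption)."""
    asa = StatefulFirewall()
    asa.add_route("172.30.10.0/24", "vpn", 0)     # AnyConnect pool, via the tunnel
    asa.add_route("172.30.1.0/24", "vlan11", 0)   # connected: server VLAN
    asa.add_route("172.30.0.0/24", "vlan1", 0)    # connected: infrastructure VLAN (assumed subnet)
    asa.add_route("172.30.0.0/16", "vlan1", 1)    # rest of the internal network via the L3 switch
    asa.add_route("0.0.0.0/0", "outside", 1)      # internet
    return asa


def run_scenarios():
    """Replay the three paths from the post; returns a dict of verdict strings."""
    results = {}

    # 1. AnyConnect client -> server that still uses the L3 switch as default gateway.
    #    Request leaves via the connected vlan11 route; the switch returns the reply on VLAN1.
    asa = build_asa()
    asa.forward("172.30.10.5", "172.30.1.50", "vpn")
    results["reply_via_switch_on_vlan1"] = asa.forward("172.30.1.50", "172.30.10.5", "vlan1")

    # 2. AnyConnect client -> server whose default gateway is the ASA on VLAN11.
    asa = build_asa()
    asa.forward("172.30.10.5", "172.30.1.45", "vpn")
    results["reply_direct_on_vlan11"] = asa.forward("172.30.1.45", "172.30.10.5", "vlan11")

    # 3. Switch now routes the AnyConnect pool via the ASA's VLAN11 address; a device in
    #    VLAN1 (reached via the connected vlan1 route) replies through VLAN11 instead.
    asa = build_asa()
    asa.forward("172.30.10.5", "172.30.0.10", "vpn")
    results["vlan1_device_reply_on_vlan11"] = asa.forward("172.30.0.10", "172.30.10.5", "vlan11")
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print("%-32s %s" % (name, verdict))
```

Running it prints a DROP for paths 1 and 3 and a PASS for path 2, which matches the behaviour in the post: whichever VLAN the switch points its return route at, any host that the ASA reaches through the other connected interface ends up with an asymmetric session. The routing table also makes the administrative-distance point concrete: with both VLAN routes at distance 0, no static route at distance 1 can ever win the `egress_interface` lookup for a host in a connected subnet.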