topic CISCO ASA 5510 source basing routing in Network Security

CISCO ASA 5510 source basing routing

Dmitriy Popov — Sun, 23 Dec 2012 17:10:52 GMT

Hi, all!

several organizations wants to place their equipment and servers in my datacenter. They want to use the same resource - 10.3.1.5. I want to connect their servers and VPN-gates via my CISCO ASA 5510. When the organization was the only on ASA was static route "10.3.1.5 via 10.200.1.2". But now this decision doesnt work. Organization1 need to go to 10.3.1.5 via VPN-gate 10.200.1.2. Organization2 need to go to 10.3.1.5 via 10.200.2.2. I cannot connect teir servers and VPN-gates directly. I should do it via ASA 5510.

I need some thing like IOS PBR (more precisely - routing based on source address). Could you advice me how I can configure scheme in attachement on my ASA? May be it will be a kind of NAT?

Note: Also I need to give access to VPN-gates from other networks (NET 1 - NET n)

here is the network scheme https://docs.google.com/drawings/d/1twHdJRDImVcjC_cqYpAeIQuzvAJK2ym-NLylEAw-hOA/edit

Re: CISCO ASA 5510 source basing routing

jmeggers — Sun, 23 Dec 2012 19:47:38 GMT

PBR hasn't been supported in the past on the ASA platform, and I don't believe that's changed, nor have I heard of any plans to do so in the future. I suspect you'd have to work a router into the topology to perform that function.

John Meggers

Sent from my iPhone

Re: CISCO ASA 5510 source basing routing

hjerrold1 — Sun, 23 Dec 2012 20:18:14 GMT

Because this is a VPN you use an acl with source and destination address. You set peers in those crypto maps. There is no reason this wont work from what I understand. Your next hop gate way is till the same for routing correct? You are just changing the peer address.

Thanks,

Sent from my iPhone, please excuse any typos.

Alex Jerrold

Systems Engineer

CCIE# 18957

1 678 837 2335<tel:1%20678%20837%202335>

alex.jerrold@nexusis.com<mailto:alex.jerrold@nexusis.com>

www.nexusis.com<http://www.nexusis.com/>

Collaboration Data Center Borderless Networks Business Video Managed Services.

Nexus IS Inc. designs, builds and supports complete end-to-end technology solutions designed to help organizationsConnect to their customers, Collaborate to achieve their vision, and Create innovative solutions to business problems.

Re: CISCO ASA 5510 source basing routing

Dmitriy Popov — Sun, 23 Dec 2012 22:51:33 GMT

in this task I only need the decision to sent traffic with destination ip 10.3.1.5 from 10.255.1.1/29 via 10.200.1.2 and from 10.255.2.1/29 via 10.200.2.2

after that VPN devices spit packets out to right host

How can I solve it on ASA?

Re: CISCO ASA 5510 source basing routing

hjerrold1 — Sun, 23 Dec 2012 23:51:51 GMT

So the asa is not doing VPN. Then you are correct. No real way to do this on asa.

Thanks,

Sent from my iPhone, please excuse any typos.

Alex Jerrold

Systems Engineer

CCIE# 18957

1 678 837 2335<tel:1%20678%20837%202335>

alex.jerrold@nexusis.com<mailto:alex.jerrold@nexusis.com>

www.nexusis.com<http://www.nexusis.com/>

Collaboration Data Center Borderless Networks Business Video Managed Services.

Re: CISCO ASA 5510 source basing routing

Dmitriy Popov — Mon, 24 Dec 2012 00:00:15 GMT

Alex, what do you think about full NAT of 10.255.1.1 to 10.200.1.2 and 10.3.1.5 on iface Eth0/0.1 to 10.200.1.2? Can it be working decision? if all traffic from net 10.255.1.1/29 really forwarded to vpn-gate 10.200.1.2 then it will be the answer I think..

and the same actions on second organisation servers and vpn-gate...

Re: CISCO ASA 5510 source basing routing

hjerrold1 — Mon, 24 Dec 2012 00:29:39 GMT

Do you have a config and diagram!

Thanks,

Sent from my iPhone, please excuse any typos.

Alex Jerrold

Systems Engineer

CCIE# 18957

1 678 837 2335<tel:1%20678%20837%202335>

alex.jerrold@nexusis.com<mailto:alex.jerrold@nexusis.com>

www.nexusis.com<http://www.nexusis.com/>

Collaboration Data Center Borderless Networks Business Video Managed Services.