Static route by interface or destination

BenTwentyEleven — Mon, 11 Mar 2019 21:28:50 GMT

Is it possible to assign a static route to an interface and not globally on a ASA 5510 ver 8.3.

I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.

All interfaces are on the same security level of 100 except Outside which is 0.

Office 1 Interfaces ASA 5510

VLAN 1 vOffice1Data 10.40.1.0/24

VLAN 3 vOffice1Video 10.40.2.0/24

VLAN 5 vInterOffice 10.40.5.0/24 (QOS connection Between Offices)

Outside 50Mb Internet / Site to Site VPN between offices

Office 2 Interfaces ASA 5510

VLAN 2 vOffice2Data 10.40.2.0/24

VLAN 4 vOffice2Video 10.40.4.0/24

VLAN 5 vInterOffice 10.40.5.0/24 (Secure connection Between Offices)

Outside 50Mb Internet / Site to Site VPN between offices

All local VLAN’s route between themselves OK

Also the following far end routing is working OK

VLAN 1 --- VLAN 2 Both Ways via Site to Site VPN

VLAN 3 --- VLAN 4 Both Ways via E-Pipe using a static Route

VLAN 1 &,2 are used for data

VLAN 3 & 4 are used for Video Conferencing

We are adding desktop videoconferencing to our end points so we need to be able to route traffic from the local Data network destined to the far end video network via the E-Pipe. All local data VLAN’s to far end data VLAN’s should still route traffic through the VPN connection.

As an example if I had my laptop connected to VLAN 1 I should be able to access far end VLAN 2 via Site To Site VPN and also be able to access far end VLAN 4 via the E-Pipe route.

Is this possible?

At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.

Any suggestions?

Static route by interface or destination

Jon Marshall — Thu, 22 Sep 2011 18:40:49 GMT

Ben

What you really need is PBR (Policy Based Routing) which unfortunately is not supported on the ASA.

You may be able to do something with NAT but it would need testing as VOIP/videoconferencing doesn't always work with NAT.

Basically you use poilicy NAT so when traffic is sent from vlan to vlan 4 you NAT the source vlan 1 ip addresses. Then at site2 you can add a specific route for the nat subnet which would point to the QOS connection. This would mean you could still have your existing vlan 1 route at site 2 pointing to the VPN tunnel.

Jon

Static route by interface or destination

BenTwentyEleven — Sun, 25 Sep 2011 14:25:44 GMT

Hi Jon,

Thanks for your input. Unfortunately I couldn’t get your NAT solution working. Hopefully Cisco will bring out PBR on the ASA soon.

Ben

topic Static route by interface or destination in Network Security

Static route by interface or destination

Static route by interface or destination

Static route by interface or destination