Cisco ASA - Forwarding specific traffic to LAN router

net buzz
Level 1
Hi!

There is a scenario where a Cisco ASA is connected on a LAN with hosts on the LAN having the ASA's inside interface (10.10.10.100) as default gateway.

A router (10.10.10.20) is also connected to the LAN and is not in-line with the Cisco ASA (out-of-path).

The hosts need to connect to a specific destination (192.168.1.0/24) through the router and therefore the ASA firewall should forward this specific destination traffic back on its inside interface to the router.

Please see the attached topology.

I understand that both the ASA and the router can be configured to achieve this through the use of network routes, nat, same-security-traffic permit intra-interface, ACLs, classmap, PBR,....

What is the best solution?

Regards,

2 Replies

Daniel Hood
Level 1

Do you want to firewall the traffic before it gets to the router?

If not, you can do just a regular "route inside 192.168.1.0 255.255.255.0 10.10.10.20" and the ASA should forward this traffic to the router if it receives it on the inside interface. You need to add "same-security-traffic permit intra-interface" to get this working.

Not sure if you can use PBR or something like that to get it going, it'd be almost better to forward all the traffic to the router and then have the router send ICMP redirects, depends on how much traffic is flowing though.
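The hairpin the reply above describes, written out as an ASA configuration. This is an added example for this thread, not config posted by either participant, and it assumes ASA 8.3+ syntax, an inside interface literally named "inside", the addresses from the question (hosts on 10.10.10.0/24, router 10.10.10.20, remote subnet 192.168.1.0/24), and an illustrative policy that only TCP/443 may cross to the router; the object, ACL and class names are made up for the example. Two points matter to a practitioner before enabling this. First, because the LAN router is directly connected to 10.10.10.0/24, its replies go straight to the hosts and never touch the ASA, so the ASA sees only the outbound half of every TCP connection and will not complete its state tracking; Cisco's TCP state bypass feature exists for exactly this asymmetric case, at the cost of most of the ASA's TCP checks for that traffic. Second, if the traffic is meant to be firewalled rather than merely forwarded, the cleaner approach is to source-NAT the hairpinned flows to the ASA's inside address so the router's replies return through the ASA and the flow is fully stateful. Both variants are shown; use one or the other.

```cisco
! --- Common to both variants ---------------------------------------------
! Allow a packet to leave on the interface it arrived on (inside -> inside).
same-security-traffic permit intra-interface

! Send 192.168.1.0/24 back out the inside interface to the LAN router.
route inside 192.168.1.0 255.255.255.0 10.10.10.20 1

! Names below are assumptions for this example.
object network LAN_HOSTS
 subnet 10.10.10.0 255.255.255.0
object network ROUTER_NETS
 subnet 192.168.1.0 255.255.255.0

! Filter the hairpinned traffic on the inside interface (example policy:
! only HTTPS to 192.168.1.0/24; everything else towards that subnet is
! dropped; other inside traffic is left as it was). ACLs on 8.3+ match the
! real, pre-NAT addresses, so this ACL works unchanged for both variants.
access-list INSIDE_IN extended permit tcp object LAN_HOSTS object ROUTER_NETS eq 443
access-list INSIDE_IN extended deny ip object LAN_HOSTS object ROUTER_NETS
access-list INSIDE_IN extended permit ip object LAN_HOSTS any
access-group INSIDE_IN in interface inside

! --- Variant A: asymmetric path, TCP state bypass -------------------------
! The router replies directly to the hosts, so the ASA only ever sees the
! outbound direction. Without state bypass, packets after the SYN are
! dropped as out-of-state. Bypass disables the TCP normalizer and sequence
! checks for this traffic, so the inside ACL is the only control left.
access-list TCP_BYPASS extended permit tcp object LAN_HOSTS object ROUTER_NETS
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
policy-map global_policy
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
service-policy global_policy global

! --- Variant B: symmetric path via interface PAT --------------------------
! Translate the hosts to the ASA's inside address (10.10.10.100) only when
! the destination is 192.168.1.0/24. The router then replies to the ASA,
! the ASA sees both directions, and normal stateful inspection applies.
! Trade-off: the router logs every session as coming from 10.10.10.100.
nat (inside,inside) source dynamic LAN_HOSTS interface destination static ROUTER_NETS ROUTER_NETS
```

Whichever variant is used, confirm the path and the ACL decision with packet-tracer before relying on it, for example `packet-tracer input inside tcp 10.10.10.50 40000 192.168.1.10 443 detailed`; the output should show the packet egressing on inside with next hop 10.10.10.20, the INSIDE_IN ACL permitting it, and, for variant B, the NAT phase rewriting the source to the inside interface address. Re-run it with a blocked port (for instance 22) to check that the deny line is actually hit.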

Hi!

Thank you for the information.

What needs to be done if I want to firewall the traffic first before it gets to the router?

Regards,
