06-13-2011 03:57 PM - edited 03-11-2019 01:44 PM
Hi,
We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.
Supposing we can’t modify our subnets, and we want to use source routing on the ASA as below:
Can you please propose a solution to this problem on ASA (any workaround, any possible alternative configuration).
Thanks in advance.
06-13-2011 06:48 PM
Hey,
What you are trying to do is called PBR, which is not supported on the ASA firewall. Its stateful algorithm wouldn't allow it to effectively track the TCP sessions, so that could lead to an insecure environment; here is a better explanation:
A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.
Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics and not to policy route regular traffic as in routers.
This is the document:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml
Hope it helps
Mike
PS: I could not make the font smaller, sorry about that.
06-13-2011 06:53 PM
Firstly, you won't be able to perform any source-based routing on the ASA.
So the alternative is to have a network static NAT for one of the networks, for example:
NAT the network behind any one interface to another network x.x.x.0 and ask users to connect to the x.x.x.0 network.
If even this does not work, then I guess put a router behind the ASA and do source-based routing on that:
outside------asa-----------router------------------management
|------------------ DMZ
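As an added illustration of the static NAT workaround suggested above (this is not configuration from the thread, and the ASA 8.3+ object NAT syntax, the interface names inside/management, and the mapped prefix 10.21.0.0/16 are all assumptions), the management side of the overlapping 172.21.0.0/16 is presented to users under a different prefix while the DMZ copy keeps its real addresses:

```text
! Added example, not from the original post. Assumes ASA 8.3 or later NAT syntax.
! Real management subnet (overlaps with the subnet behind the DMZ interface)
object network MGMT-REAL
 subnet 172.21.0.0 255.255.0.0
! Mapped prefix that users are told to connect to (10.21.0.0/16 is a constructed placeholder)
object network MGMT-MAPPED
 subnet 10.21.0.0 255.255.0.0
! Twice NAT: traffic from inside to the mapped prefix has its destination rewritten to the
! real management address, and the rule's interface pair names management as the egress side.
! Source addresses are left untouched (any -> any), so only the destination is translated.
nat (inside,management) source static any any destination static MGMT-MAPPED MGMT-REAL
! Check the resulting path before relying on it (constructed sample addresses):
! packet-tracer input inside tcp 10.1.1.10 12345 10.21.5.5 22
```

The DMZ copy of 172.21.0.0/16 stays reachable by its real addresses, so the routing table still points that prefix at the DMZ side; whether a given ASA release forwards the translated flow out the management interface despite that route should be confirmed with packet-tracer on the actual box, which is also where the router-behind-ASA alternative in this reply becomes the safer option.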