02-08-2017 08:56 PM - edited 03-12-2019 01:54 AM
Dear Team,
As I am new to the firewall terminology.
My scenario is like that: we have 3 physical interfaces on the firewall, Outside, Inside and Others. In the physical interface "Others" we have created 3 sub-interfaces: 192.168.0.x, 192.168.1.x, 192.168.3.x.
In our case we have to give internet access to the sub-interface 192.168.3.x. Currently the "Inside" interface has access to the "Outside", which means they can access the internet.
Is it possible to create a route for the interfaces? While trying to create a route for the interfaces, it states that for the same interfaces there is no need to create a route.
I want to pass my 192.168.3.x network (which belongs to users) traffic to the "Outside" interface for internet access.
02-09-2017 04:28 AM
As long as there is a default route to the Outside interface, inside and the 192.168.3.x network should be able to route to that. A few things to make sure of:
1) The sub-interface for 192.168.3.x has a higher security level than outside. Otherwise you have to explicitly allow traffic between interfaces of the same security level.
2) There is a NAT/PAT rule in place for the User sub-interface to reach the internet.
3) The ACL on the User sub-interface allows traffic to the internet.
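The three checks above, written out as an ASA (8.3+ NAT syntax) configuration. This is an added example, not the poster's config: the interface names (Outside is `outside`, the 192.168.3.x sub-interface is `users` on `GigabitEthernet0/2.3` with VLAN 3), the security level 50, and the upstream gateway 203.0.113.1 are all assumptions chosen for illustration.

```cisco
! Parent interface carries the sub-interfaces; it has no address of its own
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! 192.168.3.x user sub-interface (assumed VLAN 3). Security level 50 is
! higher than outside (0), so users -> outside is allowed by default;
! outside -> users is denied unless an ACL on outside permits it.
interface GigabitEthernet0/2.3
 vlan 3
 nameif users
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! One default route is enough for every inside-facing interface: routing is
! by destination, so anything not in the routing table goes to outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Check 2: dynamic PAT for the users subnet behind the outside interface IP.
! Without this the ASA drops the flow with "no translation group found".
object network USERS-NET
 subnet 192.168.3.0 255.255.255.0
 nat (users,outside) dynamic interface
!
! Check 3: once an ACL is bound to the interface, only what it permits passes.
! Deny the other internal subnets first so users cannot reach them, then
! permit internet-bound traffic.
access-list USERS-IN extended deny ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USERS-IN extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list USERS-IN extended deny ip 192.168.3.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list USERS-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group USERS-IN in interface users
```

To confirm which of the three conditions is failing, trace a synthetic flow instead of guessing: `packet-tracer input users tcp 192.168.3.10 40000 198.51.100.1 80` walks the packet through route lookup, ACL and NAT and names the phase that drops it. `show route` should list the `0.0.0.0 0.0.0.0` entry via outside, and `show nat detail` should show the `(users,outside)` translation with a non-zero hit count once a host tries to browse. If the two interfaces end up at the same security level, `same-security-traffic permit inter-interface` is the setting the second check refers to.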
02-09-2017 10:48 AM
Dear Rahul,
I have done all these things, Rahul, but it didn't work for me.
I have one doubt: if the traffic comes to the 192.168.3.x gateway, that is 192.168.3.1, how does that gateway come to know that the traffic should be routed to the outside interface?
02-09-2017 07:58 PM
Attach a sanitized config so we can better understand your issue.
Also, the routing is based on the destination address and not on the source. So it does not matter if it comes from inside or the 192.168.3.x subnet: if the destination is an address on the public internet and your default route points to the outside interface, traffic will be routed there.
02-10-2017 02:11 AM
Thanks Rahul,
My issue has been resolved. I have one more issue. We have a site-to-site connection between our office and the client office. Our network is 10.120.1.x and the client network is 192.168.0.x. These two have a VPN connection. We have created additional networks in the client office, that is 192.168.3.x and 192.168.4.x. To get communication to the newly created networks from our office I have edited the existing network and added the newly created networks to that VPN. But it didn't work for me; I have created the appropriate ACL also. Could you please help me to figure this out as well?
02-10-2017 04:28 AM
Has the remote side also made changes to the VPN to include the 2 new subnets? Changes have to be made on both sides and mirrored for the VPN to work.
Also, for VPN, you probably want to exempt the traffic between your local and remote networks from NAT. Make sure you have these exemption rules in place for your new subnets too.
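What "mirrored on both sides" and "exempt from NAT" look like on an ASA, as an added example (not the poster's or the client's configuration). The object, ACL and crypto-map names, the `inside` interface name and the crypto map sequence number are assumptions; the subnets are the ones given in the thread.

```cisco
! ---- Our office (10.120.1.0/24 side) ----
object network HQ-NET
 subnet 10.120.1.0 255.255.255.0
!
! All three client subnets in one group so the crypto ACL and the NAT
! exemption are edited in exactly one place when a subnet is added.
object-group network CLIENT-NETS
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
!
! Crypto ACL (encryption domain): local on the left, remote on the right.
access-list VPN-TO-CLIENT extended permit ip object HQ-NET object-group CLIENT-NETS
!
! NAT exemption (identity twice NAT). Manual NAT is evaluated before the
! object NAT used for internet PAT, so VPN traffic keeps its real addresses.
nat (inside,outside) source static HQ-NET HQ-NET destination static CLIENT-NETS CLIENT-NETS no-proxy-arp route-lookup
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-CLIENT
!
! ---- Client office (192.168.0/3/4.x side) ----
! The mirror image: the same three subnets are now "local" and 10.120.1.0/24
! is "remote". If the client only lists 192.168.0.0/24 here, the new subnets
! are rejected during IKE phase 2 with a proxy-ID mismatch.
object network HQ-NET
 subnet 10.120.1.0 255.255.255.0
object-group network CLIENT-NETS
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip object-group CLIENT-NETS object HQ-NET
nat (inside,outside) source static CLIENT-NETS CLIENT-NETS destination static HQ-NET HQ-NET no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
```

After editing the crypto ACL on either side, the already-established tunnel still carries the old selectors; clear it with `clear crypto ipsec sa peer <peer-ip>` so phase 2 renegotiates. `show crypto ipsec sa` then lists one `local ident`/`remote ident` pair per subnet combination; a missing 192.168.3.0 or 192.168.4.0 pair, or encaps counters that climb while decaps stay at zero, points at the side whose ACL or NAT exemption was not updated.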