10-14-2009 09:54 AM - edited 03-11-2019 09:26 AM
Basically, I want to know if this is possible with an ASA5510.
I know from experience that I've been able to do some internal subnet routing with the ASAs, but for some reason I can't get this one to work.
Basically, I have an internal network of 192.0.0.0 that I want to have a route to another external network of 162.xx.xx.0 for which there is a router on site. Unfortunately I have no access to that router, and the owner of it will NOT change the config, period.
Currently the only way to use that router and transmit data through it is to use separate computers on a 162.xx.xx.0 subnet.
The client would like to use 192.xx.xx.0 machines to access that network, as well as the VPN users on the 172.16.0.0 network.
I have added a static route to the 162.xx.xx.0 network pointing to 162.xx.xx.1 which is the internal IP of the untouchable router.
I also added ACL entries to allow traffic between 192.0.0.0 and 162.xx.xx.0, as well as a static (inside,inside) statement for 162.xx.xx.0.
What else am I missing, or is this even possible?
I know just adding an internal router into the equation is the easiest solution, but I'd like to avoid that if possible.
Diagram of network is attached.
Any ideas?
10-14-2009 12:12 PM
Eric
Could you clarify something -
The device that the ASA and the router connect into in your diagram - is that an L2 switch? If so, this won't work, simply because for the ASA to route between the subnets it needs an interface in both subnets, and it only has an interface in the 192.0.0.0 network.
If it is L2, it looks like you are running 2 completely separate networks on the same switch. With that setup, as I say, it will never work. You could look to use subinterfaces on the ASA, or just another interface, and give it an address from the 162.x.x.x network and then make the connection from the switch to the ASA a trunk connection. But this is assuming a lot of things.
Who controls the switch, and can it be reconfigured?
What is the switch make and type?
Jon
10-14-2009 12:17 PM
It is an HP ProCurve, not sure of the model number without having it in front of me; this is a remote consulting client of ours.
What you said is right though, not sure why I didn't see it before, and I figured out why my previous internal routing configuration worked since it was a slightly different situation.
At this point, my recommendation is going to be to just drop an 1841 or similar router in there and that should make it much easier to route the traffic.
After that, it's just a matter of getting the VPN clients working.
10-14-2009 12:22 PM
Eric
An 1841 would work fine. Presumably you would connect this to the HP ProCurve and then have one interface in the 165.x.x.x network and one in the 192.0.0.0 network?
If so be aware that the existing router may well not have a route to your 192.0.0.0 or 172.16.x.x VPN subnets so you will need to NAT all source IPs to the 165.x.x.x interface address on the 1841 as the traffic goes to the existing router.
Jon
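The 1841-with-NAT design Jon describes, as an added IOS configuration example that is not part of the thread. Addresses are placeholders: 162.0.0.0/24 stands in for the client's 162.xx.xx.0 subnet, 162.0.0.1 for the untouchable router, 162.0.0.2 for the 1841's own address on that side, and 192.0.0.1 for the ASA's inside interface; the /24 and /16 masks are assumed, since the thread does not state them.

```cisco
! Added example (not from the thread): 1841 between the 192.0.0.0 LAN and
! the 162 router, translating 192.x and 172.16.x sources to its own 162
! address so the existing router never needs a route back to those subnets.
! Placeholders: 162.0.0.0/24 = client's 162.xx.xx.0, 162.0.0.1 = the
! untouchable router, 162.0.0.2 = this 1841, 192.0.0.1 = ASA inside IP.
!
interface FastEthernet0/0
 description Inside - client LAN (192.0.0.0/24, mask assumed)
 ip address 192.0.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Toward the untouchable 162 router
 ip address 162.0.0.2 255.255.255.0
 ip nat outside
!
! Only the two client subnets are translated; anything else hitting the
! 162 side is dropped by the explicit deny, so stray hosts never reach
! the law-enforcement network with an untranslated source.
ip access-list extended NAT-TO-162
 permit ip 192.0.0.0 0.0.0.255 162.0.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 162.0.0.0 0.0.0.255
 deny   ip any any
!
ip nat inside source list NAT-TO-162 interface FastEthernet0/1 overload
!
! Return path for VPN clients: after de-translation the 1841 must know
! that 172.16.0.0/16 lives behind the ASA, otherwise replies are dropped.
ip route 172.16.0.0 255.255.0.0 192.0.0.1
!
! Any 162 prefixes that sit beyond the untouchable router (placeholder;
! the thread only names the directly connected 162.xx.xx.0 subnet).
ip route 162.0.0.0 255.0.0.0 162.0.0.1
```

On the ASA, the existing static route for 162.xx.xx.0 would then point at 192.0.0.2 (the 1841's inside address) instead of at the 162 router, and the static (inside,inside) statement is no longer needed.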
10-14-2009 12:35 PM
Yes, that would be the expected configuration.
I had also considered what you said about the existing router configuration, so that would take some configuring as well to get both the 192 and 172 subnets talking to the 162 network, but it could be done.
This all would be much easier if we had access/ownership of the existing router, but being a police department it is a Department of Law Enforcement private network and they do not adjust their equipment configuration.