12-02-2010 01:23 AM - edited 03-11-2019 12:17 PM
Hello
can I do this with asa 5505 (inside 192.168.1.1):
inside I have computer 192.168.1.245 (gw 192.168.1.1), which should forward all its traffic over VPN tunnel to different office to the gateway (192.168.32.1).
We had before netscreen/Juniper 5GT which was working that way.
Tarmo
12-02-2010 03:47 AM
What is the subnet the 192.168.1.245 host is trying to reach over VPN? Is the 192.168.32.1 host directly connected to a ASA subnet? Or is there a route on the ASA to that subnet?
The normal way of achieving the routing you want would be to add a route for the VPN subnet pointing to 192.168.32.1, but this would apply for all sources. ASA does not support policy based routing. If you have a router or L3 switch before the ASA, you could configure PBR there.
12-02-2010 03:54 AM
That host 192.168.1.245 should forward all its traffic to the host 192.168.33.1 (netscreen FW).
networks 192.168.1.0/24 and 192.168.33.0/24 are connected over VPN tunnel (working correctly).
My idea is to allow that host to go outside using different gateway.
I found something which should help me http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html
but I did not manage to get it work.
Or if I add that host to different VLAN does it help me then? We have SEC PLUS licence.
12-02-2010 04:12 AM
This is how I see your network (please correct me if I'm wrong).
192.168.1.0/24 (local LAN) ----- ASA ------ Internet
                                  |
192.168.32.0/24 ------ Netscreen ----- Internet ------ Remote-VPN-Peer ----- 192.168.33.0/24
With this I am guessing that 192.168.32.0/24 is a DMZ network on the ASA.
Assuming 192.168.32.0/24 is connected to a ASA interface called "dmz": then you would need to add the following route in the ASA:
route dmz 192.168.33.0 255.255.255.0 192.168.32.1
You can then add an access-list on your inside interface to permit only traffic from 192.168.1.254 to 192.168.33.0/24.
This is all based on guessing, I need more information to be able to give you a good answer.
Edited to correct mistake in post (saw wrong IP in subnet)
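To make the suggestion in the reply above concrete, here is an added example of the full ASA 8.2 configuration it implies. This is not from the original posts; the interface name "dmz", its security level and address (192.168.32.2), the ACL names and the host 192.168.1.245 are assumptions taken from the diagram and the question. Note that an inbound access-list on "inside" carries an implicit deny at its end, so the single permit line the reply mentions would also cut off the rest of the LAN from the Internet unless a final permit is added; the NAT exemption is only needed if the inside network is already being NATed/PATed.

```cisco
! Added example (not from the original thread); interface names, security
! levels, the 192.168.32.2 address and ACL names are assumptions.
! ASA 8.2 syntax (nat-control disabled by default on 8.x).
interface Vlan2
 nameif dmz
 security-level 50
 ip address 192.168.32.2 255.255.255.0
!
! Static route: the remote VPN subnet is reachable via the Netscreen
! on the dmz segment. Applies to every source, so the ACL below
! restricts who may actually use it.
route dmz 192.168.33.0 255.255.255.0 192.168.32.1 1
!
! Inbound on inside: only 192.168.1.245 may reach 192.168.33.0/24,
! the rest of the LAN is denied that destination, and the final line
! keeps normal Internet access for everyone (implicit deny otherwise).
access-list inside_in extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Only if a "nat (inside) 1 ..." / global PAT rule exists for the LAN:
! exempt this flow so the Netscreen sees the real 192.168.1.245 source.
access-list inside_nat0 extended permit ip host 192.168.1.245 192.168.33.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
```

After applying it, "show route" should list 192.168.33.0/24 via 192.168.32.1 on dmz, and "packet-tracer input inside tcp 192.168.1.245 12345 192.168.33.10 80" walks the flow through the route lookup, the access-list and NAT phases and reports whether it is allowed; running the same command with another inside source address should show the drop at the access-list phase.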