12-23-2012 09:10 AM
Hi, all!
Several organizations want to place their equipment and servers in my datacenter. They want to use the same resource - 10.3.1.5. I want to connect their servers and VPN gates via my Cisco ASA 5510. When there was only one organization, the ASA had the static route "10.3.1.5 via 10.200.1.2". But now this solution doesn't work. Organization1 needs to go to 10.3.1.5 via VPN gate 10.200.1.2. Organization2 needs to go to 10.3.1.5 via 10.200.2.2. I cannot connect their servers and VPN gates directly. I should do it via the ASA 5510.
I need something like IOS PBR (more precisely, routing based on source address). Could you advise me how I can configure the scheme in the attachment on my ASA? Maybe it will be a kind of NAT?
Note: I also need to give access to the VPN gates from other networks (NET 1 - NET n).
Here is the network scheme: https://docs.google.com/drawings/d/1twHdJRDImVcjC_cqYpAeIQuzvAJK2ym-NLylEAw-hOA/edit
12-23-2012 11:47 AM
PBR hasn't been supported in the past on the ASA platform, and I don't believe that's changed, nor have I heard of any plans to do so in the future. I suspect you'd have to work a router into the topology to perform that function.
John Meggers
Sent from my iPhone
12-23-2012 12:18 PM
Because this is a VPN, you use an ACL with source and destination address. You set peers in those crypto maps. There is no reason this won't work from what I understand. Your next hop gateway is still the same for routing, correct? You are just changing the peer address.
Thanks,
Sent from my iPhone, please excuse any typos.
Alex Jerrold
Systems Engineer
CCIE# 18957
1 678 837 2335
alex.jerrold@nexusis.com
www.nexusis.com
Collaboration Data Center Borderless Networks Business Video Managed Services.
Nexus IS Inc. designs, builds and supports complete end-to-end technology solutions designed to help organizations Connect to their customers, Collaborate to achieve their vision, and Create innovative solutions to business problems.
12-23-2012 02:51 PM
In this task I only need a solution to send traffic with destination IP 10.3.1.5 from 10.255.1.1/29 via 10.200.1.2 and from 10.255.2.1/29 via 10.200.2.2.
After that, the VPN devices spit the packets out to the right host.
How can I solve it on ASA?
12-23-2012 03:51 PM
So the ASA is not doing VPN. Then you are correct. No real way to do this on the ASA.
Thanks,
Alex Jerrold
12-23-2012 04:00 PM
Alex, what do you think about full NAT of 10.255.1.1 to 10.200.1.2 and 10.3.1.5 on iface Eth0/0.1 to 10.200.1.2? Can it be a working solution? If all traffic from net 10.255.1.1/29 is really forwarded to VPN gate 10.200.1.2, then it will be the answer, I think.
And the same actions on the second organisation's servers and VPN gate...
12-23-2012 04:29 PM
Do you have a config and diagram?
Thanks,
Alex Jerrold