cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
456
Views
0
Helpful
1
Replies

Is it possible??? If so, how?

jerry-kendall
Level 1
Level 1

Hi there...

I am really hoping someone can shed some light on a way to get past this issues below.

I have an ASA5512-X with ASA 8.6(1)2

For the outside, I have 2 of the NIC ports configured as 'redundant' with multiple subinterfaces, each with their own VLAN. All connected to our edge router.

For the inside, I have 2 of the NIC ports configured as 'redundant'  with multiple subinterfaces, each with their own VLAN. All connected to  our core switch.

Also, every VLAN has its own subnet.

On the inside, the VLANs are numbers based on the 3rd octet (i.e. vlan 25 is 192.168.25.0/24 and vlan 26 is 192.168.26.0/24 and so on)

On the outside, the VLANs are the same as the inside 'plus 1000' - inside vlan 25 is 1025 on the outside and

inside vlan 26 is 1026 on the outside.

There are 2 issues that I am struggling with.

One issue is routing related. I have multiple outside subnets, each has its own gateway (all point to the edge router) .

I have muiltple static routes, each pointing to 0.0.0.0/0 with a different metric.

When UDP packets go from inside vlan 25 to the internet, they go in vlan 25 and out the vlan associated with the default route and NOT out vlan 1025.

The replies come back via VLAN 1025 from the router and are denied by the firewall as the interface is different.

Does anyone have any hints on how to resolve this?

Issue number 2...

is there a way to configure the firewall such that ALL traffic from the inside vlan 25 MUST go out vlan 1025 on the outside and or course, the path being reversed for opposite dirrection traffoc?

thanks,

Jerry

1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Jerry,

Issue1)

That's assymetric routing, the network is not properly setup for a firewall, you have to make sure the ASA receives the packet on the same interface where it send it.

Issue 2)

The ASA does not support PBR, You cannot route traffic based on source IP addresses you could migth try some NAT statements to hack the ASA but I have not done that in a lot of time so I am not 100 % sure this is gonna work (Officialy it's not supported)

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card