04-13-2012 01:02 AM - edited 03-11-2019 03:53 PM
The L3 switch is connected to the firewall, and the firewall is connected to the router.
On the L3 switch the networks are 10.0.0.0/24
and 172.16.0.0/24,
and the default route is to the firewall.
From the firewall the default route is route outside 0.0.0.0 0.0.0.0 202.x.x.x (router).
I have another router. My requirement is that 172.16.0.0/24 data should go through this router (124.x.x.x).
If I give the route route outside 172.16.x.x 255.255.255.0 124.x.x.x on the firewall, does it work?
04-13-2012 01:17 AM
Kumar,
First of all you must keep in mind that traditional routing is done using the destination address.
So, taking this into consideration, your firewall will make the routing decisions based on destination.
As a short answer: no, it will not work.
The solution is PBR, but sadly I do not think this feature is supported on the ASA.
Regards
Dan
04-13-2012 01:41 AM
Thanks.
If I use another interface of the firewall and name it outside1,
then route the traffic with route outside1 172.16.x.x 255.255.0.0 124.x.x.x,
will it work? Is there any other solution?
04-13-2012 01:46 AM
My understanding regarding your setup is:
L3 switch ------- ASA -------- ROUTER
172.16.0.0/24 is connected to the L3 switch.
Is that correct?
Regards
Dan
04-13-2012 01:48 AM
L3 -- ASA -- L2 switch -- router
All the ports of the L2 switch are in the same VLAN.
04-13-2012 01:49 AM
And where is the 172.16.0.0/24 network connected?
Dan
04-13-2012 02:42 AM
On the L3 switch.
04-13-2012 02:52 AM
Ok.
As I see it, and taking into consideration that the ASA does not support PBR, the solution must involve PBR but on other equipment:
1) After the firewall, on the router. This involves connecting the second router to the first router, and also access to the routers in order to configure PBR.
2) Before the firewall, on the L3 switch. This involves creating 2 contexts on the firewall, one for the first connection (router) and the second for the second connection (router), and also PBR on the L3 switch in order to route the traffic coming from 172.16.0.0/24 to the second router/connection.
The 2nd fits you better, because I do not think that you have access to the routers.
Regards
Dan
04-13-2012 02:56 AM
Thanks.
Regarding the 2nd solution, can you give a rough idea of the scenario, or any doc?
04-13-2012 03:17 AM
L3 switch ----access ---- ASA ------ trunk ----- L2 switch ---- access vlan 2 ---- old router
                                                     |-------------access vlan 3--------- new router
=> L2 switch: you should create a separate VLAN for the second connection.
L2 switch, let's consider the VLANs:
  2 - old router VLAN
  3 - new router VLAN
=> ASA
ASA: interfaces E0 (inside), E1 (outside)
Physical: interface E1 should be configured with subinterfaces
  E1.2 ----> old router VLAN
  E1.3 ----> new router VLAN
Context ONE: interface E0 - inside
  interface E1.2 - outside - 202.x.x.x address
  default route to the old router - 202.x.x.x
  specific routes to the L3 switch - 172.16.0.0/24, 10.0.0.0/24
-------------------------------------------------------------------------------
Context TWO: interface E0 - inside
  interface E1.3 - outside - 124.x.x.x address
  default route to the new router - 124.x.x.x
  specific routes to the L3 switch - 172.16.0.0/24, 10.0.0.0/24
=> L3 switch
  default route to the IP of the ASA context ONE
  PBR for the traffic sourced from 172.16.0.0/24, next-hop the IP of the ASA context TWO.
Dan
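The design Dan lays out above, written out as Cisco configuration fragments for the three devices. This is an added example and not Dan's text or Cisco documentation: the interface names, the L3 switch SVI number, the transit subnet 192.0.2.0/24 between the L3 switch (192.0.2.10) and the two ASA contexts (192.0.2.1 for ONE, 192.0.2.2 for TWO), and the router next-hop placeholders 202.x.x.y / 124.x.x.y are all assumptions; VLANs 2 and 3, context names ONE and TWO, and the 202.x.x.x / 124.x.x.x outside addresses come from the thread.

```cisco
! ===== L2 switch (IOS): one VLAN per router, 802.1Q trunk towards the ASA =====
vlan 2
 name OLD-ROUTER
vlan 3
 name NEW-ROUTER
interface GigabitEthernet0/1
 description to ASA Ethernet1 (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 2,3
interface GigabitEthernet0/2
 description old router 202.x.x.x
 switchport mode access
 switchport access vlan 2
interface GigabitEthernet0/3
 description new router 124.x.x.x
 switchport mode access
 switchport access vlan 3

! ===== ASA system execution space: multiple mode, E1 split into subinterfaces =====
mode multiple
! E0 (inside) is shared by both contexts; auto MAC addresses let the ASA
! classify ingress frames to the right context on the shared interface
mac-address auto
interface Ethernet0
 no shutdown
interface Ethernet1
 no shutdown
interface Ethernet1.2
 vlan 2
interface Ethernet1.3
 vlan 3
context ONE
 allocate-interface Ethernet0
 allocate-interface Ethernet1.2
 config-url disk0:/ONE.cfg
context TWO
 allocate-interface Ethernet0
 allocate-interface Ethernet1.3
 config-url disk0:/TWO.cfg

! ===== ASA context ONE (old router path) =====
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Ethernet1.2
 nameif outside
 security-level 0
 ip address 202.x.x.x 255.255.255.0
route outside 0.0.0.0 0.0.0.0 202.x.x.y
! "route inside" here means: these prefixes LIVE behind the L3 switch
route inside 10.0.0.0 255.255.255.0 192.0.2.10
route inside 172.16.0.0 255.255.255.0 192.0.2.10

! ===== ASA context TWO (new router path) =====
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.0.2.2 255.255.255.0
interface Ethernet1.3
 nameif outside
 security-level 0
 ip address 124.x.x.x 255.255.255.0
route outside 0.0.0.0 0.0.0.0 124.x.x.y
route inside 10.0.0.0 255.255.255.0 192.0.2.10
route inside 172.16.0.0 255.255.255.0 192.0.2.10

! ===== L3 switch (IOS): default to context ONE, source-based PBR for 172.16.0.0/24 =====
ip routing
interface Vlan172
 description users 172.16.0.0/24 (assumed SVI number)
 ip address 172.16.0.1 255.255.255.0
 ip policy route-map SRC-172-TO-NEW-ROUTER
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip access-list extended SRC-172-16
 ! keep local inter-VLAN traffic on the switch; only Internet-bound flows get PBR
 deny   ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
route-map SRC-172-TO-NEW-ROUTER permit 10
 match ip address SRC-172-16
 set ip next-hop 192.0.2.2
```

The route-map is applied on the SVI where the 172.16.0.0/24 hosts enter the switch, so only traffic sourced from that subnet is steered to context TWO; everything else follows the default route to context ONE. The deny entry matters: without it, 172.16.x.x to 10.0.0.x traffic would also be pushed to the ASA instead of being switched locally. On IOS, `show route-map SRC-172-TO-NEW-ROUTER` shows the match counters, and on each ASA context `show route` confirms that 172.16.0.0/24 points at the L3 switch rather than at an outside interface.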
04-13-2012 03:45 AM
Thanks very much.
One last question. I think it will be better if I add another interface on the firewall and name it outside1,
and then route the traffic for that particular VLAN through that outside1 interface.
Does it work?
04-13-2012 04:00 AM
No, it will not work for what you want to achieve.
Why? When you configure the route on the ASA as you first posted:
route outside1 172.16.x.x 255.255.255.0 124.x.x.x
you instruct the ASA to route all the traffic GOING (this means having the destination) to 172.16.0.0/24 to the outside1 interface. This will never happen, because 172.16.0.0 is on the L3 switch.
So you will need to source route, meaning that you will need to route not by destination but by source (using Policy Based Routing), in order to route the traffic sourced by 172.16.0.0/24 to the second router.
Regards
Dan
04-13-2012 04:24 AM
I am confused.
From the L3 switch there is a default route to the firewall,
and from the firewall there is a default route to the router.
Now from the L3 switch all the traffic will first reach the firewall.
On the firewall there are two outside interfaces, outside1 and outside.
For outside1 I will provide an IP in the same range as 124.x.x.x.
So for 172.16.x.x I will route as route inside 172.16.x.x 255.255.255.0 172.16.x.1 (VLAN IP created on the L3 switch as an SVI)
on the firewall,
route outside1 172.16.x.x 255.255.255.0 124.x.x.x (IP of the second router).
So will it work or not?
04-13-2012 04:52 AM
"route outside1 172.16.x.x 255.255.255.0 124.x.x.x"
This command tells the equipment where 172.16.x.x 255.255.255.0 is, not where to send the traffic for that prefix.
So you are telling the ASA that 172.16.x.x 255.255.255.0 is located on the outside1 interface.
To answer your question: no, it will not work.
Regards
Dan
04-13-2012 07:33 AM
Hi,
You are right.
So now, if I want to route 172.16.x.x traffic to the outside1 interface, how can I make it possible?
I do not want to NAT this traffic...