Routing to different routes instead of default gateway

chenbc
Level 1

Hello All,

We have ASA5510 as a NAT server, and it works correctly on NAT for inside computers.

But for some reasons, we want these inside hosts to connect to some outside network hosts via a different route.

i.e.:

inside_hosts  --------->  Internet
      |
      --------------------> The other router (the same subnet as inside_hosts) -----------> Some hosts on internet

We have added a static route to the other router in order to connect to these hosts, but it doesn't work.

Is there any way to achieve this on ASA?

Thanks a lot, all


apothula
Level 1

Hi Steve,

I guess you could do some policy-based NAT to get this thing working.

Please refer to the following document for more details,

https://supportforums.cisco.com/docs/DOC-1692.

Here we talk about Policy NAT for VPN traffic. In our scenario, the ACL used for Policy NAT has to classify the traffic going to the remote servers.

Let me know if you have further queries.


Cheers,

Nash.

apothula
Level 1

Maybe I am not getting this properly. Could you please provide us with a better topology diagram with labelled devices?

Cheers,


Nash.

Hello,

The diagram is shown below:

                    NAT
ASA5510 -------------------------->  Internet  (Way 1)
(10.1.1.a)   |
             |
             --------------->  RouterA (10.1.1.z)  -------------->  Host B (y.y.y.y) (On Internet)  (Way 2)

where ASA5510 uses 10.1.1.x as the default gateway on the inside (10.1.1.0) network.

Here Way 1 works correctly, but we want to make Way 2 work without influencing Way 1.

How to achieve this?

How is Router A connected to the ASA? Via the inside interface, the outside interface, or any other interface for that matter?

Cheers,

Nash.

Hello,

Via the inside interface.

Both ASA5510 and Router A are in the same subnet (10.1.1.x).

According to the configuration you added, all internet traffic would be routed to Router A. So, please be sure of that.

Good that you have the same security commands.

We are missing TCP state bypass here, so please add it according to the configuration guide below:

http://wwwin-tools.cisco.com/casekwery/getServiceRequest.do?id=616239079&header=N&status=I&view=D

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf

Let me know how it goes.

Cheers,

Nash.

Hello,

Unfortunately, all traffic to the internet from inside hosts went out via ASA5510's outside interface by NAT instead of via Router A.

And we want to make some hosts on the internet (for example, google.com) route with Router A as the next hop.

It seems some translation is needed.

Thanks a lot

Hi Stephon,

If I understand your requirements correctly, you are looking for policy-based routing, i.e. all the traffic to the internet should go through the ASA by default except for a few resources, which should be redirected towards the router so that the router's ISP can be used.

If true, then unfortunately the ASA will not support PBR; it is supported by the router. Therefore, another obvious solution would be to use the router as your default gateway for all internal devices and let it redirect the traffic towards the ASA based on the policy (resources accessible via the ASA and the router).

Let me know if this is what you want and we can discuss the solution further.

Hello,

Yes, we need PBR for some hosts on the internet.

But is there a way to make a SNAT from 10.1.1.0 to 10.1.1.0 in order to do PBR from the ASA to Router A's outside?

This way should be useful...

Thanks a lot

Hi,

Well, I doubt that creating a SNAT on the ASA for 10.1.1.x to 10.1.1.x will help... unless you can share more details on what you intend to configure.

As per your note, "we need PBR for some hosts on internet":

- How many hosts are we talking about?

- Do we have their IP addresses?

One of the options would be to create a static route on the ASA for these destinations pointing to the router's inside interface. Once the ASA gets any such traffic, it will send it back to the router on the inside interface, and thus the traffic will go out via the router's ISP. If this is the option you want to implement, ensure that "same-security-traffic permit intra-interface" is enabled on the ASA.
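Putting the pieces from this thread together (the hairpin static route and "same-security-traffic" from this reply, plus the TCP state bypass recommended earlier), here is an ASA 8.2-style configuration fragment as an added example; it is not from the thread or from Cisco's documentation. Y and X are placeholders for the outside host and Router A's inside address, and the names TCP_BYPASS_ACL, TCP_BYPASS_CLASS and INSIDE_POLICY are my own.

```text
! Added example, not from the thread. Placeholders: Y = outside host, X = Router A inside IP.
! Object names (TCP_BYPASS_ACL, TCP_BYPASS_CLASS, INSIDE_POLICY) are assumed.

! 1. Allow a packet to enter and leave the same interface (inside-to-inside hairpin).
same-security-traffic permit intra-interface

! 2. Host route for the destination that should use Router A's ISP; next hop is Router A.
route inside Y 255.255.255.255 X

! 3. Replies from Y return through Router A directly to the inside host, so the ASA
!    sees only the client-to-server half of each TCP session and its stateful
!    checks would drop the later packets. TCP state bypass lets the matched flows
!    through without that tracking. Keep the ACL as narrow as possible: flows it
!    matches lose the ASA's TCP inspection.
access-list TCP_BYPASS_ACL extended permit tcp 10.1.1.0 255.255.255.0 host Y

class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS_ACL

policy-map INSIDE_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

service-policy INSIDE_POLICY interface inside
```

Verify with "show route" that Y resolves to next hop X on inside, and with "show service-policy interface inside" that the bypass class is attached.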

Hello,

For example, if the outside host IP is Y and Router A's inside IP is X,

we have done a static route like

"route inside Y 255.255.255.255 X"

and ensured "same-security-traffic permit intra-interface" is enabled.

But while ASA5510 is set as the default gateway for the inside hosts,

we cannot ping Y from the inside hosts.

Is there a way to achieve this?

Thanks a lot

Hello all,

According to this post: https://supportforums.cisco.com/message/884739#884739

we could achieve our goal.

Thanks a lot, all
