Re: Routing to one destination from two VLAN's

Ivo Ruetsche · ‎08-15-2013

Hi all

We have on one side an administrative net (192.168.2.0/24), that have to reach hosts in some different VLAN's (192.168.26.0/24 and 192.168.8.0/24 for example) through a vpn tunnel. The problem is, that the default GW from the hosts in the VLAN's is not the same ASA like the endpoint from the tunnel.

I attach a pic, where explain the situation (hopefully).

On the ASA with the IP 192.168.8.2/192.168.26.2 i set a route:

asa2(config)# route inside_vlan260 192.168.2.0 255.255.255.0 192.168.26.1

asa2(config)#

So, i can reach now all the hosts from the external network (192.168.2.0) who are in the 192.168.26.0 subnet - that works fine.

When i add another route for the hosts from the 192.168.8.0/24 subnet, i got this error:

asa2(config)# route inside_vlan20 192.168.2.0 255.255.255.0 192.168.8.1
ERROR: Cannot add route entry, conflict with existing routes
asa2(config)#

Hmmm, okay, it's the same destination, but a different interface and a different gateway...

Any idea how i can solve this without setting static routes on the hosts?

ASA Software Version: 9.1(2)

Thanks a lot...

Ivo

Jouni Forss · ‎08-15-2013

Hi,

Does seem like a little problematic setup especially when talking about having 2 ASA firewalls.

So if I understood correctly the ASA at ISP2 is the default gateway for the LAN networks between the 2 ASAs and this causes problem with traffic forwarding.

One option would I guess be that you specifically route the network 192.168.2.0/24 on the actual servers towards the ISP1 ASA while the default route would still be pointing towards the ISP2 ASA. If there is need to do this for several hosts or whole network then naturally its not a very desirable setup.

If you were to do this on the ISP2 ASA with the routes you mention then the routes would not be enough to pull this off.

The first problem with the above apply of routes is that you use the same/default metric. The other one has to have a worse metric. Naturally this also means that as long as ASA looks at its routing table it will forward the traffic destined to that destination network always using the route with better metric.

What you would have to do (if I am correct) is to use NAT to make the traffic take an U-turn on the Vlan20 and Vlan260 interfaces on the ISP2 ASA. The NAT will essentially first cause the ASA to choose the correct interface to forward the traffic out off while the route (even with worse metric) will then handle the forwarding of traffic towards the desired gateway.

So it would seem to me that ISP2 ASA needs atleast the following configurations

First command (if not issued yet) enables traffic to enter and leave the same interface
Route commands with different metrics to same destination networks using different interfaces/gateways
NAT configurations, each of which tell the ASA that when traffic is coming from the VLANX towards REMOTE then the outgoing/egress interface should be the same interface where the traffic entered.

same-security-traffic permit intra-interface

route inside_vlan20 192.168.2.0 255.255.255.0 192.168.8.1 1

route inside_vlan260 192.168.2.0 255.255.255.0 192.168.26.1 2

object network VLAN20

subnet 192.168.8.0 255.255.255.0

object network VLAN260

subnet 192.168.26.0 255.255.255.0

object network REMOTE

subnet 192.168.2.0 255.255.255.0

nat (inside_vlan20,inside_vlan20) source static VLAN20 VLAN20 destination static REMOTE REMOTE

nat (inside_vlan260,inside_vlan260) source static VLAN260 VLAN260 destination static REMOTE REMOTE

I have not really had a need to do such a configuration before.

Using "packet-tracer" would seem to indicate it behaves as wanted on my own test ASA.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni