09-22-2011 11:23 AM - edited 03-11-2019 02:28 PM
Is it possible to assign a static route to an interface and not globally on an ASA 5510 ver 8.3?
I have two links between my offices, one for data via a VPN and one for video traffic, which is a secure connection with QoS end to end.
All interfaces are on the same security level of 100 except Outside which is 0.
Office 1 Interfaces ASA 5510
VLAN 1 vOffice1Data 10.40.1.0/24
VLAN 3 vOffice1Video 10.40.2.0/24
VLAN 5 vInterOffice 10.40.5.0/24 (QOS connection Between Offices)
Outside 50Mb Internet / Site to Site VPN between offices
Office 2 Interfaces ASA 5510
VLAN 2 vOffice2Data 10.40.2.0/24
VLAN 4 vOffice2Video 10.40.4.0/24
VLAN 5 vInterOffice 10.40.5.0/24 (Secure connection Between Offices)
Outside 50Mb Internet / Site to Site VPN between offices
All local VLANs route between themselves OK.
Also the following far end routing is working OK:
VLAN 1 --- VLAN 2 Both Ways via Site to Site VPN
VLAN 3 --- VLAN 4 Both Ways via E-Pipe using a static Route
VLAN 1 & 2 are used for data
VLAN 3 & 4 are used for video conferencing
We are adding desktop videoconferencing to our end points, so we need to be able to route traffic from the local data network destined to the far end video network via the E-Pipe. All local data VLANs to far end data VLANs should still route traffic through the VPN connection.
As an example if I had my laptop connected to VLAN 1 I should be able to access far end VLAN 2 via Site To Site VPN and also be able to access far end VLAN 4 via the E-Pipe route.
Is this possible?
At the moment if I try to access data from VLAN 1 to VLAN 4 it gets to the destination OK, going through the static route and over the vInterOffice connection, but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
Any suggestions?
09-22-2011 11:40 AM
Ben
What you really need is PBR (Policy Based Routing), which unfortunately is not supported on the ASA.
You may be able to do something with NAT, but it would need testing as VoIP/videoconferencing doesn't always work with NAT.
Basically you use policy NAT so when traffic is sent from VLAN 1 to VLAN 4 you NAT the source VLAN 1 IP addresses. Then at site 2 you can add a specific route for the NAT subnet which would point to the QoS connection. This would mean you could still have your existing VLAN 1 route at site 2 pointing to the VPN tunnel.
Jon
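Jon's policy NAT idea written out as ASA 8.3 twice NAT configuration, as an added illustration that is not from either poster. It assumes the interface nameifs match the names in Ben's post, a hypothetical translated pool 10.40.6.0/24, and E-Pipe next hops 10.40.5.2 (seen from Office 1) and 10.40.5.1 (seen from Office 2).

```cisco
! ---- Office 1 ASA (8.3 syntax; interface names and the 10.40.6.0/24 pool are assumed) ----
object network OFF1_DATA
 subnet 10.40.1.0 255.255.255.0
object network OFF1_DATA_XLATE
 subnet 10.40.6.0 255.255.255.0
object network OFF2_VIDEO
 subnet 10.40.4.0 255.255.255.0
!
! Twice NAT: only when VLAN 1 talks to the far-end video VLAN is the source
! rewritten to the 10.40.6.0/24 pool. VLAN 1 -> VLAN 2 traffic keeps its real
! address, so it still matches the site-to-site VPN crypto ACL.
! Line 1 of section 1 so it is evaluated before any VPN identity (NAT-exempt)
! rule that would otherwise catch 10.40.1.0/24 first.
nat (vOffice1Data,vInterOffice) 1 source static OFF1_DATA OFF1_DATA_XLATE destination static OFF2_VIDEO OFF2_VIDEO
!
! Existing static route for the far-end video network over the E-Pipe
route vInterOffice 10.40.4.0 255.255.255.0 10.40.5.2 1
!
! Check: the translated flow should show the NAT hit and exit via vInterOffice
! packet-tracer input vOffice1Data tcp 10.40.1.10 40000 10.40.4.10 1720
! show nat detail
!
! ---- Office 2 ASA ----
! Return traffic for the translated pool goes back over the E-Pipe; the real
! 10.40.1.0/24 subnet is untouched and still reaches Office 1 via the VPN.
route vInterOffice 10.40.6.0 255.255.255.0 10.40.5.1 1
```

The video VLANs (3 and 4) are not translated, so their existing static routes are unchanged; the crypto ACL at both sites should not include 10.40.6.0/24, or the translated flow would be pulled into the tunnel.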
09-25-2011 07:25 AM
Hi Jon,
Thanks for your input. Unfortunately I couldn’t get your NAT solution working. Hopefully Cisco will bring out PBR on the ASA soon.
Ben