Issue with PBR and VPN access

hello, I'm trying to configure the network of my company to provide performance and VPN incoming connections.

The network is made of:

- 10Gb core-switch
- 1Gb top of rack switches with a 10Gb to core-switch connection
- multiple vlans
- Cisco ASA 5515-X

servers <--------> 10Gb CoreSwitch <------> TopOfRack switch <-----> Cisco ASA <---------> Internet <----------> VPN Users
                   172.17.10.240                                    172.17.10.254

So far, I tested the following:

TEST 1:
========
Set gateway to IP address of the core switch. The performance is present as all intervlan traffic is managed by the core switch. All my vlans have a rule "allow all" or "deny all". I don't have port or IP filtering. I configured "policy based routing" on the core-switch and set the "next-hop" IP address to be the Cisco ASA.

--> This configuration works very well for outgoing and intervlan traffic. The only issue is that my remote users connecting by VPN cannot connect to local resources.

TEST 2:
========
Set gateway to IP address of the Cisco ASA.

--> This configuration works very well for outgoing and intervlan traffic. The only issue is that the Cisco ASA is handling all intervlan traffic with a 1Gb connection, resulting in a bottleneck.

I cannot find a viable solution combining performance and VPN connection. I'd appreciate all discussion or suggestion.

Thank you in advance,
Thierry

Hello,

can you draw your setup out and post it ? Inter-VLAN routing should happen at the core switch, not the ASA, only Internet traffic should go out to the ASA.

hello Georg,

I entirely agree that intervlan routing should happen on the core-switch.

Please find attached my setup.

For outgoing traffic (everything works fine):

- my internal Equipment has an IP 172.17.110.100 with Gateway 172.17.110.240 (core-switch)

- my core-switch has PBR enabled and forwards the traffic (using set next-hop) to the ASA (172.17.110.254)

- the ASA forwards the traffic to the Internet

For incoming traffic (using remote VPN):

- my client has an IP address assigned from a pool by DHCP from the ASA

- I can reach my ASA

- The problem is that my remote client cannot reach the internal LAN. The cause must be due to an asymmetric route, the internal Equipment having a default Gateway of 172.17.110.240 and my ASA having an IP of 172.17.110.254.

Hope this helps,

Thierry
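As an added illustration (not configuration from this thread or from Thierry's switch), the following IOS-style fragment shows the PBR setup described above with the return path for VPN clients made explicit: internal and VPN-pool traffic is exempted from the policy route so the switch's own routing table handles it, and a static route tells the core switch that the pool lives behind the ASA. It assumes a Catalyst core switch running IOS, the addresses given in the reply, and a placeholder VPN pool of 172.17.200.0/24 (the thread does not state the real pool).

```text
! Added example, not from the thread. Placeholder VPN client pool: 172.17.200.0/24
!
! Traffic that should NOT be policy-routed is denied here so the core switch
! routes it from its own table; everything else (Internet-bound) is sent to the ASA.
ip access-list extended PBR-TO-ASA
 ! intervlan traffic stays on the 10Gb core switch
 deny   ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 ! replies to VPN clients follow the static route below, not the PBR next-hop
 deny   ip any 172.17.200.0 0.0.0.255
 ! Internet-bound traffic from the internal VLANs goes to the ASA
 permit ip 172.17.0.0 0.0.255.255 any
!
route-map TO-ASA permit 10
 match ip address PBR-TO-ASA
 set ip next-hop 172.17.110.254
!
! Explicit return path: the core switch must know the VPN pool is reachable via the ASA
ip route 172.17.200.0 255.255.255.0 172.17.110.254
!
! Apply the policy on each internal VLAN interface (VLAN 110 shown; assumed VLAN id)
interface Vlan110
 ip address 172.17.110.240 255.255.255.0
 ip policy route-map TO-ASA
```

The key check is the return direction: a server in 172.17.110.0/24 replying to a VPN client sends the packet to 172.17.110.240, so the core switch must have a route for the pool toward the ASA, otherwise the reply is dropped or mis-routed even though the client-to-server direction worked.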
