Routing Design Question

Gregor Blaj
Level 1

Hi,

Based on the attached diagram, would you expect the PC (192.168.10.20) to be able to get to g0/0.20 (192.168.20.250) on the ASA? Devices on both LANs have the L3 switch as their default gateway.

Basically, cloud B is a secondary internet breakout that I want to use only for Remote Access VPN (at this stage). But I want any Remote Access Clients to be dynamically PAT'd to interface g0/0.10 (192.168.10.250), since this will be easier than introducing another subnet to the whole network.

To me this configuration seems loop susceptible, as the L3 switch and the ASA can both route traffic between all subnets. I'm open to any other suggestions on how this design can be improved. The only requirements are:

1. Remote Access Clients are PAT'd to 192.168.10.250

2. L3 switch remains the default gateway

Thanks for any help.


5 Replies

Jon Marshall
Hall of Fame

But I want any Remote Access Clients to be dynamically PAT'd to interface g0/0.10 (192.168.10.250), since this will be easier than introducing another subnet to the whole network.

Edit - do you mean remote access clients coming in to the ASA from cloud B ?

If so it still doesn't make sense to me, i.e. why route the vlans on the L3 switch and also extend them to the ASA.

Just use a different vlan or L3 link for the L3 switch to ASA connection.

Jon

Yes, I mean remote access clients coming in to the ASA from B.

I want to extend them to the ASA so remote clients can appear to be coming from 192.168.10.250. Because if I create a new routable network for remote access clients, networks downstream from cloud A won't know about this new network. I'd like to avoid adding it in if possible :)

Sorry I keep having to edit these posts.

If you do what you are proposing there should be no routing loop created, it's just that return traffic to the remote clients is sent direct to the ASA.

If you have multiple remote access clients coming in with different IPs and your L3 switch has a default route that points to a different device than the ASA I can see why you would want to do it.

If the default route on the L3 switch points to that ASA I can't see why you would need it.

Jon

The ASA was only a recent addition, hence it's not the 'core' of the network. It also isn't clustered, whereas the L3 switch is in a stack.

Yes, I see your point, for the simplicity going forward I should just update the routing with the new RA subnet.

Thanks for your help.

Replied before I saw your edit :)

The default route on the L3 switch is in cloud B (i.e. not the ASA).
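Added example (not configuration from the thread or from any of its participants): one way to build the design the thread settles on, a dedicated transit VLAN between the L3 switch and the ASA plus a single route for the RA pool, with the originally proposed inside-interface PAT shown only as a commented alternative. Interface g0/0.10 and the 192.168.10.0/24 and 192.168.20.0/24 subnets come from the thread; VLAN 30, 192.168.30.0/24, the 10.200.0.0/24 pool, the nameifs and object names, and the ASA 8.3+ NAT syntax are assumptions.

```cisco
! --- ASA (assumed 8.3+ syntax; all addresses except the thread's two LANs are constructed) ---
! Dedicated transit subinterface toward the L3 switch, replacing the g0/0.10 / g0/0.20
! subinterfaces that extended VLANs 10 and 20 to the ASA.
interface GigabitEthernet0/0.30
 vlan 30
 nameif transit
 security-level 100
 ip address 192.168.30.250 255.255.255.0
!
! Address pool handed to remote access clients (assumed /24)
ip local pool RA_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
!
! Internal LANs are reached through the L3 switch over the transit VLAN
! (switch SVI assumed at 192.168.30.1); the switch stays the LAN default gateway.
route transit 192.168.10.0 255.255.255.0 192.168.30.1 1
route transit 192.168.20.0 255.255.255.0 192.168.30.1 1
!
! No NAT toward the LAN: RA clients keep their pool address, so the switch and LAN
! logs see the real client IP and return traffic follows the switch's route below
! rather than relying on a hairpin back into the ASA.
!
! The originally proposed alternative (g0/0.10 named "inside", clients PAT'd to it)
! would instead be:
!   object network RA_POOL_NET
!    subnet 10.200.0.0 255.255.255.0
!   nat (outside,inside) source dynamic RA_POOL_NET interface
! which hides every remote client behind 192.168.10.250 and loses per-client
! visibility on the LAN side.

! --- L3 switch (IOS syntax) ---
! Transit SVI facing the ASA
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
! The only route the RA design adds: the pool lives behind the ASA.
! The default route stays pointing at cloud B, as in the thread.
ip route 10.200.0.0 255.255.255.0 192.168.30.250
```

Any routers downstream of cloud A that must reach RA clients need the same 10.200.0.0/24 route (static or learned from the switch), which is the extra routing update Gregor accepts in the thread.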
