Problem routing traffic with public IP at layer 3 switch with multiple egress points

cisco24seven
Level 1

I have a Cisco 3550 that we are using for routing and switching. The switch has a default gateway to the 192.168.5.x network and is also connected to a PIX and an ASA as shown below in my diagram.

                         PIX 515           ASA
                            |               |
                            |               |
 Default G/W                |               |                 vlan 172.16.32.x
[Internet] ------------[Cisco3550]--------------------------------[App Server]

I have an application server on the 172.16.32.x subnet that sets up a VPN tunnel for remote users. Remote users will use their air card to connect through the ASA, and the traffic will reach the switch through the VLAN set up for the 172.16.32.x subnet. Incoming traffic gets to the app server from the ASA without any issues. However, once the traffic attempts to return to the user to complete the VPN tunnel, the traffic gets routed out the default gateway of the switch. I have set up a route on the 3550 that would route all 172.16.32.x traffic through the VLAN; however, since the return traffic from the application server is routed based on the destination IP, and that is a public IP, the 3550 is sending the traffic out the default gateway. I know this from analyzing a packet capture of the traffic. The remote users use different air card providers like AT&T, Verizon, etc., and the public IP address of each air card is bound to change over time, so I cannot put a route in the 3550 for the public IP address, nor do I think that is a secure option. The 3550 is an SMI image, so policy-based routing is not available on this switch.

How can I solve this issue in the best and most secure way? I would be grateful for any help on this one.

Thanks

2 Replies

milan.kulik
Level 10

Hi,

I see two possibilities here:

a) terminate VPN tunnels on your ASA and connect to the server using private IP addresses from the clients

b) put the server to the same VLAN as ASA and configure ASA IP address as the default gw on the server.

Not sure though if any of them is suitable for you:

for a) the VPN client would probably have to be changed

for b) is the server communicating with any other targets in the Internet/your LAN? Multiple NICs might be necessary then.

HTH,

Milan

Putting the server on the same VLAN as the ASA would probably be the best option; however, the server needs to authenticate against AD and have access to DHCP and several other resources on the internal LAN. How would this be set up?
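The following is an added illustration, not a reply from anyone in this thread and not Cisco's code. It models the two routing tables the thread talks about as plain longest-prefix-match lookups: first the 3550 as described (connected server VLAN plus a default route), which shows why the VPN return traffic to a public client address always leaves via the switch's default gateway no matter where it came from, and then the server's own table under option b), where the ASA is the server's default gateway and only the internal LAN prefixes are sent back to the switch. All host addresses, the 203.0.113.45 client address and the 192.168.0.0/16 summary for the internal LAN are constructed assumptions; the thread only gives the 192.168.5.x and 172.16.32.x prefixes.

```python
import ipaddress

# Constructed sample addresses (assumptions, not from the thread):
GW_3550_DEFAULT = "192.168.5.1"   # the 3550's default gateway on the 192.168.5.x network
SVI_172_16_32 = "172.16.32.1"     # the 3550's SVI in the server VLAN
ASA_INSIDE = "172.16.32.2"        # ASA inside address, used as the server's default gw in option b)
APP_SERVER = "172.16.32.10"       # the application server
REMOTE_CLIENT = "203.0.113.45"    # an air-card public address (documentation range)


def build_table(routes):
    """routes: (prefix, next_hop) pairs; next_hop None means directly connected."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Destination-only longest-prefix match, the same decision a static/connected
    route table makes on a switch without policy-based routing. Note that the
    source address is never an input, which is exactly the original poster's problem."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, next_hop = best
    return next_hop if next_hop is not None else f"connected:{net}"


# The 3550 as described in the question: the server VLAN and the 192.168.5.x
# network are connected, everything else follows the default route.
SWITCH_3550 = build_table([
    ("172.16.32.0/24", None),
    ("192.168.5.0/24", None),
    ("0.0.0.0/0", GW_3550_DEFAULT),
])

# Option b): the server's own routing table. Default goes to the ASA so VPN
# return traffic reaches the remote client; the internal LAN (AD, DHCP, other
# resources, assumed to be summarised by 192.168.0.0/16) still goes via the 3550.
SERVER_OPTION_B = build_table([
    ("172.16.32.0/24", None),
    ("192.168.0.0/16", SVI_172_16_32),
    ("0.0.0.0/0", ASA_INSIDE),
])


def return_path_via_3550(dst=REMOTE_CLIENT):
    """Where the 3550 sends the server's reply to a public client address."""
    return lookup(SWITCH_3550, dst)


def server_next_hop(dst):
    """Where the server itself forwards a packet under option b)."""
    return lookup(SERVER_OPTION_B, dst)


if __name__ == "__main__":
    print("3550 reply to VPN client ->", return_path_via_3550())          # default gateway, as captured
    print("server (opt. b) to VPN client ->", server_next_hop(REMOTE_CLIENT))  # ASA
    print("server (opt. b) to AD/DHCP   ->", server_next_hop("192.168.5.20"))  # 3550 SVI
```

The second table is the answer to the follow-up question in routing terms: the server keeps one NIC in the shared VLAN, points its default route at the ASA, and carries a static route for each internal prefix via the 3550's address in that VLAN. Whether that is done with host routes or a second NIC is an operational choice; both keep the switch's destination-only forwarding out of the VPN return path.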