Route Internet traffic across a P2P between two firewalls

dbuckley77
Level 1

I have two firewalls that are connected, an ASA and a Sonicwall.  I have a LAN hanging off the Sonicwall and want to send its traffic across.  I have already created a route policy on the Sonicwall to send the traffic out the interface that faces the Cisco ASA.   I need to know how to create a route and access rule on the ASA to get this to work.

On the sonicwall:

LAN is on X5 interface and the subnet is 10.98.3.0

Interface facing the other Firewall is called city and the IP is 10.99.0.3

Route policy is already in place

On the ASA

interface facing the Sonicwall is 10.99.0.2

outside interface facing isp is 71.181.12.193 with gateway of .194

access rule is in place to allow all ip from the 10.98.3.0 network to the outside interface

I think I need some kind of static route in place to get the 10.98.3.0 traffic coming in on the interface facing the Sonicwall to the outside interface facing the ISP, but am at a loss to get this done.

20 Replies

I think the line is there because there was no need to translate them.  That network (10.98.3.0) comes across the link between the Sonicwall and ASA to access resources on a LAN hanging off the ASA.  There are various rules in place for this.  Currently internet traffic originating on the 10.98.3.0 LAN goes out a WAN interface on the Sonicwall.  We want to change it so that it comes across the link between the ASA and Sonicwall and goes out the wan interface on the ASA.

Does that clarify things?

Yes it does.

Do you need any NAT exemption for the 10.98.3.x IPs if they go via the ASA or can you just translate them because they will only ever be going to the internet ?

And if so what IP do you want to translate them to, the ASA outside interface IP ?

Jon

I'm not sure what you mean by NAT exemption?  The traffic will be coming from the 10.98.3.0 network for both the purposes of accessing resources on the ASA LAN and going out to the internet.

I am assuming we would be natting the 10.98.3.0 IPs to the same IP address that we are natting the hosts on the ASA LAN to.

Sorry, NAT exemption simply means do not translate the IPs which is what those two lines are doing.

If you want to preserve the IPs ie. do not translate them for some access but translate for internet then you need to do two things -

1) modify the acl you are using ie.

"access-list Library_nat0_outbound extended permit ip any any"

you cannot have any as the destination IPs, you will need to specify the IPs you do not want the 10.98.3.x IPs translated for.

So that would be any other resources accessed on the ASA I assume and I am guessing somewhat here as it is still not entirely clear.

2) you then need a matching nat/global pair for internet access.

If the LAN is inside then it looks like you are using

"nat (inside) 10 0.0.0.0 0.0.0.0"

so you would just need -

"nat (Library) 10 0.0.0.0 0.0.0.0"

and it would use corresponding "global (outside) 10 ..." command.

Jon
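Putting the two steps above together, here is an added example of what the ASA side could look like in pre-8.3 nat/global syntax. This is not configuration from the thread; the interface names Library, inside and outside and the ACL name come from the posts, while 10.10.10.0/24 is a placeholder for the ASA-side LAN that the thread never names.

```cisco
! Static route to the Sonicwall LAN, reachable through the Library interface
route Library 10.98.3.0 255.255.255.0 10.99.0.3 1

! Step 1: NAT exemption only toward the ASA LAN, not "any any".
! 10.10.10.0/24 is a placeholder for the real ASA-side subnet.
access-list Library_nat0_outbound extended permit ip 10.98.3.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Library) 0 access-list Library_nat0_outbound

! Step 2: everything else from 10.98.3.0/24 (i.e. internet-bound) is
! translated by NAT id 10, the same id the inside LAN already uses, so it
! shares the existing "global (outside) 10 ..." entry (shown here as the
! outside interface address; keep whatever global 10 is already configured).
nat (Library) 10 10.98.3.0 255.255.255.0
global (outside) 10 interface

! Permit the Sonicwall LAN inbound on the Library interface; narrow "any"
! to the ASA LAN plus internet destinations if the policy requires it.
access-list Library_access_in extended permit ip 10.98.3.0 255.255.255.0 any
access-group Library_access_in in interface Library
```

nat 0 with an ACL is evaluated before the numbered nat statements, so only the destinations listed in Library_nat0_outbound keep their original addresses; verify with "show xlate" and "show nat" after a test flow from 10.98.3.0/24.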

I have added a diagram of the firewalls if it would help a little.

The screen shot was very clear that the route had been created. The CLI output is a bit ambiguous. Is this the route that we are talking about?

S    Library_Staff_Wired_Network 255.255.255.0 [1/0] via 10.99.0.3, Library

If so then your routing looks right. Do we understand from the question that this is not working? If so there are a few other things that we need to understand about the configuration:

- what is the security level for interface library?

- what is the security level for interface outside?

- are there access policies configured on interface library?

- are you doing address translation on the ASA? If so are you translating the 10.98.3.0 addresses?

HTH

Rick
