PIX / ASA Tunneled Default Gateway (TDG) / trouble with learned routes

eisenberg
Level 1

My Tunneled Default Gateway (TDG) on my PIX running 8.04 is working as expected with one exception. My problem has to do with encrypted traffic with a destination of 206.125.125.0/24 not taking the TDG due to a learned route. In turn, encrypted traffic destined for 206.125.125.0/24 is trying to go out of the ASA outside interface, since the outside interface is defined within 206.125.125.0/24. This learned route problem is being caused by my ASA outside interface having an IP within 206.125.125.0/24. It is looking like I will need to create individual route statements for IPs 206.125.125.2 thru .249 and .251 thru .253. I had to skip .250 since it lives on the ASA outside interface. I omitted .1 since it is the default gateway of the firewall.

!
interface Ethernet0
nameif outside
security-level 0
ip address 206.125.125.250 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 206.125.125.1 1
route outside 10.20.185.0 255.255.255.0 206.125.125.1 1
route outside 10.20.195.0 255.255.255.0 206.125.125.1 1
route inside 0.0.0.0 0.0.0.0 10.100.100.254 tunneled
!

I would like to avoid putting all of the individual routes on the firewall... looking for any suggestions.

According to this statement taken from the URL below it is this learned route that is keeping all encrypted traffic destined for 206.125.125.0/24 from taking the TDG and sending it out of the ASA outside interface.

"You can define a separate default route for tunneled traffic along with the standard default route. Unencrypted traffic received by the ASA, for which there is no static or learned route, is routed through the standard default route. Encrypted traffic received by the ASA, for which there is no static or learned route, will be passed to the DTG defined through the tunneled default route."

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b4f50d.shtml

FYI - IP addresses used in this thread are bogus (scrubbed)


Herbert Baerten
Cisco Employee

Hi,

Well, as you wrote (quoting the documentation), this is expected behavior.

Now it seems strange that you are using the same IP range on the outside and on the inside... is that because you got a /24 from your ISP and you want to use some of these addresses on the inside?

If on the outside you only have the ASA and the gateway, then  you could change the addressing and mask there, e.g. keep the router as .1 but change the ASA to .2, and change the mask to 255.255.255.252 on both.

Then the ASA will only consider 206.125.125.0 255.255.255.252 (so .0 through .3) as a connected route, and all the rest will follow your TDG.


Other than that I don't really see an elegant solution. Of course, if you do decide to add static routes pointing to the inside, then you don't have to add 252 host routes. You could aggregate as much as possible (although this makes the list shorter, it is perhaps less readable):

route inside 206.125.125.2 255.255.255.255  10.100.100.254
route inside 206.125.125.3 255.255.255.255  10.100.100.254
route inside 206.125.125.4 255.255.255.252  10.100.100.254
route inside 206.125.125.8 255.255.255.248  10.100.100.254
route inside 206.125.125.16 255.255.255.240  10.100.100.254
route inside 206.125.125.32 255.255.255.224  10.100.100.254
route inside 206.125.125.64 255.255.255.192  10.100.100.254
route inside 206.125.125.128 255.255.255.128  10.100.100.254

Not sure if that last one will cause any problem since it includes .250 - you may need to divide it up into smaller parts similar to the first half.

hth

Herbert
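The aggregation above can be generated rather than worked out by hand, and the .250 question answered at the same time: the script below (an added example, not from the thread or from Cisco) computes the smallest set of prefixes that covers every usable host of the /24 except the addresses you list, so .1 and .250 stay on the connected route. Address values and the next hop are taken from the configs posted in this thread.

```python
import ipaddress


def covering_prefixes(network, excluded):
    """Smallest set of prefixes covering every usable host in `network`
    except the addresses in `excluded` (those stay uncovered, so they
    keep following the connected route)."""
    net = ipaddress.ip_network(network)
    hosts = list(net.hosts())
    last = hosts[-1]
    skip = sorted(ipaddress.ip_address(a) for a in excluded)
    blocks = []
    start = hosts[0]
    # Walk the gaps between excluded addresses and aggregate each gap.
    for stop in skip + [last + 1]:
        if stop > start:
            blocks.extend(ipaddress.summarize_address_range(start, min(stop - 1, last)))
        start = max(stop + 1, start)
    return blocks


def is_covered(prefixes, addr):
    """True if `addr` falls inside any of the generated prefixes."""
    return any(ipaddress.ip_address(addr) in p for p in prefixes)


def asa_route_lines(prefixes, iface, next_hop):
    """Render prefixes as ASA static routes (network mask next-hop)."""
    return [f"route {iface} {p.network_address} {p.netmask} {next_hop}" for p in prefixes]


if __name__ == "__main__":
    # Constructed from the thread: keep .1 (DG) and .250 (ASA outside) uncovered.
    blocks = covering_prefixes("206.125.125.0/24", ["206.125.125.1", "206.125.125.250"])
    print("\n".join(asa_route_lines(blocks, "inside", "10.100.100.254")))
```

For this /24 the result is 14 routes instead of 252 host routes, and the block that would have swallowed .250 is split so that the ASA's own address is never routed inside.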

Actually there *might* be another way:

route inside 206.125.125.0 255.255.255.128  10.100.100.254
route inside 206.125.125.128 255.255.255.128  10.100.100.254
route outside 206.125.125.1 255.255.255.255  206.125.125.1

i.e. break the /24 into two /25s and route those to the inside (you cannot route the entire /24 to the inside since it would conflict with the existing connected route), and only add a static host route to your DG on the outside.

Out of curiosity I did a quick test in the lab and at first sight this seems to work; I did not test much, but I can still ping my DG on the outside (I can't ping my own interface address anymore, but I don't think this should be a problem). I'm not giving any guarantees though.

Personally I would still consider this a 'duct tape' solution; I would prefer to re-size the outside subnet to a /30.

hth
Herbert

I like the idea of changing the outside interface and upstream route to /30. Unfortunately I am unable to change the mask of the upstream router due to other dependencies.


I am going to try the static route solution below. I will let you know how it goes.

route inside 206.125.125.0 255.255.255.128  10.100.100.254
route inside 206.125.125.128 255.255.255.128  10.100.100.254
route outside 206.125.125.1 255.255.255.255  206.125.125.1


thanks again

In addition to the routes you recommended, I added routes for the two broadcast addresses created when we divided the /24.

route inside 206.125.125.0 255.255.255.128  10.100.100.254
route inside 206.125.125.128 255.255.255.128  10.100.100.254
route outside 206.125.125.1 255.255.255.255  206.125.125.1
route inside 206.125.125.127 255.255.255.255 10.100.100.254
route inside 206.125.125.128 255.255.255.255  10.100.100.254

I suppose the last one should be

route inside 206.125.125.255 255.255.255.255  10.100.100.254

although I really don't see a need for those 2 extra routes - these 2 addresses are included in the /25 routes...

Herbert

My inside interface is on a different subnet than the outside interface

outside - 206.125.125.0/24

inside - 10.100.100.0/24

My inside interface is on a different subnet than the outside interface

outside - 206.125.125.0/24

inside - 10.100.100.0/24

That I understood. But you also want to route 206.125.125.0/24 (minus .1 and .250) to a router on the inside - so you are using that same address range somewhere on your internal network?

Anyway, this is not really important; I was just curious since this is an unusual way of working.

Herbert