cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
327
Views
0
Helpful
8
Replies
Douglas Holmes
Beginner

Tunneled Route - Need for two gateways

Greetings,

I have a problem that currently is solved through Static Routes.  Users connect to the ASA and gain access to the trusted network for everything, including local resources and Internet.  Hence the static route is on the trusted side.  Since users need to go anywhere from local Exchange Server and DNS to google or even comedy central or ebay.  All networks that connect to the ASA have a static route on the outside that points to the gateway.  The ASA is used to terminate IPSEC connections only. We use both AnyConnect and strongSwan. 

I have tested a bit with the "tunneled" route, but it is my understanding that it only routes encrypted traffic.  I can see from testing that it does not necessarily replace the static route when initiating tunnels since they are not encrypted yet? 

The problem is right now all my users are from known IP space.  This will change shortly to any IP space world wide.  How do I adjust when this change occurs?  Thanks.

Douglas

8 REPLIES 8
Aditya Ganjoo
Cisco Employee

Hi Douglas,

You are right.

Only the VPN Client/User connected to this ASA will use the Static routes for the specific networks if the user tries to connect some destination address mentioned by those routes. If it doesn't match those static routes then it will use the "tunneled" default route.

The "tunneled" parameter doesnt mean that the traffic is encrypted. It just refers to the fact the "route" command used is used to forward traffic incoming from a VPN connection.

Regards,

Aditya

Please rate helpful posts.

Thanks Aditya for the information.  However, my basic question is still unanswered.  That question is if my default route is on the trusted network (or inside network), how do I route on the untrusted (or outside network) so that users can hit the outside address of the ASA and receive return traffic from anywhere in the world. 

I have two ASA's setup in the lab.  One running AnyConnect and another running strongSwan.  I can test any suggestions that anyone might have pretty quickly since I won't be impacting users. 

Hi Douglas,

The only thing I can think of is using PBR on ASA.

Its supported from 9.4 code of ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html

Regards,

Aditya

Please rate helpful posts.

Thanks again for your input.  Would this be what you were referring to:

access-list s-pbr extended permit udp any4 eq 4500 interface Outside
access-list s-pbr extended permit udp any4 eq isakmp interface Outside
access-list s-pbr extended permit tcp any4 eq www interface Outside
access-list s-pbr extended permit tcp any4 eq https interface Outside

route-map s-pbr-map permit 12
set ip next-hop 10.10.10.1
match ip address s-pbr
set interface outside

int g0/0
policy-route route-map s-pbr-map

Not sure I got the syntax right on this since it doesn't work.  I will go back to the configuration guide again. 

Hi Douglas,

I am not sure what specific traffic do you need to allow through the outside interface but if you follow the correct syntax you should be able to pass the traffic.

You should be able to verify if the traffic is hitting the correct policy by using a packet-tracer command.

Use show policy-route to check the policies.

And then a packet-tracer to see the following phase in the output:

Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW

Do you see this phase in the packet trace output ?

Regards,

Aditya


Please rate helpful posts.

Thanks again for the response.  The "show policy-route" just shows me that I have a policy route applied:

device# show policy-route
Interface                           Route map
GigabitEthernet0/0                  s-pbr-map

I know its not working since nobody can connect once I remove the static route. 

On a packet trace I get denied by configured rule.  I really am looking for all responses from ports tcp https, udp 500 and udp 4500 to be send to the gateway on the outside.  Doesn't seem so hard.  But its starting to look that way. 

Hi Douglas,

This means the rules created are not taking effect.

Until we sort the rules for this traffic we would not be able to route the traffic.

Let me check at my end and I will keep you posted.

Regards,

Aditya

Content for Community-Ad