12-24-2012 01:46 AM
Dears!
I'm facing the following problem.
I have an ASA 5510.
My ISP provides me with 2 separate public networks. One is routable from the outside world and one is not (and is used as the gateway for that routable network).
Assume that the non-routable network is a.a.a.a and the routable one is b.b.b.b,
so we have 2 interfaces on the ASA: a.a.a.1 and b.b.b.1.
Physically, network b.b.b.b is behind network a.a.a.a; one cable comes to me and is plugged into the ASA.
As I said, all traffic from/to the external (routable) network goes through network a.a.a.a (and a default gateway at the ISP).
So the problem:
For my international partners I need to provide VPN.
So the traffic flow is the following:
For example, a client with public IP 1.1.1.1 using the Cisco VPN client tries to connect to b.b.b.1.
The packet arrives at interface a.a.a.1 and............. is discarded.
7 | Dec 24 2012 | 11:09:47 | 710005 | 1.1.1.1 | 62548 | b.b.b.1 | 10000 | TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000 |
I assume that the ASA discards the packet BECAUSE IT COMES FROM THE WRONG interface.
Am I right?
I also tried to set up a bypass policy, but with no effect.
Who can point me to how to resolve this problem?
12-24-2012 03:08 AM
Hello,
This is by design. The ASA doesn't allow communication to an interface IP address if the traffic is coming in from a different interface. In my opinion, what you should do is give the b.b.b.1 IP address to your outside interface and let your VPN partners establish their VPN to that IP. Otherwise, let your provider route a.a.a.a globally.
regards
Harish
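To make the suggestion above concrete, here is an added illustrative ASA configuration fragment. It is not from the original thread and not the poster's actual configuration; interface names (Ethernet0/0, Ethernet0/1, "public"), the /24 masks, the crypto map name vpn_map and the ISP gateway address a.a.a.254 are all assumptions. Lines beginning with "!" are explanatory comments, not ASA commands. The first half shows the layout that produces the 710005 drop (the VPN terminated on an interface other than the one the ISP actually delivers traffic to); the second half terminates the VPN on the interface that owns the address the peers connect to.

```text
! --- Assumed "before": b.b.b.1 lives on a second interface, but the ISP
! --- hands every packet to the cable attached to "outside" (a.a.a.1).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address a.a.a.1 255.255.255.0
!
interface Ethernet0/1
 nameif public
 security-level 0
 ip address b.b.b.1 255.255.255.0
!
crypto isakmp enable public
crypto map vpn_map interface public
!
! A VPN client sending to b.b.b.1 enters on "outside". The ASA drops
! to-the-box traffic addressed to another interface's own IP, which is
! what syslog 710005 ("TCP request discarded ... to internet:b.b.b.1/10000")
! reports. A bypass/permit rule does not change this, because the drop
! happens before the packet is treated as through-the-box traffic.

! --- Assumed "after": give the arriving interface the routable address
! --- and bind the VPN to that interface.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address b.b.b.1 255.255.255.0
!
! Assumption: the ISP gateway a.a.a.254 must still be reachable (answer ARP)
! on this link and must deliver b.b.b.1 here; confirm this with the ISP.
route outside 0.0.0.0 0.0.0.0 a.a.a.254
!
crypto isakmp enable outside
crypto map vpn_map interface outside
```

After the change, the quick checks are `show interface ip brief` (b.b.b.1 is now on outside), `show run crypto isakmp` (ISAKMP enabled on outside only) and `show logging | include 710005` while a partner connects: the discard message for b.b.b.1/10000 should no longer appear, and `show crypto isakmp sa` should list the peer instead.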
12-24-2012 03:30 AM
Yes, I know that the ASA doesn't allow it. But... maybe there is a way to work around this,
because it's not possible to route it globally (I already asked the ISP about this).