ASA Static route issues

We have a VPN device that is not plugged into our Cisco ASA firewall; it's on an outside IP address parallel to the firewall. Its inside interface is plugged into our local network. What we ideally want to do is have any traffic destined for a network that this device controls via VPN be routed directly to it. Our users' gateway is our Cisco firewall. I put a static route in the Cisco to this device for those networks, and from the Cisco side I'm able to ping those networks just fine. However, on the client side the Cisco is not allowing any of the traffic to flow through. Ideally we don't want the ASA to process this traffic, but since it's a firewall it seems it will need to. I did try to put some access lists in there, but it just won't allow the traffic through. The route is using the inside interface since the VPN device is on our local network. Is there a way to tell the Cisco not to route the traffic destined for those networks through the firewall, but just to build the routing table? Or is there a better way to accomplish this?
entserv asked:
poweruser32 commented:
Is the VPN device NATted behind the firewall? You said it has its own public address?
entserv (author) commented:
It is behind the firewall but not NATted. It has its own public IP but isn't connected to the firewall at all. All it will be doing is VPN. The issue is that our internal gateway is the ASA; we don't have a router in between. So I put a route in the ASA hoping it could just pass the traffic on, but then realized it probably is going to need to inspect it. I'm just not sure what the best solution is. Obviously a router in between would work, but we'd like to avoid doing so since it seems like a big step for a small(ish) issue.
poweruser32 commented:
Yeah, I suppose it's the case that you can have only one gateway at any time. I think as well the Cisco doesn't allow that kind of routing you tried to set up. We will have to wait for the experts to come in on this.
lrmoore commented:
This is a design "feature" of PIX/ASA in that it will not re-route any packet back out the same interface that it came in on, except in certain specific instances.
You can add a static route entry on any host that needs to access the VPN subnet, pointing to the other device, i.e., where my ASA is 192.168.222.1, the VPN device is 192.168.222.254 and the remote LAN is 10.10.10.0:

  C:\>route add -p 10.10.10.0 mask 255.255.255.0 192.168.222.254
entserv (author) commented:
Thank you both for the posts and ideas. I suddenly realized I could just add a static route via our DHCP that would allow all of the users to get to that VPN device when needed and still use the gateway when needed for internet access. That worked like a charm and took the ASA out of the loop. The route add command you mentioned I will save for future use though. Thanks!!
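The DHCP-delivered static route that entserv settled on is carried in DHCP option 121, the RFC 3442 Classless Static Route option (Windows DHCP servers also expose Microsoft's pre-standard option 249, which uses the same wire format). The encoder and decoder below are an added example for this thread, not code from the thread, from Cisco or from any DHCP vendor; the addresses are the ones lrmoore used above, and the DHCP server, whatever it is, is assumed to accept raw option bytes. One caveat the RFC spells out and that is easy to miss: a client that receives option 121 must ignore option 3 (Router), so the default route has to be listed in option 121 as well or the hosts lose their internet gateway. The VPN device's own reply traffic goes straight back to the host on the same LAN, which is why this keeps the ASA out of the path entirely.

```python
"""DHCP option 121 (RFC 3442 Classless Static Route) encoder/decoder.

Added example, not code from the thread. Wire format per route:
  1 byte   prefix length (0..32)
  N bytes  significant octets of the destination, N = ceil(prefixlen / 8)
  4 bytes  gateway address
Addresses below are the ones used in lrmoore's answer (assumed example network).
"""
import ipaddress
from typing import List, Tuple

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft's pre-standard code, same encoding

Route = Tuple[str, str]  # (destination CIDR, gateway)


def encode_routes(routes: List[Route]) -> bytes:
    """Encode a list of (cidr, gateway) pairs into the option 121 payload."""
    payload = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        width = net.prefixlen
        significant = (width + 7) // 8
        payload.append(width)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(gw).packed
    return bytes(payload)


def decode_routes(payload: bytes) -> List[Route]:
    """Decode an option 121 payload back into (cidr, gateway) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        i += 1
        significant = (width + 7) // 8
        dest_bytes = payload[i:i + significant]
        if len(dest_bytes) != significant:
            raise ValueError("truncated destination")
        dest_bytes += b"\x00" * (4 - significant)
        i += significant
        gw_bytes = payload[i:i + 4]
        if len(gw_bytes) != 4:
            raise ValueError("truncated gateway")
        i += 4
        dest = f"{ipaddress.IPv4Address(dest_bytes)}/{width}"
        routes.append((dest, str(ipaddress.IPv4Address(gw_bytes))))
    return routes


def build_option(routes: List[Route], code: int = OPTION_CLASSLESS_STATIC_ROUTE) -> bytes:
    """Full TLV (code, length, payload). A single DHCP option holds at most 255 bytes."""
    payload = encode_routes(routes)
    if len(payload) > 255:
        raise ValueError("payload too long for one option; split across several")
    return bytes([code, len(payload)]) + payload


def office_routes() -> List[Route]:
    """Routes for the scenario in the thread (assumed addresses from lrmoore's answer).

    The VPN-reachable LAN goes via the parallel VPN device; the default route
    via the ASA must be listed too, because RFC 3442 makes the client ignore
    option 3 (Router) whenever option 121 is present.
    """
    return [
        ("10.10.10.0/24", "192.168.222.254"),  # remote LAN via VPN device
        ("0.0.0.0/0", "192.168.222.1"),        # everything else via the ASA
    ]


if __name__ == "__main__":
    opt = build_option(office_routes())
    print("option 121 bytes:", opt.hex())
    print("decoded:", decode_routes(opt[2:]))
```

The hex the script prints is what you would paste into a DHCP server that takes raw option data; servers with a native "classless static routes" field take the CIDR/gateway pairs directly and do this encoding for you. Using `strict=True` in the encoder is deliberate: a destination with host bits set (10.10.10.1/24) would otherwise be silently truncated to the significant octets and hand every client a route you did not intend.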
Question has a verified solution.