• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 619

ASA Static route issues

We have a VPN device that is not plugged into our Cisco ASA firewall - it's on an outside IP address parallel to the firewall.  Its inside interface is plugged into our local network.  What we ideally want to do is have any traffic destined for a network that this device controls via VPN be routed directly to it.  Our users' gateway is our Cisco firewall.  I put a static route in the Cisco to this device for those networks - and from the Cisco side I'm able to ping those networks just fine.  However, on the client side the Cisco is not allowing any of the traffic to flow through.  Ideally we don't want the ASA to process this traffic, but since it's a firewall it seems it will need to.  I did try to put some access lists in there - but it just won't allow the traffic through.  The route is using the inside interface since the VPN device is on our local network.  Is there a way to tell the Cisco to not route the traffic destined for those networks through the firewall - to just build the routing table?  Or is there a better way to accomplish this?
0
Asked: entserv
1 Solution
 
poweruser32Commented:
is the vpn device natted behind the firewall-you said it has its own public address?
0
 
entservAuthor Commented:
It is behind the firewall but not natted.  It has its own public IP - but isn't connected to the firewall at all.  All it will be doing is VPN.  The issue is that our internal gateway is the ASA - we don't have a router in between.  So I put a route in the ASA hoping it could just pass the traffic on - but then realized it probably is going to need to inspect it.  I'm just not sure what the best solution is.  Obviously a router in between would work, but we'd like to avoid doing so since it seems like a big step for a small(ish) issue.
0
 
poweruser32Commented:
Yeah, I suppose it's the case that you can have only 1 gateway at any time. I think as well the Cisco doesn't allow that kind of routing you tried to set up. We will have to wait for the experts to come in on this.
0
 
lrmooreCommented:
This is a design "feature" of PIX/ASA in that it will not re-route any packet back out the same interface that it came in on except in certain specific instances.
You can add a static route entry on any host that needs to access the vpn subnet pointing to the other device, i.e.
Where my ASA is 192.168.222.1 and the VPN device is 192.168.222.254 and the remote lan is 10.10.10.0

  C:\>route add -p 10.10.10.0 mask 255.255.255.0 192.168.222.254
0
 
entservAuthor Commented:
Thank you both for the posts and ideas.  I suddenly realized I could just add a static route via our DHCP that would allow all of the users to get to that VPN device when needed and still use the gateway when needed for internet access.  That worked like a charm and took the ASA out of the loop.  The route add command you mentioned I will save for future use though - thanks!!
0
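The two workarounds in this thread are the same route delivered two ways: lrmoore's per-host `route add`, and the asker's DHCP-delivered static route. On the wire, a DHCP static route is the Classless Static Route option (option 121, RFC 3442), whose payload is a list of (prefix length, significant destination octets, next hop) entries. The block below is an added example, not code from this thread or from any DHCP server; it encodes and decodes that payload for the addresses lrmoore used (ASA 192.168.222.1, VPN device 192.168.222.254, remote LAN 10.10.10.0/24), which are taken from the thread, and it handles the edge case that bites people in practice: RFC 3442 says a client that receives option 121 ignores the plain Router option (3), so the default route via the ASA must be included in option 121 or clients lose internet access.

```python
"""Encode/decode DHCP option 121 (Classless Static Route, RFC 3442).

Added example: constructed for this thread, not a real DHCP server's code.
Addresses below are the ones lrmoore used in the thread.
"""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442 option code

# Constructed route table for the scenario in the thread:
#   remote VPN LAN  -> VPN device, bypassing the ASA
#   default route   -> ASA (must be repeated here; option 3 is ignored
#                      by clients once option 121 is present)
ROUTES = [
    ("10.10.10.0/24", "192.168.222.254"),
    ("0.0.0.0/0", "192.168.222.1"),
]


def encode_classless_static_routes(routes):
    """Return the option *data* (no code/length prefix) for a list of
    (destination CIDR, next hop) pairs, per RFC 3442 section 3."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        bits = net.prefixlen
        nbytes = (bits + 7) // 8                          # significant octets only
        out.append(bits)
        out += net.network_address.packed[:nbytes]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_classless_static_routes(data):
    """Parse option 121 data back into (CIDR, next hop) string pairs.
    Raises ValueError on malformed or truncated input."""
    routes = []
    i = 0
    while i < len(data):
        bits = data[i]
        i += 1
        if bits > 32:
            raise ValueError(f"invalid prefix length {bits}")
        nbytes = (bits + 7) // 8
        if i + nbytes + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + nbytes]) + b"\x00" * (4 - nbytes)
        i += nbytes
        gateway = bytes(data[i:i + 4])
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{bits}",
                       str(ipaddress.IPv4Address(gateway))))
    return routes


def build_option_121(routes):
    """Full TLV as it appears in the DHCP options field: code, length, data."""
    data = encode_classless_static_routes(routes)
    if len(data) > 255:
        raise ValueError("option 121 data exceeds 255 bytes; split or trim routes")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(data)]) + data


def has_default_route(routes):
    """Sanity check before publishing: without a 0.0.0.0/0 entry, RFC 3442
    clients end up with no default gateway at all."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


if __name__ == "__main__":
    tlv = build_option_121(ROUTES)
    print("option 121 TLV:", tlv.hex())
    print("decoded:", decode_classless_static_routes(tlv[2:]))
    print("default route present:", has_default_route(ROUTES))
```

When loading this into a DHCP server, keep in mind that older Windows clients read the same encoding from the Microsoft-specific option 249 rather than 121, so many sites publish both. The per-host `route add -p` in lrmoore's answer achieves the same result for a single machine without touching DHCP.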
 
ee_autoCommented:
Question PAQ'd, 125 points refunded, and stored in the solution database.
0
