joe90kane
asked on
Cisco ASA 5510 Routing between 2 ASA's
Hello,
I have 2 ASAs
ASA1 + 4Mb leased line (7 VPNs all connect back to head office)
subnets of sites are 192.168.1.*** / 2.*** / 3.*** / 4.*** / 5.*** / 6.*** / 7.***
------------
ASA2 + 4Mb ADSL2+ (simple config, as above)
------------
I use a squid proxy server on Debian. If I change the gateway on the proxy to ASA2, all my sites can't access the web?
How can I enable traffic from ASA1 to ASA2 for all sites?
Thanks,
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
SOLUTION
ASKER
I don't want to add static routes to every PC. Is there a way of doing it from the ASAs?
joe90kane,
Yep. The same way you added the default route.
eg. route inside 192.168.100.0 255.255.255.0 10.1.0.254
InteraX
ASKER
OK, got ya.
So I put these routes on ASA1. Will this keep all the other traffic going, e.g. emails / AS400 etc.?
192.168.1.252 = ASA2
route inside 192.168.2.0 255.255.255.0 192.168.1.252
route inside 192.168.3.0 255.255.255.0 192.168.1.252
route inside 192.168.4.0 255.255.255.0 192.168.1.252
route inside 192.168.5.0 255.255.255.0 192.168.1.252
route inside 192.168.6.0 255.255.255.0 192.168.1.252
route inside 192.168.7.0 255.255.255.0 192.168.1.252
SOLUTION
ASKER
Sorry InteraX, can you explain this? I'm a little lost.
Why do I put the routes into ASA2?
e.g.
Web Traffic from VPN users ---> ASA1 --> Proxy Server --> ASA2 --> internet
Thanks for the help
ASKER
OK I understand now :-)
It's like seeing the light when you have this mapped out in your head.
Thanks for the help InteraX
No probs.
ASKER
Got a slight problem: I can ping the PCs on the different sites, but when I change the gateway on the proxy, no internet traffic is getting through?
ASKER CERTIFIED SOLUTION
ASKER
Thanks InteraX,
Added the routes to the Debian box and all is working perfectly. Just for future reference:
ASA1 - VPN gateway (IP = 192.168.1.253)
ASA2 - Internet gateway (IP = 192.168.1.252)
Debian Box:
apt-get update
apt-get install iproute
nano /etc/rc.local
Add the routes before "exit 0":
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
--------------------------
ASA1 - VPN gateway
Do nothing
--------------------------
ASA2 - Internet gateway
Add routes for all subnets:
config t
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
route inside 192.168.3.0 255.255.255.0 192.168.1.253 1
route inside 192.168.4.0 255.255.255.0 192.168.1.253 1
route inside 192.168.5.0 255.255.255.0 192.168.1.253 1
route inside 192.168.6.0 255.255.255.0 192.168.1.253 1
route inside 192.168.7.0 255.255.255.0 192.168.1.253 1
--------------------------
Thanks, Joe
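The summary above is the whole fix: the proxy has to know that the site subnets live behind ASA1, otherwise its replies to site PCs follow the default route to ASA2. The script below is an added example, not part of the original thread. It models the proxy, ASA1 and ASA2 as longest-prefix-match routing tables and traces where a reply packet from the proxy to a site PC goes before and after each set of static routes is added. The proxy address 192.168.1.10 and the PC address 192.168.2.10 are assumptions; the two ASA addresses and the six site subnets are the ones given in the thread.

```python
"""Trace where a reply from the squid proxy goes before and after the static routes.

Added example, not from the original thread. Hosts on the 192.168.1.0/24
inside segment are modelled as longest-prefix-match routing tables.
Assumed: the proxy is 192.168.1.10 and a site PC is 192.168.2.10. The ASA
addresses and the six site subnets are the ones given in the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

ASA1 = "192.168.1.253"    # VPN gateway (from the thread)
ASA2 = "192.168.1.252"    # Internet gateway (from the thread)
PROXY = "192.168.1.10"    # assumed address of the Debian/squid box
SITE_PC = "192.168.2.10"  # assumed PC at the 192.168.2.0/24 site
INSIDE = ipaddress.ip_network("192.168.1.0/24")
SITE_NETS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(2, 8)]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str              # "inside", "vpn" (ASA1 site tunnels) or "outside"
    via: str | None = None  # next-hop IP; None means directly connected


@dataclass
class Node:
    name: str
    routes: list[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Route | None:
        """Longest-prefix match, the rule both the ASA and the Linux kernel apply."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_topology(debian_routes: bool, asa2_routes: bool) -> dict[str, Node]:
    """Nodes keyed by inside IP.

    debian_routes: the six 'route add -net 192.168.x.0 ... gw 192.168.1.253' lines
    asa2_routes:   the six 'route inside 192.168.x.0 255.255.255.0 192.168.1.253 1' lines
    """
    proxy = Node("proxy", [Route(INSIDE, "inside"), Route(DEFAULT, "inside", ASA2)])
    asa1 = Node("ASA1", [Route(INSIDE, "inside"), Route(DEFAULT, "outside", "leased-line")]
                + [Route(n, "vpn") for n in SITE_NETS])
    asa2 = Node("ASA2", [Route(INSIDE, "inside"), Route(DEFAULT, "outside", "adsl")])
    if debian_routes:
        proxy.routes += [Route(n, "inside", ASA1) for n in SITE_NETS]
    if asa2_routes:
        asa2.routes += [Route(n, "inside", ASA1) for n in SITE_NETS]
    return {PROXY: proxy, ASA1: asa1, ASA2: asa2}


def trace(topo: dict[str, Node], start: str, dst: str, max_hops: int = 8) -> tuple[list[str], str]:
    """Follow one packet hop by hop; returns (nodes visited, outcome)."""
    dst_addr = ipaddress.ip_address(dst)
    internal = any(dst_addr in n for n in SITE_NETS + [INSIDE])
    here, path = start, []
    for _ in range(max_hops):
        node = topo[here]
        path.append(node.name)
        route = node.lookup(dst)
        if route is None:
            return path, "no route"
        if route.iface == "vpn":
            return path, "delivered over VPN"
        if route.iface == "outside":
            # A private destination leaving via the default route is simply lost.
            return path, "internet" if not internal else "blackholed: sent to the Internet"
        if route.via is None:
            return path, "delivered on inside"
        if route.via not in topo:
            return path, f"next hop {route.via} not modelled"
        here = route.via
    return path, "routing loop"


if __name__ == "__main__":
    for debian, asa2 in ((False, False), (False, True), (True, False)):
        topo = build_topology(debian, asa2)
        path, outcome = trace(topo, PROXY, SITE_PC)
        print(f"debian_routes={debian!s:5} asa2_routes={asa2!s:5} "
              f"proxy -> {SITE_PC}: {' -> '.join(path)} : {outcome}")
```

The middle case (routes on ASA2 only) is a hairpin: ASA2 receives the reply on inside and sends it back out inside towards ASA1, which the posted config allows with `same-security-traffic permit intra-interface`. The model is routing-only; an ASA is also stateful, so a TCP segment that arrives at ASA2 without a matching connection entry is dropped even when a route exists, which is why the routes belong on the Debian box where the proxied connections actually terminate.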
ASKER
--------------------------
!
ASA Version 8.0(2)
!
hostname FIREWALL
domain-name TEST.COM
enable password AAAAAAAAAAAAAAAAA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address aaa.aaa.aaa.aaa 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd AAAAAAAAAAAAAAA encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name TEST.COM
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57f86d842dc
: end
--------------------------
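With the ASA2 config posted above in hand, two checks are worth running on any box like this: that every static route's next hop actually sits on the subnet of the interface the route names (the thread's routes point at 192.168.1.253 via inside, which is 192.168.1.0/24, so they pass), and what management access the config exposes. The script below is an added example, not part of the original post or of any Cisco tooling. ASA2_CONFIG is a constructed excerpt of the posted config with the six accepted `route inside` lines added and the masked outside address `aaa.aaa.aaa.aaa` replaced by assumed 203.0.113.x test addresses so the parser has real numbers to work with.

```python
"""Static-route and management-access sanity checks over an ASA config excerpt.

Added example, not from the original thread. ASA2_CONFIG is a constructed
excerpt of the ASA2 config posted above with the six 'route inside' lines
from the accepted fix added; the masked outside address 'aaa.aaa.aaa.aaa' is
replaced by assumed RFC 5737 test addresses so the parser has real numbers.
"""
from __future__ import annotations

import ipaddress
import re

ASA2_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
route inside 192.168.3.0 255.255.255.0 192.168.1.253 1
route inside 192.168.4.0 255.255.255.0 192.168.1.253 1
route inside 192.168.5.0 255.255.255.0 192.168.1.253 1
route inside 192.168.6.0 255.255.255.0 192.168.1.253 1
route inside 192.168.7.0 255.255.255.0 192.168.1.253 1
http server enable
http 192.168.1.0 255.255.255.0 management
telnet 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(cfg: str) -> dict[str, ipaddress.IPv4Interface | None]:
    """Map each nameif to its IPv4 address/mask, or None for 'no ip address'."""
    ifaces: dict[str, ipaddress.IPv4Interface | None] = {}
    name = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None                     # new block; its nameif follows
        elif line.startswith(" nameif "):
            name = line.split()[1]
            ifaces[name] = None
        elif line.startswith(" ip address ") and name:
            _, _, ip, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


def parse_routes(cfg: str) -> list[tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address, int]]:
    """Return (interface, destination, next hop, metric) for every static route."""
    routes = []
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, nh, metric = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(nh), int(metric or 1)))
    return routes


def check_routes(cfg: str) -> list[str]:
    """A static route's next hop must be on the subnet of the interface it names."""
    ifaces = parse_interfaces(cfg)
    problems = []
    for iface, net, nh, _metric in parse_routes(cfg):
        addr = ifaces.get(iface)
        if addr is None:
            problems.append(f"route {net} names '{iface}', which has no IP address")
        elif nh not in addr.network:
            problems.append(f"route {net}: next hop {nh} is not on {iface} ({addr.network})")
    return problems


def check_management_access(cfg: str) -> list[str]:
    """Flag cleartext telnet and http/ASDM bound to an interface without an address."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("telnet", "http"):
            proto, src, mask, iface = parts
            if proto == "telnet":
                findings.append(f"telnet (cleartext) allowed from {src} {mask} on {iface}; use ssh")
            if ifaces.get(iface) is None:
                findings.append(f"{proto} access bound to '{iface}', which has no IP address")
    return findings


if __name__ == "__main__":
    print("route problems:", check_routes(ASA2_CONFIG) or "none")
    for finding in check_management_access(ASA2_CONFIG):
        print("finding:", finding)
```

Against the posted config the route check is clean and the access check reports two findings: `telnet 192.168.1.0 255.255.255.0 inside` permits cleartext management from the whole inside segment (ssh is the replacement), and `http 192.168.1.0 255.255.255.0 management` binds ASDM to the management interface, which has `no ip address`, so ASDM is unreachable as configured.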