Cisco ASA 5510 Routing between 2 ASA's

Hello,

I have 2 ASA's

ASA1 + 4mb leased line (7 VPN's all connect back to head office)

subnets of sites are 192.168.1.*** / 2.*** / 3.*** / 4.*** / 5.***/ 6.*** / 7.***

------------

ASA2 + 4mb ADSL2+ (Simple config above)

------------

I use a squid proxy server on debian - If I change the gateway on the proxy to ASA2, all my sites can't access the web?

How can I enable traffic from ASA1 to ASA2 for all sites???

Thanks,
joe90kaneAsked:

InteraXCommented:
joe90kane,

You need to set up routing on the gateway to route traffic to the sites via ASA1 and a default route via ASA2. Sounds like a new question though. ;-)

InteraX
0
joe90kaneAuthor Commented:
Config of ASA2

------------

--------------------------------------------------------------------------------------
!
ASA Version 8.0(2)
!
hostname FIREWALL
domain-name TEST.COM
enable password AAAAAAAAAAAAAAAAA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address aaa.aaa.aaa.aaa 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd AAAAAAAAAAAAAAA encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name TEST.COM
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57f86d842dcccb502adfbf5961315320
: end
--------------------------------------------------------------------------------------
0
InteraXCommented:
joe90kane,

Windows routing example:

route add -p 192.168.100.0 mask 255.255.255.0 10.1.0.254

permanently add subnet 192.168.100.0/24 via 10.1.0.254

InteraX
0
InteraXCommented:
You could also add the routes to the sites on ASA2, then this would use ICMP re-directs back to the proxy to re-direct the traffic via ASA1.
0
joe90kaneAuthor Commented:
I don't want to add static routes to every PC - is there a way of doing it from the ASA's?
0
InteraXCommented:
joe90kane,

Yep. The same way you added the default route.

eg. route inside 192.168.100.0 255.255.255.0 10.1.0.254

InteraX
0
joe90kaneAuthor Commented:
OK Got ya,

So I put this route on the ASA1 - Will this keep all the other traffic going e.g. Emails / AS400 etc...

192.168.1.252 = ASA2

route inside 192.168.2.0 255.255.255.0 192.168.1.252
route inside 192.168.3.0 255.255.255.0 192.168.1.252
route inside 192.168.4.0 255.255.255.0 192.168.1.252
route inside 192.168.5.0 255.255.255.0 192.168.1.252
route inside 192.168.6.0 255.255.255.0 192.168.1.252
route inside 192.168.7.0 255.255.255.0 192.168.1.252
0
InteraXCommented:
Assuming you've changed the ASA numbering since your first post, then yes.
0
joe90kaneAuthor Commented:
Sorry InteraX, can you explain this? I'm a little lost.

Why do I put the routes into ASA2?

e.g.

Web Traffic from VPN users ---> ASA1 --> Proxy Server --> ASA2 --> internet

Thanks for the help

0
joe90kaneAuthor Commented:
OK I understand now :-)

It's like seeing the light when you have this mapped out in your head.

Thanks for the help InteraX
0
InteraXCommented:
No probs.
0
joe90kaneAuthor Commented:
Got a slight problem, I can ping the PC's on the different sites but when I change the gateway on the proxy, no internet traffic is getting through???
0
InteraXCommented:
ASA1 - VPN gateway
ASA2 - Internet gateway

The proxy machine should have its gateway set as ASA2. You should have the manual routes added to ASA2. Check what the proxy machine thinks is the right gateway to the site client IP's by issuing a "route print" on the proxy. This will list the entire routing table for the server.
0

joe90kaneAuthor Commented:
Thanks InteraX,

Added the routes to the Debian box and all is working perfectly. Just for future reference:

ASA1 - VPN gateway (IP = 192.168.1.253)
ASA2 - Internet gateway (IP = 192.168.1.252)

Debian Box:

apt-get update
apt-get install iproute
nano /etc/rc.local

Add the routes before "exit 0"

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0

------------------------------------------------------------------------------------------------------------

ASA1 - VPN gateway

Do Nothing

------------------------------------------------------------------------------------------------------------

ASA2 - Internet gateway

Add routes for all subnets:

config t

route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
route inside 192.168.3.0 255.255.255.0 192.168.1.253 1
route inside 192.168.4.0 255.255.255.0 192.168.1.253 1
route inside 192.168.5.0 255.255.255.0 192.168.1.253 1
route inside 192.168.6.0 255.255.255.0 192.168.1.253 1
route inside 192.168.7.0 255.255.255.0 192.168.1.253 1

------------------------------------------------------------------------------------------------------------

Thanks, Joe


0
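As an added illustration (not part of the thread or Joe's setup), here is a small Python model of the routing tables this fix touches. It does a longest-prefix-match lookup over the proxy's table, ASA1's table and ASA2's table, and traces where a packet leaving the proxy ends up before and after the routes are added. The 192.168.x addresses are the ones quoted in the thread; the ISP next hop is a placeholder (the posted config masks it), ASA1 is assumed to reach the site subnets over its VPN tunnels on its outside interface, and 203.0.113.10 is a constructed public destination.

```python
import ipaddress

# Addresses quoted in the thread
ASA1 = "192.168.1.253"   # VPN gateway: reaches the site subnets over the VPNs
ASA2 = "192.168.1.252"   # internet gateway (ADSL)
SITE_NETS = [f"192.168.{n}.0/24" for n in range(2, 8)]

# A routing table is a list of (prefix, next_hop, interface).
# next_hop None means the prefix is directly connected.
def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

# Proxy (Debian box) before and after the 'route add -net ... gw 192.168.1.253' lines
PROXY_BEFORE = [
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", ASA2, "eth0"),           # default gateway is ASA2
]
PROXY_AFTER = PROXY_BEFORE + [(n, ASA1, "eth0") for n in SITE_NETS]

# ASA2 before and after the 'route inside ... 192.168.1.253 1' lines
ASA2_BEFORE = [
    ("192.168.1.0/24", None, "inside"),
    ("0.0.0.0/0", "ISP_NEXT_HOP", "outside"),   # placeholder for the masked ISP address
]
ASA2_AFTER = ASA2_BEFORE + [(n, ASA1, "inside") for n in SITE_NETS]

# ASA1 (assumed): site subnets go into the VPN tunnels on its outside interface
ASA1_TABLE = [("192.168.1.0/24", None, "inside")] + \
             [(n, "vpn-tunnel", "outside") for n in SITE_NETS]


def trace(dst, proxy_table, asa2_table):
    """Follow a packet from the proxy hop by hop; returns the list of hops."""
    tables = {"proxy": proxy_table, "ASA1": ASA1_TABLE, "ASA2": asa2_table}
    names = {ASA1: "ASA1", ASA2: "ASA2"}
    path, node = ["proxy"], "proxy"
    for _ in range(8):                      # guard against routing loops
        route = lookup(tables[node], dst)
        if route is None:
            path.append(f"{node} drops: no route")
            return path
        _, nh, iface = route
        if nh is None:
            path.append(f"{node} delivers on {iface}")
            return path
        if nh in names:                     # hand the packet to the other box
            node = names[nh]
            path.append(node)
            continue
        path.append(f"{node} forwards via {iface} to {nh}")
        return path
    path.append("loop")
    return path


if __name__ == "__main__":
    site_client = "192.168.3.10"            # a client at one of the VPN sites
    public = "203.0.113.10"                 # constructed public destination
    print("before fix :", " -> ".join(trace(site_client, PROXY_BEFORE, ASA2_BEFORE)))
    print("proxy fixed:", " -> ".join(trace(site_client, PROXY_AFTER, ASA2_BEFORE)))
    print("ASA2 fixed :", " -> ".join(trace(site_client, PROXY_BEFORE, ASA2_AFTER)))
    print("internet   :", " -> ".join(trace(public, PROXY_AFTER, ASA2_AFTER)))
```

The "before fix" trace shows the original symptom: the proxy's reply to a site client follows its default route to ASA2, which only knows a default route out to the ISP, so the private-destination packet leaves the wrong way and the site never sees the web response. With the routes on the proxy the reply goes straight to ASA1; with the routes only on ASA2 the packet hairpins through ASA2 back to ASA1 on the same inside interface, which is the case where the ASA sends ICMP redirects (and needs the posted "same-security-traffic permit intra-interface" to forward at all). Internet-bound traffic still takes the default route through ASA2 either way.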