joe90kane

Cisco ASA 5510 Routing between 2 ASA's

Hello,

I have 2 ASAs

ASA1 + 4mb leased line (7 VPNs all connect back to head office)

subnets of sites are 192.168.1.*** / 2.*** / 3.*** / 4.*** / 5.***/ 6.*** / 7.***

------------

ASA2 + 4mb ADSL2+ (Simply config above)

------------

I use a squid proxy server on Debian. If I change the gateway on the proxy to the ASA2, all my sites can't access the web?

How can I enable traffic from ASA1 to ASA2 for all sites?

Thanks,
SOLUTION
InteraX
joe90kane

ASKER

Config of ASA2

------------

--------------------------------------------------------------------------------------
!
ASA Version 8.0(2)
!
hostname FIREWALL
domain-name TEST.COM
enable password AAAAAAAAAAAAAAAAA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address aaa.aaa.aaa.aaa 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd AAAAAAAAAAAAAAA encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name TEST.COM
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57f86d842dcccb502adfbf5961315320
: end
--------------------------------------------------------------------------------------
SOLUTION
SOLUTION
I don't want to add static routes to every PC - is there a way of doing it from the ASAs?
joe90kane,

Yep. The same way you added the default route.

e.g. route inside 192.168.100.0 255.255.255.0 10.1.0.254

InteraX
OK Got ya,

So I put these routes on ASA1. Will this keep all the other traffic going, e.g. emails / AS400 etc.?

192.168.1.252 = ASA2

route inside 192.168.2.0 255.255.255.0 192.168.1.252
route inside 192.168.3.0 255.255.255.0 192.168.1.252
route inside 192.168.4.0 255.255.255.0 192.168.1.252
route inside 192.168.5.0 255.255.255.0 192.168.1.252
route inside 192.168.6.0 255.255.255.0 192.168.1.252
route inside 192.168.7.0 255.255.255.0 192.168.1.252
SOLUTION
Sorry InteraX, can you explain this? I'm a little lost.

Why do I put the routes into ASA2?

e.g.

Web Traffic from VPN users ---> ASA1 --> Proxy Server --> ASA2 --> internet

Thanks for the help

OK I understand now :-)

It's like seeing the light when you have this mapped out in your head.

Thanks for the help InteraX
No probs.
Got a slight problem: I can ping the PCs on the different sites, but when I change the gateway on the proxy, no internet traffic is getting through?
ASKER CERTIFIED SOLUTION
Thanks InteraX,

Added the routes to the Debian box and all is working perfectly. Just for future reference:

ASA1 - VPN gateway (IP = 192.168.1.253)
ASA2 - Internet gateway (IP = 192.168.1.252)

Debian Box:

apt-get update
apt-get install iproute
nano /etc/rc.local

Add the routes before "exit 0"

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0
route add -net 192.168.7.0 netmask 255.255.255.0 gw 192.168.1.253 dev eth0

------------------------------------------------------------------------------------------------------------

ASA1 - VPN gateway

Do Nothing

------------------------------------------------------------------------------------------------------------

ASA2 - Internet gateway

Add routes for all subnets:

config t

route inside 192.168.2.0 255.255.255.0 192.168.1.253 1
route inside 192.168.3.0 255.255.255.0 192.168.1.253 1
route inside 192.168.4.0 255.255.255.0 192.168.1.253 1
route inside 192.168.5.0 255.255.255.0 192.168.1.253 1
route inside 192.168.6.0 255.255.255.0 192.168.1.253 1
route inside 192.168.7.0 255.255.255.0 192.168.1.253 1

------------------------------------------------------------------------------------------------------------

Thanks, Joe
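An idempotent version of the Debian-box step above, as an added example that is not part of the original thread. It uses the addresses the thread gives (ASA1 192.168.1.253 for the VPN subnets, ASA2 192.168.1.252 as default) and assumes the iproute2 `ip` command from the package the asker installed rather than the net-tools `route` command; `next_hop` lets you check which gateway a destination will use before touching the box.

```shell
#!/bin/sh
# Added example, not from the thread: replacement for the rc.local "route add" lines.
# Values below are the ones quoted in the thread (assumed, adjust to your site).
ASA1_VPN_GW="192.168.1.253"    # ASA1 - VPN gateway to the remote sites
ASA2_INET_GW="192.168.1.252"   # ASA2 - Internet gateway (proxy default route)
LOCAL_NET="192.168.1.0/24"     # the head-office LAN the proxy sits on
IFACE="eth0"
VPN_SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24"

# next_hop DEST_IP: report which gateway the installed table sends DEST_IP to.
# Only /24 prefixes are compared because that is all the thread's table contains.
next_hop() {
    dest_prefix=$(printf '%s' "$1" | cut -d. -f1-3)
    if [ "$dest_prefix" = "$(printf '%s' "$LOCAL_NET" | cut -d. -f1-3)" ]; then
        echo "connected"        # same LAN, delivered directly, no gateway
        return 0
    fi
    for net in $VPN_SUBNETS; do
        if [ "$dest_prefix" = "$(printf '%s' "$net" | cut -d. -f1-3)" ]; then
            echo "$ASA1_VPN_GW"  # remote site: go via the VPN ASA
            return 0
        fi
    done
    echo "$ASA2_INET_GW"         # anything else: out to the Internet via ASA2
}

# route_commands: emit the iproute2 commands. "replace" is idempotent, so running
# this again at boot or by hand never fails with "File exists" the way repeated
# "route add" lines in rc.local do.
route_commands() {
    for net in $VPN_SUBNETS; do
        echo "ip route replace $net via $ASA1_VPN_GW dev $IFACE"
    done
    echo "ip route replace default via $ASA2_INET_GW dev $IFACE"
}

# apply_routes [--apply]: print the commands (dry run) or execute them as root.
apply_routes() {
    route_commands | while read -r cmd; do
        if [ "$1" = "--apply" ]; then
            $cmd
        else
            echo "dry-run: $cmd"
        fi
    done
}
```

Run `sh thisscript.sh` style checks with `next_hop 192.168.3.10` first; only `apply_routes --apply` (as root) changes the live table.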