Cisco ASA static route problem

javelinict
Hi there,

I have a problem with static routing on a Cisco ASA 5505.

The internal network is 192.168.1.0 / 255.255.255.0, and the ASA is on 192.168.1.1.

I would like all traffic for 192.168.112.0 / 255.255.255.0 to route to a VPN server
also in the network on 192.168.1.51. The local address of the VPN client is 192.168.112.1.

The static route I created in the ASDM tool doesn't work. The settings are as follows:

interface: inside
ip address: 192.168.112.0 / 255.255.255.0
gateway : 192.168.1.51
options : none

The other static route I have defined is on outside, ip 0.0.0.0 / 0.0.0.0 to the internet gateway address.


When I use a route command in Windows like:

route add 192.168.112.0 mask 255.255.255.0 192.168.1.51

the routing works well and I can ping the VPN client at 112.1.

Anyone have any ideas?

With regards,

Robbert
Jody Lemoine, Network Architect

Commented:
Cisco PIX/ASA units don't do same-interface routing as they're not proper routers. There are ways to make this work with a PIX/ASA unit, but your VPN server would have to be moved off of the current LAN.
Jody Lemoine, Network Architect

Commented:
I did some further reading and found that the ASA units actually do have some ability to handle this. Try adding the following command to your ASA and let me know if that enables the route to function.

same-security-traffic permit intra-interface

Commented:
Where is this VPN server?

Do you have two subnets on your internal network? Or is this a site-to-site VPN?

Not possible unless you have 7.2(1) or above OS on the ASA. If you happen to have it, or upgrade, then you can do this:

On the ASA, do this:

route inside 192.168.112.0 255.255.255.0 192.168.1.51 1
same-security-traffic permit intra-interface

You're good to go then.


Cheers,
rsivanandan
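As an added illustration (not code posted by anyone in this thread), a small Python check that reads an ASA-style config excerpt, performs the longest-prefix lookup for a destination and reports whether traffic arriving on a given interface would hairpin back out of the same interface, and whether `same-security-traffic permit intra-interface` is present to allow it. The config text is constructed; the outside addresses (203.0.113.x) are placeholders, the inside addresses are the thread's.

```python
import ipaddress
import re

# Constructed ASA config excerpt modelled on the thread: inside 192.168.1.1/24, a
# default route out of "outside", and the route for 192.168.112.0/24 via 192.168.1.51.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.112.0 255.255.255.0 192.168.1.51 1
"""
INTRA_CMD = "same-security-traffic permit intra-interface"

def parse_interfaces(config):
    """Map nameif -> interface subnet, read from the 'interface' blocks."""
    nets, name = {}, None
    for s in (line.strip() for line in config.splitlines()):
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            ip, mask = s.split()[2:4]
            nets[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets

def parse_routes(config):
    """Return [(network, nameif, gateway)] for every static 'route' line."""
    return [(ipaddress.ip_network(f"{dst}/{mask}"), nameif, gw)
            for nameif, dst, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M)]

def forwarding_decision(config, src_nameif, dst_ip):
    """Longest-prefix lookup over the static routes (connected routes ignored); egress ==
    ingress is a hairpin, which the ASA drops unless INTRA_CMD is configured."""
    dst = ipaddress.ip_address(dst_ip)
    nets = parse_interfaces(config)
    candidates = [r for r in parse_routes(config) if dst in r[0]]
    if not candidates:
        return "dropped: no route"
    _, egress, gw = max(candidates, key=lambda r: r[0].prefixlen)
    if egress in nets and ipaddress.ip_address(gw) not in nets[egress]:
        return f"misconfigured: gateway {gw} not on {egress} subnet"
    if egress == src_nameif:
        if re.search(rf"^{INTRA_CMD}\s*$", config, re.M) is None:
            return "dropped: intra-interface traffic not permitted"
        return f"forwarded: hairpin via {gw} on {egress}"
    return f"forwarded: via {gw} on {egress}"
```

Appending the `same-security-traffic permit intra-interface` line to the config turns the inside-to-192.168.112.x decision from dropped to forwarded, which is exactly the change the thread converges on.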
Another and better way to do it, is to create the static routes on your core router, if you have one. For small networks, you may not have a core router to route some traffic to the VPN server (for 192.168.112.0) and the rest to the ASA (for Internet destinations). If you don't, read on...

Another way would be to let your DHCP server do it using Scope Option 249 on a Windows 2003 DHCP server. It can distribute a static route along with the DHCP assignment. See this article:
http://tmgblog.richardhicks.com/2009/01/08/using-dhcp-to-assign-static-routes/

Author

Commented:
Hi there,

I'll be back on the customer site tomorrow and I'm gonna try to upgrade if necessary. Then I'll add the route like rsivanandan suggests. If that fails I'll use scope option 249 from Boilermaker.

I'll keep you informed.

Thanks for the advice so far.

Robbert

Author

Commented:
Ok everybody - thanks for the advice... solutions above worked.
