memo12345678
ip route doesn't work in ASA !!
Dear, I have this network diagram.
From PC (10.10.10.2) I can ping 10.10.10.1 (DMZ firewall), and PC 192.168.1.2 can ping 10.10.10.1.
But PC 10.10.10.2 cannot ping IP 192.168.1.1 or 192.168.1.2.
I think I need to add access or NAT to permit it. Please send me this config.
Note:
From the firewall I can ping both IPs, 10.10.10.2 and 192.168.1.2.
test.jpg
As a matter of fact you can let the firewall route that. But that's not the best way to do it (it's still a firewall, not a router).
As fwed29 said, best thing is to add a route on the host: route add -p 192.168.1.0 mask 255.255.255.0 10.10.10.3
Or, if you're using DHCP, add a route through there.
I don't really agree, because the ASA can't route this traffic at all, since both networks are behind the same interface of the ASA.
You can ping thanks to the ICMP redirect, but you can't establish a connection due to asymmetric routing.
The best solution, for me, is to use the router as the gateway and add an ANY route to the ASA:
If it's a Cisco router: ip route 0.0.0.0 0.0.0.0 10.10.10.1
The network 192.168.1.0 will be directly connected and known by the router.
As erniebeek said, just change the gateway on the DHCP server :)
The solution of adding a route on the host will work but is not the best ... and you must do the same thing on all your hosts.
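The asymmetric path that the answer above refers to, traced hop by hop in an added example that is not part of the original thread or any poster's code. It compares the asker's setup with the two fixes proposed (a host route, or the router as gateway). Assumptions: the router owns 10.10.10.3 and 192.168.1.1, the ASA already has a static route to 192.168.1.0/24 via 10.10.10.3, and the node names are made up.

```python
import ipaddress

# Constructed topology, inferred from the thread (the diagram itself is not on the page).
# Assumed: the router owns 10.10.10.3 and 192.168.1.1; node names are hypothetical.
IFACES = {"pc-a": ["10.10.10.2/24"], "asa": ["10.10.10.1/24"],
          "router": ["10.10.10.3/24", "192.168.1.1/24"], "pc-b": ["192.168.1.2/24"]}

def owner(ip):
    """Node that owns an IP address, or None."""
    for node, addrs in IFACES.items():
        if any(str(ipaddress.ip_interface(a).ip) == ip for a in addrs):
            return node
    return None

def next_hop(node, dst, routes):
    """Connected networks first, then longest-prefix match on static routes."""
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in ipaddress.ip_interface(a).network for a in IFACES[node]):
        return dst
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes.get(node, [])
            if dst_ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def path(src, dst, routes):
    """List of nodes a packet from src to dst traverses."""
    hops = [owner(src)]
    while hops[-1] != owner(dst) and len(hops) < 8:
        hop = next_hop(hops[-1], dst, routes)
        if hop is None or owner(hop) is None:
            return hops + ["unreachable"]
        hops.append(owner(hop))
    return hops

def stateful_ok(routes, a="10.10.10.2", b="192.168.1.2"):
    """True when the ASA sees both directions of the flow, or neither."""
    fwd, rev = path(a, b, routes), path(b, a, routes)
    return ("asa" in fwd) == ("asa" in rev), fwd, rev

BASE = {"asa": [("192.168.1.0/24", "10.10.10.3")],   # assumed static route on the ASA
        "router": [("0.0.0.0/0", "10.10.10.1")],
        "pc-b": [("0.0.0.0/0", "192.168.1.1")]}
AS_ASKED = {**BASE, "pc-a": [("0.0.0.0/0", "10.10.10.1")]}
HOST_ROUTE = {**BASE, "pc-a": [("0.0.0.0/0", "10.10.10.1"), ("192.168.1.0/24", "10.10.10.3")]}
ROUTER_AS_GW = {**BASE, "pc-a": [("0.0.0.0/0", "10.10.10.3")]}

if __name__ == "__main__":
    for name, r in [("as asked", AS_ASKED), ("host route", HOST_ROUTE), ("router as gw", ROUTER_AS_GW)]:
        print(name, stateful_ok(r))
```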
So it is possible but not optimal :)
ASKER
Thanks for both.
You must add a route on the host 10.10.10.2 with the gateway 10.10.10.3 for the destination 192.168.1.2 or set the default gateway 10.10.10.3 on the host 10.0.10.2.