Re-route data to another device on the LAN
  • Re-route data to another device on the LAN

    I have two devices on my LAN:
    1. Cisco ASA5510 firewall
    2. Cisco 871 VPN router

    The 5510 is for internet access and the 871 is for the VPNs between the satellite offices and the local head office. Both have their own SHDSL channel.

    My problem is that the 5510 (192.64.10.212) is the default gateway on my LAN. The 871 (192.64.10.213) is the gateway to the satellite offices (say 192.168.2.xxx).

    When I try to ping 192.168.2.180 in my satellite office, I think the data is going to the 5510 and stopping there.

    How do I configure the 5510 (192.64.10.212) to route all data for the satellite office (192.168.2.xxx) back through the 871 (192.64.10.213)?

    Both 5510 & 871 are on the same network.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Re-route data to another device on the LAN

    You could put a static route on the 5510

    addr 192.168.2.0 mask 255.255.255.0 gateway 192.64.10.213

    The above is an example. Your network address and mask might be different for all I know.

    EDIT - I just noticed that your two routers have public IPs. What I posted above may not work for you. Could you give a little more information on your topology?
    Last edited by JeremyW; 21st October 2006, 15:39.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: Re-route data to another device on the LAN

      Hi there,
      You need the carrier (telco) in between to route for you. As I understand it, you have two public IPs for two LANs.
      In my company we have MPLS, leased line or Frame Relay to route. There may be Dynamic DNS or something else; I have never tried it yet.


      • #4
        Re: Re-route data to another device on the LAN

        The 5510 has a public IP and is managed by me. The 871 sets up a VPN between the satellite offices and our head office. This device is managed by the ISP.

        I need to set up the static route on the 5510 so that all traffic for 192.168.0.0 255.255.0.0 is routed back through the 5510's LAN interface and into the 871's LAN interface.

        The VPN of the 871 will then take the data to the relevant satellite office. The VPN works OK, it's just that data for the satellite offices from the head office LAN is being sent to the 5510 instead of the 871.

        Thus the need for the 5510 to re-route the data to the 871's LAN interface.

        Note that I'm using the ASDM GUI to program the 5510.
        |
        +-- JDMils
        |
        +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
        |


        • #5
          Re: Re-route data to another device on the LAN

          Hi JD,
          I might be missing something very straightforward here from the descriptions you've given- apologies for that.

          Is your topology like this diagram I've knocked together?

          If so,

          -can you attach your ASA config? (sanitised please!)
          -is your 'core' lan network a private network?
          -are your remote offices also private networks?
          -"When I try to ping 192.168.2.180 in my satellite office, I think the data is going to the 5510 and stopping there." How have you determined this?
          -can you reach any device in the satellite office on any other protocols, or is it just not being seen at all within your network?

          Thanks-

          theterranaut
          Attached Files
          Last edited by theterranaut; 23rd October 2006, 12:36. Reason: Changed jpg


          • #6
            Re: Re-route data to another device on the LAN

            Your diagram is spot on. Wrt the configs, I'll have to figure out how to download that (I use a Cisco certified engineer to do the hard yakka stuff). Can I download the settings using the ASDM GUI?

            Our head office LAN is a private network (192.64.10.xxx). Our satellite offices are private networks (192.168.0.xxx, 192.168.1.xxx & 192.168.2.xxx). These are managed by me.

            We had to "band-aid" fix the situation. Both the 5510 (192.64.10.212) & 871 (192.64.10.213) are on the same LAN at head office. We had to put the following route on all the servers to get the setup to work:

            ROUTE ADD 192.168.0.0 MASK 255.255.0.0 192.64.10.213

            This works brilliantly. My problem is that I want the 5510 to do the routing, not the servers. We tried putting the 871 on the DMZ port of the 5510 and set up the 5510 to route traffic to the DMZ port for the satellite offices.

            The Cisco engineer spent around 5 hours trying to get it to work. He says the PIXs would do it OK, but the ASA has some sort of security relationship between its ports that would not allow it to pass traffic to the DMZ port in both directions.

            Stumped!

            He's going to research the situation and get back to me. Here's what we've got-

            |
            +-- JDMils
            |
            +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
            |


            • #7
              Re: Re-route data to another device on the LAN

              Thanks JD. Interesting. If adding routes to the servers cures the problem then it must be a routing issue (obviously!).
              There is/was a limitation by design on the PIX that I think still pertains to the ASA: you cannot send traffic back 'out' of an interface it's just arrived from. I think this applies to all interfaces, regardless of security levels, but I believe there's a way of overriding this in 7.x.x, which is what your ASA will be running. I'd have to check and see if this is what's killing things: is the ASA dropping packets coming in from the inside that are re-emerging on the inside?

              (A simple alternative, of course, if the above is the problem, would be to set the 871 as default gateway and add the routes to other destinations in there- a router will definitely not perform any kind of 'drop' as a PIX/ASA might.)

              If not, as all the devices on your LAN have the ASA as their gateway, it should just be a case of adding in the correct routes on the ASA to get this to work.

              If this has not been done yet (not totally clear from your answers, sorry) can you find a method of entering CLI commands into the ASA, or just do the following: I recommend just connecting a console cable to the device and to a PC in the standard way and running HyperTerminal with the correct settings (if you're stuck on this let us know and we'll give you a blow-by-blow). Apologies if you know all of this stuff already.

              From the console:
              -enter the login password (if set), then return
              -and then type show route

              The ASA should then spit out the routes it knows about- can you cut, paste and post them here please?

              Thanks

              theterranaut
              Last edited by theterranaut; 24th October 2006, 09:48.


              • #8
                Re: Re-route data to another device on the LAN

                Hi JD,

                I've just checked this out.

                PIX OS 6.x would not allow traffic to enter, then leave, the same interface.
                PIX/ASA 7.x can, by issuing the 'same-security-traffic permit intra-interface' command.
                I've tried this on a chopped-down version of your environment. Unfortunately, it did not work, even after adding the appropriate routes on the ASA. This could be a misconfiguration by me; I've posted a message on the Cisco Netpro forum asking for a sense-check on this.

                Anyway:
                This definitely feels like routing. If you think of it, even if the ASA is redirecting traffic to a different gateway on the LAN (your 827), the local device is still using the ASA as gateway and is expecting the traffic to return from it. Unless the ASA somehow 'proxies' this traffic back, I can't get it to return.

                As you've noted, adding explicit routes to the LAN device works fine; the host can now see the remote device without problem.

                I'm still thinking about this one, but my gut feeling is that the 827 could be a better bet as gateway.

                Anyone else have any ideas?

                theterranaut


                • #9
                  Re: Re-route data to another device on the LAN

                  Hello to All,

                  I respect the work that the other posters have done on this. I agree- if adding a static route fixed the issue then it must be a routing issue. Here is a general question I have-

                  Why not configure routing protocols between the ASA and the 871? That way, each would know what networks the other device has and would route traffic between them automatically? You could use OSPF or RIP as I believe both support this.

                  Thanks,
                  David
                  David Davis - Petri Forums Moderator & Video Training Author
                  Train Signal - The Global Leader in IT Video Training
                  TrainSignalTraining.com - Free IT Training Products
                  Personal Websites: HappyRouter.com & VMwareVideos.com


                  • #10
                    Re: Re-route data to another device on the LAN

                    Thanks theterranaut & David.

                    One option we tried was to put the 871 on the DMZ port and have the ASA route ALL the traffic using defined rules.

                    My Cisco engineer couldn't get this to work, though, as (from memory) he said it was a security-level related problem between the interfaces. Other than that, it should have worked!

                    I will forward your comments to him and see what he says.
                    |
                    +-- JDMils
                    |
                    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                    |


                    • #11
                      Re: Re-route data to another device on the LAN

                      Hi JD, David;

                      I think (IMHO) putting the 827 in the DMZ would involve unnecessary hassle (I'm thinking about the potential rulebase here) and, if you don't mind me saying so, is a bit odd: the 827 is already on your local LAN and, if it was going to be compromised, is in a prime place to be 'got at'. As long as the 827 is only 'listening' for VPN traffic on its WAN side and dropping everything else then it should be safe enough.

                      I would seriously consider the following:
                      Option 1:
                      Consider setting up the 827 as default gateway for all devices. It is a router, after all, and will happily route packets all the live-long day. The 5510, while it's a capable device, is a firewall, and every additional load on its CPU diverts it from what it's designed to do. This could be as easy as setting up static routes to the remote 'VPN-connected' LANs via the 827's next hop, and a default route to the ASA. This should cover your routing needs nicely.

                      Option 2:
                      Isn't there the possibility of ditching the 827 completely as a VPN gateway? The ASA can cope with this kind of thing with ease. Admittedly you've got what I think from your diagram is point-to-point wireless connecting some of your remote sites (I'm a bit fuzzy on your WAN on that side; does it then come in to you on SDSL??), but a single device with a single public IP terminating on it, such as the ASA, will run any number of tunnels as long as the crypto map is set up correctly.

                      Sorry I've not been able to be a bit more positive. The feedback I got for the "same-security-traffic permit intra-interface" command told me that the ASA should reroute traffic back into the LAN when needed. I think this part works okay, but gets borked somewhere else a bit further along. End result is the same: device doesn't see packet.

                      David, good shout re: routing protocols. I wonder, though, whether with an environment as static as JD's you would significantly benefit from the overhead of configuring them? I guess if JD needed some redundancy a bit later on then this could definitely help.

                      cheers all-

                      theterranaut


                      • #12
                        Re: Re-route data to another device on the LAN

                        Hi there, I'm not sure whether you have figured out the problem. I had a similar situation. Here are the steps I did to forward my WAN traffic to another router:

                        route inside 192.168.2.0 255.255.255.0 192.168.10.213 1
                        global (inside) XXX interface


                        XXX = The global pool number you use for setting up the inside NAT

                        My understanding is that adding the port address translation on your inside interface will allow your 192.168.10.0 traffic to go in and out of the inside interface. This will only work if your forwarding router is in the same subnet as your inside interface. In your case, it is the same.

                        I have been able to use my ASA as the default gateway and route my WAN traffic to another router by putting this PAT command.

                        Cheers...
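To make the routing behaviour argued over in this thread concrete, here is an added Python model of the three configurations the posters tried. It is illustration code written for this page, not anything posted by the participants or shipped by Cisco. It performs a longest-prefix-match lookup at each hop, follows next hops across the head-office LAN, and flags the hop where a packet would leave through the same interface it arrived on (the "hairpin" that the ASA only allows with `same-security-traffic permit intra-interface`, as noted in post #8). The addresses 192.64.10.212 (ASA), 192.64.10.213 (871) and the 192.168.x.x remote networks come from the thread; the server address 192.64.10.50, the /24 mask on the head-office LAN, the ISP next hop 203.0.113.1, the metric values and the interface names are constructed assumptions.

```python
"""Hop-by-hop longest-prefix-match walk-through of the thread's configurations.
Added illustration; addresses from the thread plus constructed ones (see comments)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected (or a tunnel endpoint)
    iface: str
    metric: int = 1


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix wins; lower metric breaks ties (the trailing '1' in 'route inside ... 1')."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


@dataclass
class Device:
    name: str
    lan_ip: str      # address on the shared head-office LAN
    lan_iface: str   # the interface facing that LAN (ingress for LAN-originated packets)
    table: RoutingTable


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def build(asa_static_route: bool, server_static_route: bool) -> Dict[str, Device]:
    """Head-office LAN with a server, the ASA 5510 and the 871, per the thread.
    Constructed assumptions: /24 LAN mask, server .50, ISP next hop 203.0.113.1, interface names."""
    lan = net("192.64.10.0/24")
    server_routes = [Route(lan, None, "eth0"), Route(net("0.0.0.0/0"), "192.64.10.212", "eth0")]
    if server_static_route:   # post #6's band-aid: ROUTE ADD 192.168.0.0 MASK 255.255.0.0 192.64.10.213
        server_routes.append(Route(net("192.168.0.0/16"), "192.64.10.213", "eth0"))
    asa_routes = [Route(lan, None, "inside"), Route(net("0.0.0.0/0"), "203.0.113.1", "outside")]
    if asa_static_route:      # posts #2 / #12: static route on the ASA pointing back into the LAN
        asa_routes.append(Route(net("192.168.2.0/24"), "192.64.10.213", "inside"))
    r871_routes = [Route(lan, None, "Vlan1"), Route(net("192.168.0.0/16"), None, "Tunnel0")]
    devices = [
        Device("server", "192.64.10.50", "eth0", RoutingTable(server_routes)),
        Device("asa", "192.64.10.212", "inside", RoutingTable(asa_routes)),
        Device("r871", "192.64.10.213", "Vlan1", RoutingTable(r871_routes)),
    ]
    return {d.name: d for d in devices}


def trace(devices: Dict[str, Device], start: str, dst: str, max_hops: int = 8) -> dict:
    """Follow the packet from `start` toward `dst`. Returns the device path, the devices
    where it would hairpin (same ingress and egress interface), and where it exits the model."""
    by_ip = {d.lan_ip: d for d in devices.values()}
    cur, ingress = devices[start], None
    path, hairpins = [], []
    for _ in range(max_hops):
        path.append(cur.name)
        route = cur.table.lookup(dst)
        if route is None:
            return {"path": path, "hairpins": hairpins, "exit": (cur.name, None)}  # dropped
        if ingress == route.iface:
            hairpins.append(cur.name)
        if route.next_hop is None or route.next_hop not in by_ip:
            return {"path": path, "hairpins": hairpins, "exit": (cur.name, route.iface)}
        nxt = by_ip[route.next_hop]
        cur, ingress = nxt, nxt.lan_iface
    return {"path": path, "hairpins": hairpins, "exit": (cur.name, "loop")}


if __name__ == "__main__":
    for label, asa_r, srv_r in [("no static routes", False, False),
                                ("static route on ASA", True, False),
                                ("static route on servers", False, True)]:
        print(f"{label}: {trace(build(asa_r, srv_r), 'server', '192.168.2.180')}")
```

With no static routes the packet for 192.168.2.180 leaves the ASA's outside interface toward the ISP, which matches the thread's description of traffic "going to the 5510 and stopping there". With the static route on the ASA the path reaches the 871, but the model flags the ASA as a hairpin hop, which is exactly the case that PIX OS 6.x refused and that 7.x gates behind the intra-interface command; the 871's replies then go straight to the server rather than back through the ASA, the asymmetry post #8 points out. With the route on the servers the packet goes directly to the 871 and no hairpin occurs, which is why the band-aid works.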
