Re-route data to another device on the LAN


This topic contains 11 replies, has 6 voices, and was last updated by anon10f1 13 years, 2 months ago.

    JDMils
    Member
    #116986

    I have two devices on my LAN:
    1. Cisco ASA5510 firewall
    2. Cisco 871 VPN router

    The 5510 is for internet access and the 871 is for the VPNs between the satellite offices and the local head office. Both have their own SHDSL channel.

    My problem is that the 5510 (192.64.10.212) is the default gateway on my LAN. The 871 (192.64.10.213) is the gateway to the satellite offices (say 192.168.2.xxx).

    When I try to ping 192.168.2.180 in my satellite office, I think the data is going to the 5510 and stopping there.

    How do I configure the 5510 (192.64.10.212) to route all data for the satellite office (192.168.2.xxx) back thru the 871 (192.64.10.213)?

    Both 5510 & 871 are on the same network.

    JeremyW
    Moderator
    #267911

    Re: Re-route data to another device on the LAN

    You could put a static route on the 5510

    addr 192.168.2.0 mask 255.255.255.0 gateway 192.64.10.213

    The above is an example. Your network address and mask might be different for all I know. ;)

    EDIT – I just noticed that your two routers have public IPs. What I posted above may not work for you. Could you give a little more information on your topology?

    aitymo
    Member
    #252279

    Re: Re-route data to another device on the LAN

    Hi there,
    You need a carrier (telco) in between to route for you. As far as I know, you have two public IPs for two LANs.
    In my company we have MPLS, leased line or Frame Relay to route. There may be Dynamic DNS or something else I have never tried yet.

    JDMils
    Member
    #250579

    Re: Re-route data to another device on the LAN

    The 5510 has a public IP and is managed by me. The 871 sets up a VPN between the satellite offices and our head office. This device is managed by the ISP.

    I need to setup the static route on the 5510 so that all traffic for 192.168.0.0 255.255.0.0 is routed back thru the 5510’s LAN interface and into the 871’s LAN interface.

    The VPN of the 871 will then take the data to the relevant satellite office. The VPN works OK, it’s just that data for the satellite offices from the head office LAN is being sent to the 5510 instead of the 871.

    Thus the need for the 5510 to re-route the data to the 871’s LAN interface.

    Note that I’m using the ASDM GUI to program the 5510.

    theterranaut
    Member
    #285799

    Re: Re-route data to another device on the LAN

    Hi JD,
    I might be missing something very straightforward here from the descriptions you’ve given; apologies for that.

    Is your topology like this diagram I’ve knocked together?

    If so,

    -can you attach your ASA config? (sanitised please!)
    -is your ‘core’ lan network a private network?
    -are your remote offices also private networks?
    -“When I try to ping 192.168.2.180 in my satellite office, I think the data is going to the 5510 and stopping there.” How have you determined this?
    -can you reach any device in the satellite office on any other protocols, or is it just not being seen at all within your network?

    Thanks-

    theterranaut

    JDMils
    Member
    #250580

    Re: Re-route data to another device on the LAN

    Your diagram is spot on. Wrt the configs, I’ll have to figure out how to download that (I use a Cisco certified engineer to do the hard yakka stuff). Can I download the settings using the ASDM GUI?

    Our head office LAN is a private network (192.64.10.xxx). Our satellite offices are private networks (192.168.0.xxx, 192.168.1.xxx & 192.168.2.xxx). These are managed by me.

    We had to “bandaid” fix the situation. Both the 5510 (192.64.10.212) & 871 (192.64.10.213) are on the same LAN at head office. We had to put the following route on all the servers to get the setup to work:

    ROUTE ADD 192.168.0.0 MASK 255.255.0.0 192.64.10.213

    This works brilliantly. My problem is that I want the 5510 to do the routing, not the servers. We tried putting the 871 on the DMZ port of the 5510 and setup the 5510 to route traffic to the DMZ port for the satellite offices.

    The Cisco engineer spent around 5 hours trying to get it to work. He says the PIXs would do it OK, but the ASA has some sort of security relationship between its ports that would not allow it to pass traffic to the DMZ port in both directions.

    Stumped!

    He’s going to research the situation and get back to me. Here’s what we’ve got-

    jlg_network_diagram.jpg

    theterranaut
    Member
    #285800

    Re: Re-route data to another device on the LAN

    Thanks JD. Interesting. If adding routes to the servers cures the problem then it must be a routing issue (obviously!).
    There is/was a limitation by design on the PIX that I think still pertains to the ASA: you cannot send traffic back ‘out’ of an interface it has just arrived from. I think this applies to all interfaces, regardless of security levels, but I believe there’s a way of overriding this in 7.x.x, which is what your ASA will be running. I’d have to check and see if this is what’s killing things: is the ASA dropping packets coming in from the inside that are re-emerging on the inside?

    (A simple alternative, of course, if the above is the problem, would be to set the 871 as default gateway and add the routes to other destinations in there- a router will definitely not perform any kind of ‘drop’ as a PIX/ASA might.)

    If not, as all the devices on your LAN have the ASA as their gateway, it should just be a case of adding in the correct routes on the ASA to get this to work.

    If this has not been done yet (not totally clear from your answers, sorry), can you find a method of entering CLI commands into the ASA, or just do the following: I recommend connecting a console cable to the device and to a PC in the standard way and running Hyperterminal with the correct settings (if you’re stuck on this, let us know and we’ll give you a blow-by-blow). Apologies if you know all of this stuff already.

    From the console:
    -enter the login password (if set), then return
    -and then type show route

    The ASA should then spit out the routes it knows about- can you cut, paste and post them here please?

    Thanks

    theterranaut

    theterranaut
    Member
    #285802

    Re: Re-route data to another device on the LAN

    Hi JD,

    I’ve just checked this out.

    PIX os 6.x would not allow traffic to enter, then leave the same interface.
    PIX/ASA 7.x can, by issuing the ‘same-security-traffic permit intra-interface’ command.
    I’ve tried this on a chopped-down version of your environment. Unfortunately, it did not work, even after adding the appropriate routes on the ASA. This could be a misconfiguration by me; I’ve posted a message on the Cisco Netpro forum asking for a sense-check on this.

    Anyway:
    This definitely feels like routing. If you think of it, even if the ASA is redirecting traffic to a different gateway on the LAN (your 827), the local device is still using the ASA as gateway and is expecting the traffic to return from it. Unless the ASA somehow ‘proxies’ this traffic back, I can’t get it to return.

    As you’ve noted, adding explicit routes to the LAN device works fine; the host can now see the remote device without problem.

    I’m still thinking about this one, but my gut feeling is that the 827 could be a better bet as gateway.

    Anyone else have any ideas?

    theterranaut

    daviddavis
    Member
    #263629

    Re: Re-route data to another device on the LAN

    Hello to All,

    I respect the work that the other posters have done on this. I agree- if adding a static route fixed the issue then it must be a routing issue. Here is a general question I have-

    Why not configure routing protocols between the ASA and the 871? That way, each would know what networks the other device has and would route traffic between them automatically? You could use OSPF or RIP as I believe both support this.

    Thanks,
    David

    JDMils
    Member
    #250581

    Re: Re-route data to another device on the LAN

    Thanks theterranaut & David.

    One option we tried was to put the 871 on the DMZ port and have the ASA route ALL the traffic using defined rules.

    My Cisco engineer couldn’t get this to work, though, as (from memory) he said it was a security-level related problem between the interfaces. Other than that, it should have worked!

    I will forward your comments to him and see what he says.

    theterranaut
    Member
    #285803

    Re: Re-route data to another device on the LAN

    Hi JD, David;

    I think (IMHO) putting the 827 in the DMZ would involve unnecessary hassle (I’m thinking about the potential rulebase here) and, if you don’t mind me saying so, is a bit odd: the 827 is already on your local LAN and, if it was going to be compromised, is in a prime place to be ‘got at’. As long as the 827 is only ‘listening’ for VPN traffic on its WAN side and dropping everything else, then it should be safe enough.

    I would seriously consider the following:
    Option 1:
    Consider setting up the 827 as default gateway for all devices. It is a router, after all, and will happily route packets all the live-long day. The 5510, while it’s a capable device, is a firewall, and every additional load on its CPU diverts it from what it’s designed to do. This could be as easy as setting up static routes to the remote ‘VPN-connected’ LANs via the 827’s next hop, and a default route to the ASA. This should cover your routing needs nicely.

    Option 2:
    Isn’t there the possibility of ditching the 827 completely as a vpn gateway? The ASA can cope with this kind of thing with ease. Admittedly you’ve got what I think from your diagram is point-to-point wireless connecting some of your remote sites,
    (I’m a bit fuzzy on your WAN on that side- does it then come in to you on SDSL??) but a single device with a single public IP terminating on it, such as the ASA, will run any number of tunnels as long as the cryptomap is set up correctly.

    Sorry I’ve not been able to be a bit more positive. The feedback I got for the “same-security-traffic permit intra-interface” command told me that the ASA should reroute traffic back into the LAN when needed. I think this part works okay, but gets borked somewhere else a bit further along. End result is the same: device doesn’t see packet. :(

    David, good shout re: routing protocols. I wonder, though, whether with an environment as static as JD’s you would significantly benefit from the overhead of configuring them? I guess if JD needed some redundancy a bit later on, then this could definitely help.

    cheers all-

    theterranaut

    anon10f1
    Member
    #291914

    Re: Re-route data to another device on the LAN

    Hi there, I’m not sure whether you have figured out the problem. I had a similar situation. Here are the steps I did to forward my WAN traffic to another router:

    route inside 192.168.2.0 255.255.255.0 192.168.10.213 1
    global (inside) XXX interface

    XXX = The global pool number you use for setting up the inside NAT

    My understanding is that adding the port address translation on your inside interface will allow your 192.168.10.0 traffic to go in and out of the inside interface. This will only work if your forwarded router is in the same subnet as your inside interface. For your case, it is the same.

    I have been able to use my ASA as the default gateway and route my WAN traffic to another router by putting this PAT command. :grin:

    Cheers…
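The following is an added model, not code from any poster or from Cisco, of the four situations the thread walks through: no route on the ASA (JD's original symptom), a route without hairpinning allowed (theterranaut's PIX limitation), a route plus `same-security-traffic permit intra-interface` (forward path works but the 871 answers the host directly, so the ASA sees only half the flow), and anon10f1's route plus inside PAT (reply comes back through the ASA). Addresses are the thread's; the forwarding rules are a deliberate simplification of ASA behaviour, assumed here for illustration.

```python
"""Trace a request/reply pair across the head-office LAN (constructed model)."""
import ipaddress

LAN = ipaddress.ip_network("192.64.10.0/24")        # head-office LAN from the thread
SATELLITES = ipaddress.ip_network("192.168.0.0/16")  # networks behind the 871's VPN
ASA_INSIDE = "192.64.10.212"                         # ASA 5510 inside interface
R871 = "192.64.10.213"                               # Cisco 871 LAN interface


def trace(src, dst, asa_route_to_871, intra_interface, inside_pat):
    """Return the hops of the request and of the reply, plus whether the reply
    traverses the ASA (symmetric path).

    asa_route_to_871: ASA has 'route inside 192.168.0.0 255.255.0.0 192.64.10.213'
    intra_interface:  'same-security-traffic permit intra-interface' is configured
    inside_pat:       source PAT to the inside interface address is configured
    """
    forward = [src, ASA_INSIDE]          # every host uses the ASA as default gateway
    if not (asa_route_to_871 and ipaddress.ip_address(dst) in SATELLITES):
        # No matching route: the default route sends the packet out the SHDSL
        # link, where 192.168.x.x is unreachable and nothing ever answers.
        forward.append("outside")
        return {"forward": forward, "reply": [], "symmetric": False}
    if not intra_interface:
        # Route matches, but the packet would leave the interface it came in on.
        forward.append("dropped")
        return {"forward": forward, "reply": [], "symmetric": False}
    forward += [R871, dst]               # hairpinned to the 871, then over the VPN
    # Without PAT the 871 delivers the reply straight to the host on the shared
    # LAN; with PAT the reply is addressed to the ASA, which un-NATs it.
    reply = [dst, R871, ASA_INSIDE if inside_pat else src]
    if inside_pat:
        reply.append(src)
    return {"forward": forward, "reply": reply, "symmetric": inside_pat}


if __name__ == "__main__":
    for route, intra, pat in [(False, False, False), (True, False, False),
                              (True, True, False), (True, True, True)]:
        print(route, intra, pat, trace("192.64.10.50", "192.168.2.180", route, intra, pat))
```

The trade-off of the PAT variant is visible in the reply path: the satellite side sees all head-office traffic as coming from the ASA's inside address rather than from the individual hosts.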
