I should probably start by explaining the topography: we have two different internet connections with separate firewalls. One is an ASA and one is a Meraki; the default gateway for all the servers behind the firewalls is the ASA (10.100.200.1). The problem I am having is that we have a site-to-site on the Meraki (10.100.200.2), and the traffic destined for the subnet (192.168.100.0) on the other side of the site-to-site can't find its way because it is trying to go through the ASA's default gateway (10.100.200.1). If I set a static route on the server that is trying to send traffic to the subnet (192.168.100.0) to use the Meraki's default gateway (10.100.200.2), it works. How do I set a static route on the ASA so that any traffic that comes through the Meraki uses the Meraki's default gateway to get out?

MagicL

2 Answers

An ASA is low-end gear for Cisco; as such, this firewall does not support ICMP redirect. Thus, you can't with the ASA.

You will have to set some GPO, or a similar alternative method, to force the route, or upgrade the firewall to a true router.

The way it works is that when the router sees that the computer needs to use another gateway, the router sends an ICMP redirect to the computer to advertise the route to the correct router/firewall. The computer afterwards continues to use that route.

yagmoth555
  • @llerdal Do a route print from those machines and compare. A route add /p would be persistent on the computer. The limitation exists, but I have no clue if some workaround was done. – yagmoth555 Mar 05 '16 at 23:18
  • @llerdal Finally, did you compare the route print output on each side? As I told you, you can set some GPO or such to bypass the problem if you don't intend to change the network gear. (Like illustrated there in the example: http://serverfault.com/questions/556288/adding-static-route-through-group-policy) – yagmoth555 Mar 07 '16 at 15:27
  • Yes, I determined that the solution for now is to put a static route on the servers to the destination through the Meraki default gateway, skipping the ASA completely. It was dropping the TCP traffic due to never receiving the SYN packet. The permanent solution is a layer 3 switch. – MagicL Mar 07 '16 at 20:49
Here is the command to create a route on an ASA that points all the 192.168.100.x traffic to the Meraki:

route inside 192.168.100.0 255.255.255.0 10.100.200.2

Here is the config guide from Cisco: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ip.html#wp1047894

Dre
  • It's not that easy; that will work for ICMP and UDP traffic. But TCP needs the 3-way handshake, so when the client sends the SYN packet it goes directly to the server and doesn't go through the ASA. The server then sends the SYN-ACK packet to the server's default gateway, which is the ASA, but the ASA never received the SYN packet, so it drops the SYN-ACK packet. Thus the TCP connection cannot be made. – MagicL Mar 07 '16 at 04:52
  • Well, you could try having the Meraki send all traffic destined to 10.100.200.x to the ASA: set up the internal interface on the Meraki with a subnet mask of 255.255.255.252. That will give you a subnet with the .1 and .2 as the only two hosts. Also, set the routing on the Meraki to the .1 address of the ASA. This is pretty messy... A better option for you may be to add a "classless static route" in your DHCP scope. This is just a check box under Scope Options if you are using Windows Server for DHCP. Then all your DHCP clients will route correctly. Of course, this won't work for static IPs. – Dre Mar 07 '16 at 17:13
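The asymmetric-routing failure described in the comments above (the stateful ASA drops a SYN-ACK for a flow whose SYN entered through the Meraki) can be modelled in a few lines. This is an added illustration, not code from the thread or from either vendor; the two gateway addresses are the ones in the question, while the client and server hosts and the toy firewall are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ASA, MERAKI = "10.100.200.1", "10.100.200.2"          # gateways named in the question
CLIENT, SERVER = "192.168.100.10", "10.100.200.50"    # constructed sample hosts

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    """Toy stateful inspection: a TCP flow exists only once the firewall has seen its SYN."""
    def __init__(self, name):
        self.name, self.flows, self.log = name, set(), []

    def forward(self, pkt):
        if pkt.flags == "SYN":                     # new flow: remember (client, server)
            self.flows.add((pkt.src, pkt.dst))
            self.log.append(f"{self.name}: allow SYN {pkt.src}->{pkt.dst}")
            return True
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            self.log.append(f"{self.name}: allow {pkt.flags} {pkt.src}->{pkt.dst}")
            return True
        self.log.append(f"{self.name}: drop {pkt.flags} {pkt.src}->{pkt.dst} (no SYN seen)")
        return False

def next_hop(routes, dst):
    """Longest-prefix match over a host routing table given as [(prefix, gateway), ...]."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]

def handshake(server_routes):
    """Return (handshake_ok, gateway the SYN-ACK used) for the given server routing table."""
    gateways = {ASA: StatefulFirewall("ASA"), MERAKI: StatefulFirewall("Meraki")}
    # The remote client's SYN arrives through the Meraki tunnel; the ASA never sees it.
    gateways[MERAKI].forward(Packet(CLIENT, SERVER, "SYN"))
    # The server's SYN-ACK follows the server's own routing table, not the inbound path.
    gw = next_hop(server_routes, CLIENT)
    return gateways[gw].forward(Packet(SERVER, CLIENT, "SYN-ACK")), gw

DEFAULT_ONLY = [("0.0.0.0/0", ASA)]                              # as in the question
WITH_STATIC = DEFAULT_ONLY + [("192.168.100.0/24", MERAKI)]      # the per-server fix
```

With only the default route, handshake(DEFAULT_ONLY) returns (False, ASA): the SYN-ACK is dropped exactly as MagicL observed, while handshake(WITH_STATIC) returns (True, MERAKI) because the reply reaches the gateway that holds the flow state.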