ASA 5510 Route Question



Hub Hardware: Cisco ASA 5510, Software version 7.0(2)
Spoke Hardware: PIX 501, Version 6.x / 1600, Version 12.x

I'm currently in the process of upgrading my classic PIX 520 to the new ASA 5500
platform. For the last week I have been slowly working through config changes, but
I'm almost complete. However, not only am I tossing in a hardware change,
but a provider change as well. Currently we have a single managed T1 for
internet access. However, through a deal with a different provider (who
just bought out our current provider), we are having 2 managed T1s
installed for internet access at 50% of the cost. I specifically requested
that these two T1s be kept separate. My thought process was that I would
dedicate one T1 to strictly carry VPN traffic, while the other handles all
other internet traffic. By doing this, I hope to eliminate congestion to my
spoke VPN sites due to excessive internet traffic. With 4 interfaces
available, I have enough connections to make it all work.

However, here is the problem that arises when I use more than two
interfaces on the device. I take one interface (call it INET) and assign
security 0 and NAT to it for outbound traffic to the internet. The other
interface (called VPN) has no NAT, but a crypto map assigned to it.
Currently, traffic is passing through each interface, just not both at the
same time. If I assign a static route for the INET interface, NAT traffic
passes fine, but VPN traffic fails with no route to network. The opposite
occurs when I assign the default route to the VPN interface.

So my question is what is the "proper" way of handling this? Let's say the
hub network is 192.168.1.0/24 and each spoke is assigned a class C of
192.168.2.0/24-192.168.128.0/24. Some of these spokes are static addresses,
so I can initiate the tunnel from either direction, but others are only
remotely initiated (dynamic map) from the spoke site due to them having a
dynamic address. We're not using all those subnets, but that's what I have
set aside for future growth. Should I, as part of configuring VPN
connectivity for each site, assign a static route for 192.168.X.0/24 to
point out the VPN interface on the 5500? This idea, while it should work,
wouldn't seem to scale well as the number of spokes increases. I haven't
seen anywhere in the PIX/ASA doc that allows for policy-based routing. Is
there some other way that I can configure traffic for these spokes to pass
out the VPN interface rather than the INET interface? Simply assigning a
crypto map to the VPN interface doesn't seem to trigger the device to make
this decision intelligently, and I'd like to avoid static routes, if
possible.

Thanks,

Barry Lance
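One way to lay this out on the 5510, as an added example that is not part of the original post and not Cisco's documentation: it goes one step beyond the per-spoke static route proposed above by using a single summary static route for the whole spoke block, which addresses the scaling concern directly. Interface names, the addresses (taken from the RFC 5737 documentation ranges), the static peer address 192.0.2.10 and the transform set are assumptions; the command syntax is ASA 7.0-era (isakmp and tunnel-group commands), which is the version named at the top of the post.

```text
! Added example; interface names, addresses and peer 192.0.2.10 are assumed.
interface Ethernet0/0
 nameif INET
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 nameif VPN
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Ordinary Internet traffic follows the default route out INET.
route INET 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! One summary route instead of one static per spoke: 192.168.0.0/16 covers
! 192.168.2.0/24 through 192.168.128.0/24. The connected 192.168.1.0/24 on
! inside is more specific (longest match), so local traffic is unaffected.
! Cleartext for any spoke subnet now leaves via VPN, where the crypto map
! applied to that interface can match it.
route VPN 192.168.0.0 255.255.0.0 198.51.100.1 1
!
! A static peer's public address must also route out VPN; otherwise the
! ISAKMP/ESP packets to that peer would follow the default route out INET.
route VPN 192.0.2.10 255.255.255.255 198.51.100.1 1
!
! NAT exemption: hub-to-spoke traffic keeps its private addresses, so it
! still matches the crypto ACL. Everything else from inside is PATed on INET.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
global (INET) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Crypto map on VPN: one static entry per static-address spoke, plus a
! dynamic entry (highest sequence number, evaluated last) for spokes that
! can only initiate from a dynamic address.
access-list spoke2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 65535 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 match address spoke2
crypto map vpnmap 10 set peer 192.0.2.10
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface VPN
!
isakmp enable VPN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! Pre-shared keys live in tunnel-groups in 7.x: one per static peer and the
! DefaultL2LGroup for dynamic peers (PLACEHOLDER keys, replace before use).
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key SPOKE2-KEY-PLACEHOLDER
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key DYNAMIC-SPOKE-KEY-PLACEHOLDER
```

The summary route only steers the cleartext side; `show route` confirms that 192.168.1.0/24 still resolves to inside and the rest of the block to VPN, and `show crypto ipsec sa` after a ping to a spoke shows whether packets are actually being encapsulated on VPN. The open question this example does not settle is the dynamic-address spokes: their public addresses cannot be routed out VPN in advance, so whether the hub's ISAKMP and ESP replies to such a peer stay on VPN or follow the default route out INET is exactly what to verify on the 7.0(2) box before cutting over.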


