Cisco ASA: Routing packets based on where the connections started from


We have a Cisco ASA 5505 (version 8.2(2)) with three interfaces:

outside: IP address 11.11.11.11, this is the default route
inside: IP address 10.1.1.1, this is the local subnet
newlink: 22.22.22.22, this is a new internet connection.

We need to move VPN users from the 11.11.11.11 address to the 22.22.22.22 address, and we're using SSH to the ASA to test and sort out the routing.

The problem we have is this:

If we define a particular IP as being on a static route out the newlink interface then it can SSH to 22.22.22.22 fine.
If we do not define a static route then the traffic hits the ASA, but the return traffic does not come back over newlink; presumably it gets sent over the outside interface as that is the default route.
We can't define a static route for each remote endpoint because there are dialup VPN users, who obviously change IP a lot.

What we need to do is configure the ASA so if a connection comes in on the newlink interface then the outgoing packets for that go over the newlink interface, not the default route. With iptables this should be do-able by marking the connection and doing mark-routing, but what is the equivalent for a Cisco ASA?

Best Answer

As I see, this question is 3 years old, but I decided to put an answer as it might be useful to someone who visits this page some day.

This question is about PBR (policy-based routing), also known as routing based on source address. The thing is, this stuff is "officially" not supported by the ASA. BUT, there's a trick with NAT that can be used to achieve similar results. It's called Identity NAT, also known as same-address translation.

In this case this would look like this:

sysopt noproxyarp newlink

static (newlink,newlink) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

This is saying: when ANY IP (0.0.0.0/0) comes in on interface newlink, put it back on interface newlink while translating it to itself (0.0.0.0). So no NAT really happens, but we are saying what the output interface will be. This routing table override happens because when using identity NAT, the NAT process does some partial routing based on the "translated" interface. The sysopt noproxyarp newlink command is needed, because otherwise the ASA will start responding to ARP requests (proxy-ARP) for any destination address arriving on the "newlink" interface. All of this is pre-8.3 ASA OS syntax.

Post-8.3 syntax is like this:

sysopt noproxyarp newlink

nat (newlink,newlink) source static any any