
PIX / ASA Tunnel Default Gateway trouble with learned route

Status
Not open for further replies.

eisenberg

Technical User
Feb 1, 2011
2
US
thread557-1456901

My Tunneled Default Gateway (TDG) on my PIX running 8.04 is working as expected with one exception. My problem has to do with encrypted traffic with a destination of 206.125.125.0/24 not taking the TDG due to a learned route. In turn, encrypted traffic destined for 206.125.125.0/24 is trying to go out of the ASA outside interface since the outside interface is defined within 206.125.125.0/24. This learned route problem is being caused by my ASA outside interface having an IP within 206.125.125.0/24. It is looking like I will need to create individual route statements for IPs 206.125.125.2 thru .249 and .251 thru .253. I had to skip .250 since it lives on the ASA outside interface. I omitted .1 since it is the default gateway of the firewall.

!
interface Ethernet0
nameif outside
security-level 0
ip address 206.125.125.250 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 206.125.125.1 1
route outside 10.20.185.0 255.255.255.0 206.125.125.1 1
route outside 10.20.195.0 255.255.255.0 206.125.125.1 1
route inside 0.0.0.0 0.0.0.0 10.100.100.254 tunneled
!

I would like to avoid putting all of the individual routes on the firewall... looking for any suggestions.

According to this statement, taken from the URL below, it is this learned route that is keeping all encrypted traffic destined for 206.125.125.0/24 from taking the TDG and sending it out of the ASA outside interface.

"You can define a separate default route for tunneled traffic along with the standard default route. Unencrypted traffic received by the ASA, for which there is no static or learned route, is routed through the standard default route. Encrypted traffic received by the ASA, for which there is no static or learned route, will be passed to the DTG defined through the tunneled default route."
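Added example, not part of the original post and not ASA code: a small Python model of the route selection the quoted documentation describes (longest-prefix match first, tunneled default only as a last resort for encrypted traffic), loaded with this thread's route table plus the connected /24 the outside interface address implies. It also expands the per-host /32 workaround the poster is considering so its effect can be checked in the same model; the table contents and the "connected" marker are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's routing table; not an ASA emulator.
# Entries: (prefix, next hop, interface, tunneled). The /24 "connected"
# entry is what the outside interface address 206.125.125.250/24 implies.
ROUTES = [
    ("206.125.125.0/24", "connected", "outside", False),
    ("0.0.0.0/0", "206.125.125.1", "outside", False),
    ("10.20.185.0/24", "206.125.125.1", "outside", False),
    ("10.20.195.0/24", "206.125.125.1", "outside", False),
    ("0.0.0.0/0", "10.100.100.254", "inside", True),
]

def parse_route(line):
    """Turn 'route <iface> <net> <mask> <nexthop> [metric]' into a ROUTES entry."""
    _, iface, net, mask, nh = line.split()[:5]
    prefix = str(ipaddress.ip_network(f"{net}/{mask}"))
    return (prefix, nh, iface, False)

def lookup(dst, encrypted, routes=ROUTES):
    """Apply the quoted rule: the longest matching static/learned/connected
    route wins; only when none matches does encrypted traffic fall to the
    tunneled default and unencrypted traffic to the standard default."""
    dst = ipaddress.ip_address(dst)
    specific = [(ipaddress.ip_network(p), nh, iface)
                for p, nh, iface, tun in routes
                if not tun and ipaddress.ip_network(p).prefixlen > 0
                and dst in ipaddress.ip_network(p)]
    if specific:
        net, nh, iface = max(specific, key=lambda r: r[0].prefixlen)
        return iface, nh
    # No specific route: encrypted traffic tries the tunneled default first.
    for want_tunneled in ((True, False) if encrypted else (False,)):
        for p, nh, iface, tun in routes:
            if ipaddress.ip_network(p).prefixlen == 0 and tun == want_tunneled:
                return iface, nh
    return None

def host_routes(base, ranges, next_hop, iface):
    """Expand the workaround the post considers (.2-.249 and .251-.253)
    into one /32 static route per host, leaving .1 and .250 alone."""
    return [f"route {iface} {base}.{n} 255.255.255.255 {next_hop} 1"
            for lo, hi in ranges for n in range(lo, hi + 1)]

if __name__ == "__main__":
    print(lookup("206.125.125.50", encrypted=True))   # connected /24 wins over the TDG
    plan = host_routes("206.125.125", [(2, 249), (251, 253)], "10.100.100.254", "inside")
    fixed = ROUTES + [parse_route(r) for r in plan]
    print(lookup("206.125.125.50", encrypted=True, routes=fixed))  # now follows the inside hop
```

The model also shows the cost of the per-host plan: a plain /32 static route is not marked tunneled, so in this model unencrypted traffic to those same hosts is steered to the inside next hop as well.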
