This is a real-world scenario where I needed to route traffic from a private subnet via a secondary router, because a particular set of servers on a secure external network had to be reachable. All three VLANs on the ASA were private subnets, so NAT had already been configured to allow traffic to be routed correctly.
!
object network inside_network_subnet
subnet 10.0.30.0 255.255.255.0
object network dmz_network_subnet
subnet 10.0.20.0 255.255.255.0
!
nat (inside,outside) source dynamic inside_network_subnet interface
nat (dmz,outside) source dynamic dmz_network_subnet interface
!
route outside 0.0.0.0 0.0.0.0 10.0.10.2 1
!
To make this work without configuring routes on each PC behind the ASA, we configure twice NAT to match packets destined for the secure network and translate their source to the DMZ interface address. A route on the DMZ interface then forwards these packets to the secure network router.
!
object network secure_network
subnet 10.1.1.2 255.255.255.0
!
nat (inside,dmz) source dynamic inside_network_subnet interface destination static secure_network secure_network
!
route dmz 10.1.1.2 255.255.255.0 10.0.20.2 1
!
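To check which path a flow takes before and after the change, here is a small model of the ASA lookup order described above (added example, not from the original post or Cisco): a matching twice-NAT rule picks the egress interface itself, otherwise the routing table picks it and an object NAT rule for that interface pair may translate the source. Interface addresses are assumed, and the post's 10.1.1.2 with a /24 mask is normalised to the 10.1.1.0/24 prefix.

```python
from ipaddress import ip_address, ip_network

# Interface addresses are assumed (the post does not give them); "interface" in a
# NAT rule translates the source to whichever of these is the egress interface.
IFACE_IP = {"inside": "10.0.30.1", "dmz": "10.0.20.1", "outside": "10.0.10.1"}

def net(s):  # strict=False accepts the post's 10.1.1.2/24 spelling as 10.1.1.0/24
    return ip_network(s, strict=False)

# Before: only the default route and the two object NAT (section 2) rules.
BEFORE = {
    "routes": [("outside", net("0.0.0.0/0"), "10.0.10.2")],
    "twice_nat": [],                                    # (real_if, mapped_if, real_src, real_dst)
    "auto_nat": [("inside", "outside", net("10.0.30.0/24")),   # (real_if, mapped_if, real_src)
                 ("dmz", "outside", net("10.0.20.0/24"))],
}
# After: the twice-NAT (section 1) rule plus the DMZ route from the post.
AFTER = {
    "routes": BEFORE["routes"] + [("dmz", net("10.1.1.2/24"), "10.0.20.2")],
    "twice_nat": [("inside", "dmz", net("10.0.30.0/24"), net("10.1.1.2/24"))],
    "auto_nat": BEFORE["auto_nat"],
}

def route_lookup(cfg, dst, iface=None):
    """Longest-prefix match, optionally restricted to one egress interface."""
    hits = [r for r in cfg["routes"] if dst in r[1] and iface in (None, r[0])]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)

def forward(cfg, ingress, src, dst):
    """Return (egress interface, translated source, next hop) for one flow.
    Section 1 (twice NAT) is checked first and fixes the egress interface;
    otherwise the routing table decides and a section 2 rule for that
    interface pair may then translate the source."""
    src, dst = ip_address(src), ip_address(dst)
    for real_if, mapped_if, real_src, real_dst in cfg["twice_nat"]:
        if ingress == real_if and src in real_src and dst in real_dst:
            route = route_lookup(cfg, dst, mapped_if)
            return mapped_if, IFACE_IP[mapped_if], route[2] if route else None
    egress, _, gw = route_lookup(cfg, dst)
    xlated = next((IFACE_IP[m] for r, m, n in cfg["auto_nat"]
                   if r == ingress and m == egress and src in n), str(src))
    return egress, xlated, gw

if __name__ == "__main__":
    # Constructed sample flow: an inside host reaching a server on the secure network.
    print(forward(BEFORE, "inside", "10.0.30.15", "10.1.1.2"))  # ('outside', '10.0.10.1', '10.0.10.2')
    print(forward(AFTER, "inside", "10.0.30.15", "10.1.1.2"))   # ('dmz', '10.0.20.1', '10.0.20.2')
```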