Apr 1, 2011

Routing non-contiguous subnets on ASA (without VLSM)

How to route traffic between the wireless LAN and the internal 10.20.20.0/24 network without using VLSM?


The wireless router translates the network 192.168.0.0/24 to 10.20.20.100 and then forwards the traffic to the firewall. The gateway IP address set on this router is 10.20.20.254. However, the firewall interface facing it (called wlan here, configured as guest below) has the IP address 172.16.0.1 (MAC address: 00aa.0091.9e02). So it seems impossible to get traffic from the wireless router to the firewall. That's wrong!

The firewall already has a static route to the internal network 10.20.20.0/24 via inside, so we cannot assign an IP address from this range to the wlan interface without using VLSM. The solution is Proxy ARP:

no sysopt noproxyarp guest
arp guest 10.20.20.254 00aa.0091.9e02 alias
route inside 10.20.20.0 255.255.255.0 10.10.10.254 1
route guest 10.20.20.100 255.255.255.255 10.20.20.100 1

When the wireless router tries to reach 10.20.20.0/24 through its gateway 10.20.20.254, the firewall answers the ARP request with its own MAC address (the alias entry above). We only need layer 2 connectivity between these two devices, so everything works fine.
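To make the route selection and the ARP behaviour explicit, here is a small Python model of the four configuration lines above. It is an added illustration written for this page, not ASA code and not from the original post. It assumes an inside interface address of 10.10.10.1/24 (the post only gives the next hop 10.10.10.254) and models the `alias` entry as the only address the firewall proxy-answers for. It also shows why the /32 host route is needed: a reply to 10.20.20.100 must match the more specific guest route instead of the /24 pointing at inside, otherwise the return traffic would be sent back into the internal network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the ASA routing table and ARP handling described in the post.
# Illustration only; it is not ASA code.


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int


# route inside 10.20.20.0 255.255.255.0 10.10.10.254 1
# route guest 10.20.20.100 255.255.255.255 10.20.20.100 1
ROUTES = [
    Route("inside", ipaddress.ip_network("10.20.20.0/24"), "10.10.10.254", 1),
    Route("guest", ipaddress.ip_network("10.20.20.100/32"), "10.20.20.100", 1),
]

# interface name -> (address, proxy ARP enabled)
# 'no sysopt noproxyarp guest' re-enables proxy ARP on guest.
# The inside address is an assumption; the post does not state it.
INTERFACES = {
    "inside": ("10.10.10.1/24", False),
    "guest": ("172.16.0.1/24", True),
}
IFACE_MAC = {"guest": "00aa.0091.9e02"}

# arp guest 10.20.20.254 00aa.0091.9e02 alias
# (interface, ip) -> MAC the firewall answers ARP requests with
ARP_ALIAS = {("guest", "10.20.20.254"): "00aa.0091.9e02"}


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match; a lower metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def forward(dst, routes=ROUTES):
    """Egress interface and next hop the firewall would use for dst."""
    r = lookup_route(dst, routes)
    return (r.iface, r.next_hop) if r else None


def proxy_arp_reply(iface, target_ip):
    """MAC the firewall answers with for an ARP request received on iface, or None."""
    addr, proxy_enabled = INTERFACES[iface]
    if ipaddress.ip_address(target_ip) == ipaddress.ip_interface(addr).ip:
        return IFACE_MAC.get(iface)  # its own interface address, always answered
    # The alias entry only takes effect while proxy ARP is enabled on that interface.
    if proxy_enabled and (iface, target_ip) in ARP_ALIAS:
        return ARP_ALIAS[(iface, target_ip)]
    return None


def without_host_route():
    """The same table minus the /32 on guest, to show why that route is required."""
    return [r for r in ROUTES if r.prefix.prefixlen != 32]


if __name__ == "__main__":
    # ARP from the wireless router (10.20.20.100) for its gateway 10.20.20.254
    print("ARP 10.20.20.254 on guest ->", proxy_arp_reply("guest", "10.20.20.254"))
    # Echo request to 10.20.20.254 goes to inside; the reply comes back out guest.
    print("request  ->", forward("10.20.20.254"))
    print("reply    ->", forward("10.20.20.100"))
    # Without the /32, the reply to 10.20.20.100 would match the /24 and go to inside.
    print("reply without host route ->", forward("10.20.20.100", without_host_route()))
```

Running it reproduces the debug output in the post: the ARP request for 10.20.20.254 on guest is answered with 00aa.0091.9e02, the echo request is routed to inside via 10.10.10.254, and the echo reply is routed out guest because the /32 wins the longest-prefix match.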

Now we just have to add the NAT and ACL rules that allow traffic from wlan to inside, and have some fun.

WL-Router#sh arp | i 10.20.20.254
Internet  10.20.20.254           38   00aa.0091.9e02  ARPA   Ethernet1/0

WL-Router#ping 10.20.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/52/92 ms

The firewall answers the ARP requests itself, but forwards the echo requests on to 10.20.20.254 through inside:

arp-in: request at guest from 10.20.20.100 cc01.0a44.0010 for 10.20.20.254 0000.0000.0000
arp-in: rqst for me from 10.20.20.100 for 10.20.20.254, on guest
arp-set: added arp guest 10.20.20.100 cc01.0a44.0010 and updating NPs at 3051950
arp-in: generating reply from 10.20.20.254 00aa.0091.9e02 to 10.20.20.100 cc01.0a44.0010


ICMP echo request from guest:10.20.20.100 to inside:10.20.20.254 ID=10 seq=0 len=72
ICMP echo reply from inside:10.20.20.254 to guest:10.20.20.100 ID=10 seq=0 len=72


asa(config)# end
asa# wr mem
