Apr 1, 2011

Routing non-contiguous subnets on ASA (without VLSM)

How to route traffic between the wireless LAN and the internal network without using VLSM?

The wireless router translates the network to then forwards the traffic to the firewall. The gateway IP address set on this router is However, the firewall has an interface named wlan and IP address (MAC address: 00aa.0091.9e02). So it is not possible to have traffic from the wireless router to the firewall. That's wrong!

The firewall has a static route to the internal network, so we cannot assign an IP address of this range to the wlan interface without using VLSM. The solution is Proxy ARP:

no sysopt noproxyarp guest
arp guest 00aa.0091.9e02 alias
route inside 1
route guest 1

When the wireless router tries to reach using the gateway, the firewall replies to the ARP request with its MAC address. We just need layer 2 connectivity between these devices, thus everything works fine.

Now we just have to implement some NATs and ACLs to allow traffic from wlan to inside, and have some fun.

WL-Router#sh arp | i
Internet           38   00aa.0091.9e02  ARPA   Ethernet1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/52/92 ms

The firewall replies ARP requests, but forwards echo requests to

arp-in: request at guest from cc01.0a44.0010 for 0000.0000.0000
arp-in: rqst for me from for, on guest
arp-set: added arp guest cc01.0a44.0010 and updating NPs at 3051950
arp-in: generating reply from 00aa.0091.9e02 to cc01.0a44.0010

ICMP echo request from guest: to inside: ID=10 seq=0 len=72
ICMP echo reply from inside: to guest: ID=10 seq=0 len=72

asa(config)# end
asa# wr mem

No comments:

Post a Comment