Trouble adding a Static Route



  • Hello!  I'm somewhat new to pfSense (been testing it for about 6 months and just went live in production) and I am having trouble adding a static route to resolve an issue.  Long story short, we have a legacy Cisco ASA still connected for VPN purposes behind the pfSense firewall and the only issue we have is that when remote access VPN clients are connected through the ASA and are communicating with computers/servers on the LAN, the LAN computers/servers send their replies to their default gateway (pfSense) which does not know to forward the packets to the Cisco ASA's LAN port/IP.

    I've been able to work around the issue on a few key servers by adding a static route in Windows that tells it to send traffic destined for IP addresses that the Cisco ASA is assigning to VPN clients back to the Cisco ASA (instead of the pfSense box) but it would be much more useful to have the pfSense box relay the packets destined for those IP addresses to the Cisco ASA.  When I try, pfSense tells me that it cannot create a static route because the gateway address does not match the destination network (and it's correct- the gateway address for the Cisco ASA is a LAN address and the VPN address pool is completely different but the Cisco ASA is able to receive packets for the VPN addresses and route them through the tunnel).

    So in other words, Windows lets me create a static route even though the gateway is not in the same address space, why can't pfSense?



  • @MDCole9761:

    When I try, pfSense tells me that it cannot create a static route because the gateway address does not match the destination network (and it's correct- the gateway address for the Cisco ASA is a LAN address and the VPN address pool is completely different but the Cisco ASA is able to receive packets for the VPN addresses and route them through the tunnel).

    The VPN address pool does not have to be in the same address space as an interface subnet, just the gateway.

    You say pfSense is connected to LAN and the Cisco ASA is connected to pfSense. So the ASA will have an IP in a subnet of the pfSense interface it is connected to. This IP you have to enter for the new gateway address. Then you can use this gateway for a new static route in pfSense to the VPN tunnel.



  • Thank you @viragomann for the response- although it helps a little, my problem still remains that I am able to tell Windows clients to route packets destined for one subnet to a gateway on a different subnet, but I can't do the same in pfSense.

    Here's an example:

    Remote Client--->Internet--->pfSense (default gateway)----->Cisco ASA---->LAN
                                                      |
                                                      |------------------------------------------------>LAN

    Let's say the LAN net = 192.10.10.0/24
    pfSense LAN IP = 192.10.10.254
    Cisco ASA LAN IP = 192.10.10.253

    Cisco VPN address net (addresses assigned to VPN clients when they connect) = 192.168.9.0/24

    Naturally, packets sent from VPN clients to LAN computers have a reply-to address in the 192.168.9.0/24 range.  But the LAN computers have their default gateway set via DHCP (or statically for things like servers) to that of the pfSense box (192.10.10.254).  So any replies from LAN computers are going to the pfSense box and not the Cisco ASA (therefore, never ending up back in the tunnel).  I can tell the Windows computers via a simple CLI command to add a persistent static route that directs all outbound packets destined for the VPN tunnel clients (192.168.9.0/24) to 192.10.10.253 (instead of the default gateway) so that the Cisco ASA can route them through the tunnel.

    So the question remains, why can't I tell the pfSense box "Hey, if you get a packet destined for 192.168.9.0/24, send it to 192.10.10.253"?  Or, if it can be done, how do I do it?

    Thank you for any help you can offer,
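To make the asymmetric-routing problem described above concrete, here is an added example (not from the thread, pfSense or Cisco) that simulates longest-prefix-match lookups with the thread's addresses. It assumes a hypothetical upstream WAN next hop of 203.0.113.1 for pfSense's own default route; all tables are constructed.

```python
import ipaddress

# Constructed routing model built from the thread's addressing (example only).
LAN_NET = ipaddress.ip_network("192.10.10.0/24")
VPN_POOL = ipaddress.ip_network("192.168.9.0/24")
PFSENSE_LAN = ipaddress.ip_address("192.10.10.254")
ASA_LAN = ipaddress.ip_address("192.10.10.253")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
WAN_UPSTREAM = ipaddress.ip_address("203.0.113.1")  # hypothetical WAN next hop


def lookup(table, dst):
    """Longest-prefix match over (network, gateway) entries.
    Returns the gateway, or None when dst is on a directly attached subnet."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, gw = max(matches, key=lambda entry: entry[0].prefixlen)
    return gw


def lan_host_table(static_route=False):
    """A LAN server: connected LAN net plus default route to pfSense."""
    table = [(LAN_NET, None), (DEFAULT, PFSENSE_LAN)]
    if static_route:  # the Windows workaround: 192.168.9.0/24 via the ASA
        table.append((VPN_POOL, ASA_LAN))
    return table


def pfsense_table(static_route=False):
    """pfSense: connected LAN net plus default route towards the WAN."""
    table = [(LAN_NET, None), (DEFAULT, WAN_UPSTREAM)]
    if static_route:  # the desired pfSense fix: 192.168.9.0/24 via 192.10.10.253
        table.append((VPN_POOL, ASA_LAN))
    return table


def gateway_is_attached(table, gateway):
    """A static route's gateway is usable when it sits on a directly attached subnet;
    it does not need to be inside the destination network."""
    return lookup(table, gateway) is None


def reply_path(vpn_client, host_static=False, pfsense_static=False):
    """Trace a LAN server's reply to a VPN client; return the next hops it is sent to."""
    hops = []
    gw = lookup(lan_host_table(host_static), vpn_client)
    hops.append(str(gw))
    if gw == PFSENSE_LAN:  # reply reached pfSense, which now makes its own decision
        hops.append(str(lookup(pfsense_table(pfsense_static), vpn_client)))
    return hops
```

Without any static route the reply leaves via pfSense's WAN default and never re-enters the tunnel; either the per-host route or the pfSense route steers it to 192.10.10.253.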



  • I've even tested this behaviour in my network on pfSense.
    I've added a gateway:
    Interface=LAN
    Name=GW2
    Gateway=an IP of a LAN-host (LANHost_IP)

    Then I added a route:
    Destination network=10.10.1.0/24 (which is unknown at LAN hosts, so requests are directed to default gateway/pfSense)
    Gateway=GW2

    Then I tried a ping from a host in LAN to 10.10.1.52 and viewed the traffic with packet capture. The packets were correctly redirected from my pfSense (default gateway) to the LANHost_IP and were seen at its interface.
    Why doesn't that work in your setup?

    In your new gateway you have entered the ASA LAN IP, 192.10.10.253, following your lead? And you've selected LAN interface there?

    Another way to get it working is to set up masquerading on the Cisco ASA for the tunnel network to translate the VPN IP to a LAN IP at its LAN interface. In pfSense this is called Outbound NAT, but mostly it's known as masquerading. But I don't know how to do this on Cisco.



  • Thanks again @viragomann- I think I've finally got it!

    I already had the gateway entered in pfSense with the LAN address but the piece I was missing was that the pfSense box had to have a virtual IP on the LAN interface that was within the 192.168.9.0/24 range in order for it to accept the static route.  After adding the virtual IP, I was able to add the static route and it looks like clients can ping LAN computers and receive the proper reply!

    Thanks for all your help!

