06-19-2008 11:42 AM - edited 03-03-2019 10:25 PM
I want to know if it's possible to do this.
I have the following network setup
ASA 5520 ---> Cisco 2801 ----> T1
I want to add an additional internet subnet. These will have a different IP range. I don't need to load balance, I just want to route all traffic through the new connection and have it come back through the same pipe, so that it looks like this.
ASA 5520 --> Cisco 2801 --> T1
--> New pipe.
Thanks
06-19-2008 11:47 AM
Hi,
you use Policy Based Routing for this. Route based on source address to the new pipe. Look in the configuration guide (any version) and come back if you've any questions.
Hope this helps, please rate the post if it does!
06-19-2008 11:50 AM
How would this work with NAT on the ASA? I guess I don't understand PBR and NAT.
06-19-2008 12:57 PM
NAT on the ASA is fine, alternatively the router could do NAT, that is often necessary when load-balancing.
PBR will set next-hop or interface based on source address or any other criteria, and there are no interdependencies.
As an appreciation to those providing answers, please rate useful posts with the scrollbox below!
06-19-2008 01:58 PM
Will PBR work even with different subnets? Such as routing 168.44.x.x over a 24.26.x.x network?
I guess I am confused, how does it find its way back correctly?
06-19-2008 02:24 PM
Yes, it works with subnets as desired.
Once the packet is sent out with the correct source address on the correct interface, it will come back also correctly.
Please remember to rate useful posts.
07-01-2008 10:22 AM
OK, I got the second internet connection installed. I am not using NAT but am still having a problem using a route-map to route traffic from my firewall through our edge router. Here is my router config.
I can ping out the interface but cannot use the web.
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name brazos.org
!
username admin privilege 15 password xxx
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 168.44.102.x 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip route-cache flow
no ip mroute-cache
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description Timewarner Business Class
mac-address 0015.c5ce.fdf6
ip address 97.77.30.x 255.255.255.252
ip nbar protocol-discovery
no ip mroute-cache
speed auto
full-duplex
no mop enabled
!
interface Serial0/1/0
bandwidth 1536
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
encapsulation frame-relay
no ip route-cache cef
no ip route-cache
no fair-queue
service-module t1 timeslots 1-24
frame-relay traffic-shaping
frame-relay lmi-type cisco
!
interface Serial0/1/0.1 point-to-point
description Internet Connection DIR$FW_OUTSIDE$
bandwidth 1536
ip address 168.39.7.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
no ip route-cache
frame-relay class cisco
frame-relay interface-dlci 17 IETF
!
interface Serial0/2/0
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
service-module t1 timeslots 1-24
frame-relay traffic-shaping
frame-relay lmi-type cisco
!
interface Serial0/2/0.1 point-to-point
bandwidth 1536
ip address 168.39.7.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
no ip route-cache
no ip mroute-cache
shutdown
no cdp enable
frame-relay class cisco
frame-relay interface-dlci 16
!
ip route 0.0.0.0 0.0.0.0 168.39.7.x
ip flow-export source FastEthernet0/1
ip flow-export version 9
ip flow-export destination 168.44.102.x 9996
!
ip http server
ip http access-class 91
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
map-class frame-relay cisco
frame-relay cir 1536000
frame-relay bc 15360
frame-relay mincir 1536000
access-list 91 permit 168.44.102.x
access-list 91 permit 168.44.102.x
access-list 91 permit 168.44.102.x
access-list 102 permit tcp any any eq 4500
access-list 102 permit udp any any eq non500-isakmp
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq 22
snmp-server community BRASNMP RO
snmp-server ifindex persist
snmp-server host 168.44.102.x community
no cdp run
route-map TWC permit 20
match ip address 105
set ip default next-hop 97.77.30.17
!
!
control-plane
!
banner login ^C*****************************************************************
ATTENTION! PROPERTY OF BRAZOS RIVER AUTHORITY. AUTHORIZED USE ONLY!
*******************************************************************
^C
banner motd ^C^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 91 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 91 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17208771
ntp server 139.78.133.139
end
07-01-2008 11:45 AM
Hi, to use a second connection, when the router is not doing NAT, you must configure the ASA to use the new address. After that, no PBR is necessary.
07-01-2008 11:47 AM
So I need to install this connection on my ASA? How can I route just http on the ASA?
07-01-2008 01:33 PM
Robert
I do not believe that you can route just http on the ASA. I have implemented something very similar to what you are doing here. What I did was to have the firewall forward and translate all outbound traffic as if it were all going to use the normal path to the Internet. Then on the outside router I configured Policy Based Routing to identify web traffic initiated from inside and I policy base routed it to go out a cable modem attached to a FastEthernet interface. I had the router translate the traffic going out the cable modem (so effectively it is double translated) which assures that responses will come back on the same path through the cable modem.
In their case I also configured a floating static default route pointing out the cable modem. This allows them to use the cable modem for all traffic in case the primary default route goes down.
I notice that you have a route map configured as if you were going to policy route. But it is not assigned to any interface, so it is not doing anything. It should be assigned to the interface where the traffic enters the router from the firewall.
If you assign the route map to the interface for PBR and if you configure address translation for traffic going out the interface then I believe that it should work. Give it a try and let us know.
HTH
Rick
07-01-2008 05:52 PM
I ended up getting it to work the way you said. Double translated for ports 80, 443, 20, 21. It works.
However it is really slow and I never get the speeds that I am provisioned.
However if I bypass the firewall and stick a workstation on the external switch it works just fine and I get close to 14 Mb.
Any ideas as to what would cause it to be slow?
Any special TCP or MTU stuff?
07-01-2008 06:33 PM
Robert
I am glad that you found the same solution that I did. The double translation seems to work well for my customer. They do not seem to experience the poor response time that you are. I am not sure that it would be an MTU/fragmentation issue. But that may be possible. I would suggest that you configure the command:
ip tcp adjust-mss
(perhaps on the interface toward your alternate output interface - or perhaps on the interface toward the firewall).
I would suggest starting with a very conservative value like 1300. If it makes an improvement then you can experiment with increasing the value until you find a value where the performance impact appears again and then back off a bit.
HTH
Rick
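The design Rick describes in his two replies (route-map applied to the firewall-facing interface, translation on the way out the second pipe, a floating static default, and MSS clamping for the slowness), written out as an added example against the interface names in Robert's posted 2801 config. This is not Robert's config and not Rick's; the NAT access-list number 110, the inclusion of ftp-data, the administrative distance 250, and the MSS value are choices made here for illustration, and 168.39.7.x keeps the page's own placeholder.

```cisco
! Added example (not the poster's config): PBR + double NAT on the 2801.
! Assumed here, not on the page: ACL 110 for NAT, AD 250 for the backup route.
!
! 1. Policy routing is evaluated where traffic enters from the ASA, so the
!    route-map goes on Fa0/0. The same interface is NAT "inside".
!    ip tcp adjust-mss rewrites the MSS in TCP SYNs crossing the interface;
!    1300 is the conservative starting value suggested above.
interface FastEthernet0/0
 description LAN$ETH-LAN$$FW_INSIDE$
 ip nat inside
 ip policy route-map TWC
 ip tcp adjust-mss 1300
!
! 2. The new pipe is NAT "outside". Serial0/1/0.1 is deliberately left
!    without a NAT role, so traffic that follows the normal default route
!    is not translated a second time on the router.
interface FastEthernet0/1
 description Timewarner Business Class
 ip nat outside
!
! 3. Flows selected for the second pipe (the ports Robert listed).
!    "set ip default next-hop" is only consulted when the routing table has
!    no match more specific than the default route, which is exactly the
!    case for Internet-bound traffic here.
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq ftp-data
access-list 105 permit tcp any any eq 22
!
route-map TWC permit 20
 match ip address 105
 set ip default next-hop 97.77.30.17
!
! 4. Anything that actually leaves via Fa0/1 is PAT'd to the Fa0/1 address,
!    so replies come back through the same pipe. Because only Fa0/1 is
!    "ip nat outside", traffic leaving via the T1 is untouched by this rule.
!    Translating everything (not just list 105) also keeps the failover case
!    below working when all traffic shifts to the second pipe.
access-list 110 permit ip any any
ip nat inside source list 110 interface FastEthernet0/1 overload
!
! 5. Primary default via the T1; the floating static via the second pipe
!    (AD 250) is installed only if the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 168.39.7.x
ip route 0.0.0.0 0.0.0.0 97.77.30.17 250
```

Two checks worth running after applying this: "show ip nat translations" should show the 168.44.x source of the ASA being rewritten to the Fa0/1 address for port 80/443 flows only, and "show route-map TWC" should show the policy-routed packet counter climbing; if it stays at zero the route-map is still not bound to the ingress interface.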
12-29-2009 02:24 AM
Hi Rick,
I hope you can help me with this question as you have posted something similar and have a good understanding of the subject matter unlike me :).
I have a provider router connecting to my ASA, this also connects to the Internet and provides access for remote users to dial in. The provider router allows us to configure a 'LAN' IP address which corresponds to our internal addressing scheme and a WAN/Public IP address. The NAT is configured on the provider router. The outside interface on the ASA is configured with a private IP Address in the same subnet as the provider LAN IP address.
This works and is sufficient for the majority of our users however we have a subset of users with additional requirements for which a new DSL line has been installed and I would like these users (and only these users) to dial in via the new interface.
I have configured the interface as Outside_Bonded and created an SSL VPN portal to distribute to these users pointing to the new Internet router (please see attached config). The new router can do no NATing so I have had to give the new interface a Public IP Address and added a static route pointing to the new router.
Config has been edited for brevity but please let me know if you need a full config.
What else do I need to do?
Do I need to create a new VPN pool, do I need to have an additional global command, any NAT statements required? Please advise and be as specific as you possibly can.
Please note both these Internet connections are used for remote access to Internal Servers only. The Internal users use a separate connection for Internet Access.
See config below and please let me know if you have any questions or require further clarification.
Apologies for jumping on this post, I posted the question on the forum last week and have had no responses and I am absolutely desperate now.
Cheers,
Martha.
ASA Version 8.0(4)
!
hostname KPASA1
domain-name hwph.nhs.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.17.126.113 PW
name 10.17.124.11 TS1 description Terminal Services
name 10.17.124.45 TripleA
name 10.17.124.198 srv-aaa-001
name 10.17.106.108 KP9001
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.50.230 255.255.255.248
ospf cost 10
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.17.127.197 255.255.255.224
ospf cost 10
!
interface GigabitEthernet0/2
description Outside Interface for Bonded DSL
shutdown
nameif Outside_Bonded
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.51.37 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
pager lines 24
logging enable
logging list All_events level informational
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm debugging
logging host management 10.17.124.67
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu Outside_Bonded 1500
ip local pool VPNPOOL 10.17.127.129-10.17.127.158 mask 255.255.255.224
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
global (Inside) 1 10.17.127.199 netmask 255.255.255.224
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 TS1 255.255.255.255
nat (Inside) 1 PW 255.255.255.255
nat (Inside) 1 10.17.127.192 255.255.255.224
route Outside_Bonded 0.0.0.0 0.0.0.0 X.X.X.X (New Internet router) 1
route Outside 0.0.0.0 0.0.0.0 192.168.50.225 (Existing provider LAN interface) 12
route Inside 10.17.96.0 255.255.224.0 10.17.127.220 1
route Inside 10.17.98.9 255.255.255.255 10.17.127.220 1
route Inside 0.0.0.0 0.0.0.0 10.17.127.220 (EDGE DEVICE) tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server srv-aaa-001 protocol sdi
aaa-server srv-aaa-001 (Inside) host srv-aaa-001
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.17.0.0 255.255.0.0 Outside
http 10.17.0.0 255.255.0.0 Inside
http 192.168.51.0 255.255.255.0 management
http 10.17.96.0 255.255.240.0 management
http 10.17.127.0 255.255.255.0 Inside
snmp-server host management 10.17.124.67 poll community hwp98secret
snmp-server location Main Frame Room
no snmp-server contact
snmp-server community SECRET
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 10.17.0.0 255.255.0.0 Inside
telnet 192.168.51.0 255.255.255.0 management
telnet 10.17.0.0 255.255.0.0 management
telnet timeout 5
ssh 10.17.96.0 255.255.240.0 Inside
ssh 192.168.51.0 255.255.255.0 management
ssh timeout 5
console timeout 10
management-access managem
12-29-2009 05:13 AM
The question: have you tested this solution and faced a problem, or do you want to check before testing it?
I can see you have two default routes; the one that points to the new router has the lower metric and so will be the preferred path for any traffic from inside to outside (Internet).
For VPN you could create a new group and address pool if required (this way it will be easy to control two different groups with different policies).
Not sure if you require NATing on the new link to the new router (if you have sessions from inside to outside using that link you will need to configure global NATing for that link).
good luck
if helpful Rate
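The suggestions in the reply above (a separate VPN group and pool for the bonded-DSL users, and a global for the new interface), as an added example in ASA 8.0 syntax against the interface names in Martha's posted config. This is not Martha's config and not the responder's; the pool range, the group-policy and tunnel-group names, and the alias are assumptions chosen here, and it assumes the SSL VPN portal she mentions is clientless webvpn.

```cisco
! Added example (not the poster's config): separate entry point on
! Outside_Bonded. Assumed here: pool 10.17.127.160-190, names BONDED_*.
!
! 1. Dedicated address pool so the two user populations are distinguishable
!    in logs and can be given different access rules.
ip local pool VPNPOOL_BONDED 10.17.127.160-10.17.127.190 mask 255.255.255.224
!
! 2. Group-policy tied to that pool; clientless webvpn only, matching the
!    "ssl vpn portal" described above.
group-policy BONDED_GP internal
group-policy BONDED_GP attributes
 vpn-tunnel-protocol webvpn
 address-pools value VPNPOOL_BONDED
!
! 3. Tunnel-group the subset of users selects at the portal. The alias is
!    what they pick from the group drop-down.
tunnel-group BONDED_TG type remote-access
tunnel-group BONDED_TG general-attributes
 default-group-policy BONDED_GP
tunnel-group BONDED_TG webvpn-attributes
 group-alias bonded enable
!
! 4. Listen for SSL VPN on the new interface. Note the posted config still has
!    "shutdown" under GigabitEthernet0/2; the interface must be brought up
!    before anything can reach the portal there.
webvpn
 enable Outside_Bonded
 tunnel-group-list enable
!
! 5. Only needed if Inside hosts ever initiate sessions out through the bonded
!    link: with nat-control on, such traffic is dropped until a global exists
!    for the egress interface.
global (Outside_Bonded) 1 interface
```

One thing the posted config already has and the reply points at: the bonded link's default route carries metric 1 and the existing provider's carries 12, so the bonded link is currently the preferred path for all outbound traffic, not just for the subset of users; whichever link is meant to be primary should hold the lower metric, and the other the higher one as the backup.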
12-29-2009 12:29 PM
Thanks for your advice, I have not actually tested. I just wanted a better understanding first. I will implement the changes and take it from there.