1652 Views, 4 Helpful, 14 Replies

2 Internet Connections

rflanary2 (Level 1)

I want to know if it's possible to do this.

I have the following network setup:

ASA 5520 ---> Cisco 2801 ----> T1

I want to add an additional internet subnet. It will have a different IP range. I don't need to load balance; I just want to route all traffic through the new connection and have it come back through the same pipe, so that it looks like this:

ASA 5520 --> Cisco 2801 --> T1
                        --> New pipe

Thanks

14 Replies

paolo bevilacqua (Hall of Fame)

Hi,

You use Policy Based Routing for this. Route based on source address to the new pipe. Look in the configuration guide (any version) and come back if you have any questions.

Hope this helps; please rate positively if it does!

How would this work with NAT on the ASA? I guess I don't understand PBR and NAT.

NAT on the ASA is fine, alternatively the router could do NAT, that is often necessary when load-balancing.

PBR will set next-hop or interface based on source address or any other criteria, and there are no interdependencies.

As an appreciation to those providing answers, please rate useful posts with the scrollbox below!

Will PBR work even with different subnets? Such as routing 168.44.x.x over a 24.26.x.x network?

I guess I am confused: how does it find its way back correctly?

Yes, it works with subnets as desired.

Once the packet is sent out with the correct source address on the correct interface, it will come back also correctly.

Please remember to rate useful posts.

OK, I got the second internet connection installed. I am not using NAT but am still having a problem using a route-map to route traffic from my firewall through our edge router. Here is my router config.

I can ping out the interface but cannot use the web.

ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name brazos.org
!
username admin privilege 15 password xxx
!
interface Null0
 no ip unreachables
!
! Inside interface, facing the ASA's outside address block
interface FastEthernet0/0
 description LAN$ETH-LAN$$FW_INSIDE$
 ip address 168.44.102.x 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip route-cache flow
 no ip mroute-cache
 speed auto
 full-duplex
 no mop enabled
!
! Second ISP (cable), the "new pipe"
interface FastEthernet0/1
 description Timewarner Business Class
 mac-address 0015.c5ce.fdf6
 ip address 97.77.30.x 255.255.255.252
 ip nbar protocol-discovery
 no ip mroute-cache
 speed auto
 full-duplex
 no mop enabled
!
! Primary T1 (frame relay)
interface Serial0/1/0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 encapsulation frame-relay
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay traffic-shaping
 frame-relay lmi-type cisco
!
interface Serial0/1/0.1 point-to-point
 description Internet Connection DIR$FW_OUTSIDE$
 bandwidth 1536
 ip address 168.39.7.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 no ip route-cache
 frame-relay class cisco
 frame-relay interface-dlci 17 IETF
!
interface Serial0/2/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay traffic-shaping
 frame-relay lmi-type cisco
!
interface Serial0/2/0.1 point-to-point
 bandwidth 1536
 ip address 168.39.7.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 no ip route-cache
 no ip mroute-cache
 shutdown
 no cdp enable
 frame-relay class cisco
 frame-relay interface-dlci 16
!
! Single default route via the T1
ip route 0.0.0.0 0.0.0.0 168.39.7.x
ip flow-export source FastEthernet0/1
ip flow-export version 9
ip flow-export destination 168.44.102.x 9996
!
ip http server
ip http access-class 91
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
map-class frame-relay cisco
 frame-relay cir 1536000
 frame-relay bc 15360
 frame-relay mincir 1536000
! management hosts allowed to reach http/vty
access-list 91 permit 168.44.102.x
access-list 91 permit 168.44.102.x
access-list 91 permit 168.44.102.x
access-list 102 permit tcp any any eq 4500
access-list 102 permit udp any any eq non500-isakmp
! web/ftp/ssh match list referenced by route-map TWC
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq 22
snmp-server community BRASNMP RO
snmp-server ifindex persist
snmp-server host 168.44.102.x community
no cdp run
! route-map is defined but not applied to any interface with "ip policy route-map"
route-map TWC permit 20
 match ip address 105
 set ip default next-hop 97.77.30.17
!
control-plane
!
banner login ^C*****************************************************************
ATTENTION! PROPERTY OF BRAZOS RIVER AUTHORITY. AUTHORIZED USE ONLY!
*******************************************************************
^C
banner motd ^C^C
!
! remote management is telnet only (no "transport input ssh"), limited by access-list 91
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 91 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 91 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17208771
ntp server 139.78.133.139
end

Hi, to use a second connection, when the router is not doing NAT, you must configure the ASA to use the new address. After that, no PBR is necessary.

So I need to install this connection on my ASA? How can I route just HTTP on the ASA?

Robert

I do not believe that you can route just http on the ASA. I have implemented something very similar to what you are doing here. What I did was to have the firewall forward and translate all outbound traffic as if it were all going to use the normal path to the Internet. Then on the outside router I configured Policy Based Routing to identify web traffic initiated from inside and I policy base routed it to go out a cable modem attached to a FastEthernet interface. I had the router translate the traffic going out the cable modem (so effectively it is double translated) which assures that responses will come back on the same path through the cable modem.

In their case I also configured a floating static default route pointing out the cable modem. This allows them to use the cable modem for all traffic in case the primary default route goes down.

I notice that you have a route map configured as if you were going to policy route. But it is not assigned to any interface, so it is not doing anything. It should be assigned to the interface where the traffic enters the router from the firewall.

If you assign the route map to the interface for PBR and if you configure address translation for traffic going out the interface then I believe that it should work. Give it a try and let us know.

HTH

Rick


I ended up getting it to work the way you said. Double translated for ports 80, 443, 20, 21. It works.

However, it is really slow and I never get the speeds that I am provisioned.

However, if I bypass the firewall and stick a workstation on the external switch it works just fine and I get close to 14 Mb.

Any ideas as to what would cause it to be slow?

Any special TCP or MTU stuff?

Robert

I am glad that you found the same solution that I did. The double translation seems to work well for my customer. They do not seem to experience the poor response time that you are. I am not sure that it would be an MTU/fragmentation issue. But that may be possible. I would suggest that you configure the command:

ip tcp adjust-mss

(perhaps on the interface toward your alternate output interface - or perhaps on the interface toward the firewall).

I would suggest starting with a very conservative value like 1300. If it makes an improvement then you can experiment with increasing the value until you find a value where the performance impact appears again and then back off a bit.

HTH

Rick

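Putting together the recipe from the replies above (PBR applied on the interface where traffic enters from the firewall, translation out the cable interface so replies come back the same way, a floating default route, and the MSS clamp from the last reply) as an added example. This is not the original poster's running config and not something posted by anyone in the thread. It reuses the interface names, the ports from access-list 105 and the 97.77.30.17 next hop that appear in the posted config; the 168.44.102.0/28 source block, the ACL and route-map names, the MSS value and the administrative distance 250 are assumptions for illustration.

```cisco
! Added example, not the OP's config. Assumed: the ASA's outside block is
! 168.44.102.0/28 (the posted /28 on FastEthernet0/0), and the cable
! gateway is 97.77.30.17 as in the posted route-map.
!
! 1. Match only web/ftp/ssh sessions coming from the firewall's address
!    block. Matching "any any" (as ACL 105 does) would also policy-route
!    the router's own replies and anything else transiting the interface.
ip access-list extended PBR-TO-TWC
 permit tcp 168.44.102.0 0.0.0.15 any eq www
 permit tcp 168.44.102.0 0.0.0.15 any eq 443
 permit tcp 168.44.102.0 0.0.0.15 any eq ftp
 permit tcp 168.44.102.0 0.0.0.15 any eq 22
!
! 2. Policy: matches go to the cable gateway, everything else falls through
!    to the routing table (the T1 default). "set ip next-hop" applies
!    unconditionally; the posted "set ip default next-hop" only applies when
!    no route more specific than the default exists, which also works for
!    Internet destinations but is the weaker choice here.
route-map TWC permit 10
 match ip address PBR-TO-TWC
 set ip next-hop 97.77.30.17
!
! 3. Apply the policy where traffic ENTERS from the ASA. PBR is ingress
!    only; a route-map that is not bound to an interface does nothing.
!    The MSS clamp rewrites the MSS option in TCP SYNs crossing this
!    interface in both directions (1300 is a conservative starting value).
interface FastEthernet0/0
 ip policy route-map TWC
 ip nat inside
 ip tcp adjust-mss 1300
!
! 4. Translate what leaves the cable interface to its own address. The ASA
!    already PATs inside hosts to 168.44.102.x; the router PATs them again
!    to 97.77.30.x ("double translation"), so the cable ISP sees its own
!    address and the replies return on this link.
interface FastEthernet0/1
 ip nat outside
!
ip access-list extended NAT-TWC
 permit ip 168.44.102.0 0.0.0.15 any
!
! "match interface" restricts the translation to packets actually routed
! out FastEthernet0/1, so traffic taking the T1 is left untouched.
route-map NAT-TWC-MAP permit 10
 match ip address NAT-TWC
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-TWC-MAP interface FastEthernet0/1 overload
!
! 5. Existing T1 default stays; the cable default is a floating static
!    (distance 250) that is only installed if the T1 route disappears.
ip route 0.0.0.0 0.0.0.0 168.39.7.x
ip route 0.0.0.0 0.0.0.0 97.77.30.17 250
```

To verify, open a web page from inside and watch `show route-map TWC` (the "policy routing matches" counter must climb), `show ip nat translations` (entries whose inside-global address is 97.77.30.x) and `show ip policy` (FastEthernet0/0 listed with route-map TWC). For the slowness reported above, before tuning the MSS check `show interfaces FastEthernet0/1` on both ends of the cable link: the posted config forces `full-duplex` while leaving `speed auto`, so confirm the negotiated speed and duplex agree with the modem and that the late-collision and CRC counters are zero, since a duplex mismatch produces exactly the "works but slow" symptom.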

Hi Rick,

I hope you can help me with this question, as you have posted something similar and have a good understanding of the subject matter, unlike me :).

I have a provider router connecting to my ASA; this also connects to the Internet and provides access for remote users to dial in. The provider router allows us to configure a 'LAN' IP address which corresponds to our internal addressing scheme and a WAN/public IP address. The NAT is configured on the provider router. The outside interface on the ASA is configured with a private IP address in the same subnet as the provider LAN IP address.

This works and is sufficient for the majority of our users; however, we have a subset of users with additional requirements for which a new DSL line has been installed, and I would like these users (and only these users) to dial in via the new interface.

I have configured the interface as Outside_Bonded and created an SSL VPN portal to distribute to these users pointing to the new Internet router (please see attached config). The new router can do no NAT, so I have had to give the new interface a public IP address and added a static route pointing to the new router.

The config has been edited for brevity, but please let me know if you need the full config.

What else do I need to do?

Do I need to create a new VPN pool? Do I need to have an additional global command? Are any NAT statements required? Please advise and be as specific as you possibly can.

Please note both of these Internet connections are used for remote access to internal servers only. The internal users use a separate connection for Internet access.

See the config below and please let me know if you have any questions or require further clarification.

Apologies for jumping on this post; I posted the question on the forum last week and have had no responses, and I am absolutely desperate now.

Cheers,

Martha.

ASA Version 8.0(4)
!
hostname KPASA1
domain-name hwph.nhs.uk
! both hashes below are the ASA factory defaults (empty enable password,
! login password "cisco")
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.17.126.113 PW
name 10.17.124.11 TS1 description Terminal Services
name 10.17.124.45 TripleA
name 10.17.124.198 srv-aaa-001
name 10.17.106.108 KP9001
dns-guard
!
! existing provider link; outside address is private, provider router NATs
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.50.230 255.255.255.248
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.17.127.197 255.255.255.224
 ospf cost 10
!
! new DSL link; public address, no NAT on the DSL router; still shut down
interface GigabitEthernet0/2
 description Outside Interface for Bonded DSL
 shutdown
 nameif Outside_Bonded
 security-level 0
 ip address X.X.X.X 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.51.37 255.255.255.0
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
pager lines 24
logging enable
logging list All_events level informational
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm debugging
logging host management 10.17.124.67
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu Outside_Bonded 1500
ip local pool VPNPOOL 10.17.127.129-10.17.127.158 mask 255.255.255.224
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
global (Inside) 1 10.17.127.199 netmask 255.255.255.224
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 TS1 255.255.255.255
nat (Inside) 1 PW 255.255.255.255
nat (Inside) 1 10.17.127.192 255.255.255.224
! two default routes on different interfaces: only the lower metric (1) is
! installed; the metric-12 route via Outside is a floating backup
route Outside_Bonded 0.0.0.0 0.0.0.0 X.X.X.X (New Internet router) 1
route Outside 0.0.0.0 0.0.0.0 192.168.50.225 (Existing provider LAN interface) 12
route Inside 10.17.96.0 255.255.224.0 10.17.127.220 1
route Inside 10.17.98.9 255.255.255.255 10.17.127.220 1
route Inside 0.0.0.0 0.0.0.0 10.17.127.220 (EDGE DEVICE) tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server srv-aaa-001 protocol sdi
aaa-server srv-aaa-001 (Inside) host srv-aaa-001
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.17.0.0 255.255.0.0 Outside
http 10.17.0.0 255.255.0.0 Inside
http 192.168.51.0 255.255.255.0 management
http 10.17.96.0 255.255.240.0 management
http 10.17.127.0 255.255.255.0 Inside
! SNMP v2c community strings are sent and stored in clear text
snmp-server host management 10.17.124.67 poll community hwp98secret
snmp-server location Main Frame Room
no snmp-server contact
snmp-server community SECRET
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 10.17.0.0 255.255.0.0 Inside
telnet 192.168.51.0 255.255.255.0 management
telnet 10.17.0.0 255.255.0.0 management
telnet timeout 5
ssh 10.17.96.0 255.255.240.0 Inside
ssh 192.168.51.0 255.255.255.0 management
ssh timeout 5
console timeout 10
management-access managem

The question: have you tested this solution and run into a problem, or do you want to check before testing it?

I can see you have two default routes; the one that points to the new router has the lower metric and so will be the preferred path for any traffic from inside to outside (Internet).

For VPN you could create a new group and address pool if required (this way it will be easy to control two different groups with different policies).

Not sure if you require NAT on the new link to the new router (if you have sessions from inside to outside using that link you will need to configure a global NAT for that link).

Good luck.

If helpful, rate.
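The three items the reply above lists, written out in ASA 8.0 syntax as an added example. This is not Martha's config and not a configuration anyone in the thread reports having tested. It adds a second address pool, a group-policy and tunnel-group of its own for the bonded-DSL users, enables the existing SSL VPN on Outside_Bonded, and a global for the new interface. The pool range 10.17.127.160/27, the group and alias names and the NAT-exemption ACL line are assumptions, chosen so they do not overlap VPNPOOL (10.17.127.128/27) or the Inside subnet (10.17.127.192/27); the aaa-server name srv-aaa-001 and the Inside_nat0_outbound ACL are taken from the posted config.

```cisco
! Added example for ASA 8.0(4), not the poster's config. Assumed names:
! VPNPOOL_BONDED, GP_BONDED, TG_BONDED, alias "bonded".
!
! 1. Second pool for the bonded-DSL users (10.17.127.160/27, assumed free).
ip local pool VPNPOOL_BONDED 10.17.127.161-10.17.127.190 mask 255.255.255.224
!
! 2. Exempt server-to-client traffic for the new pool from NAT, the same
!    way the existing pool must already be exempted in Inside_nat0_outbound
!    (nat (Inside) 0 access-list Inside_nat0_outbound is already present).
access-list Inside_nat0_outbound extended permit ip 10.17.96.0 255.255.224.0 10.17.127.160 255.255.255.224
!
! 3. Only needed if sessions from Inside are to leave via the DSL link.
!    With nat-control on, inside hosts cannot use Outside_Bonded at all
!    without a global for it; remote-access sessions terminating on the
!    ASA do not need it.
global (Outside_Bonded) 1 interface
!
! 4. Separate policy and tunnel-group so the two user sets get different
!    pools and can later get different rules. Authentication reuses the
!    SDI server already defined.
group-policy GP_BONDED internal
group-policy GP_BONDED attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value VPNPOOL_BONDED
!
tunnel-group TG_BONDED type remote-access
tunnel-group TG_BONDED general-attributes
 authentication-server-group srv-aaa-001
 default-group-policy GP_BONDED
tunnel-group TG_BONDED webvpn-attributes
 group-alias bonded enable
!
! 5. Make the existing SSL VPN portal listen on the new interface too.
webvpn
 enable Outside_Bonded
!
! 6. The interface is still administratively down in the posted config.
interface GigabitEthernet0/2
 no shutdown
```

Bring GigabitEthernet0/2 up last. Because only one of the two default routes is active at a time (the metric-1 route via Outside_Bonded once that interface is up), test with one client on each circuit: check `show vpn-sessiondb svc` for both sessions and run a `capture` on each outside interface to confirm the ASA's replies leave on the interface the session arrived on. If replies for the existing-provider users start leaving via Outside_Bonded, those users will break the moment the DSL interface comes up, and the design needs revisiting before it goes into production.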

Thanks for your advice, I have not actually tested. I just wanted a better understanding first. I will implement the changes and take it from there.
