Route Map Problem

Unanswered Question
Oct 30th, 2008

Hi,

We have two ISP links terminated on the WAN ports of two routers (1841 series). The Ethernet interfaces of both routers and the outside interface of the ASA are in a single subnet (a.b.c.0/24). Since the two ISPs have given us totally separate pools of IP addresses, we need to route the corresponding IP packets to the corresponding ISP routers. Policy-based IP routing (in this case source-based, for packets going from the ASA to the outside world) is not supported on the ASA, and we are required to use a route map.

The ASA has a default route to the ISP-1 router Ethernet. But when a packet has a source IP address from the ISP-2 pool, it should be sent to the ISP-2 router.

I did the following configuration

On the ISP-1 router:

access-list 101 permit ip host P.Q.R.S (IP address from the ISP-2 pool)

route-map ISP2
 match ip address 101
 set ip next-hop ISP-2_router_Eth_ADDRESS

conf t
int fast0/0 (ISP-1 router interface)
 ip policy route-map ISP2


With this, packets with source IP P.Q.R.S will be sent to the ISP-2 router Ethernet port, and the remaining packets will be routed by default to the WAN link, that is, the ISP-1 WAN link.

But somehow this doesn't seem to work. I checked the access-list hit count and there are no hits.

What is going wrong?

Please share your experience with route maps or with terminating two ISPs on a single ASA. Inputs are appreciated.

Thanks in advance

Subodh

Richard Burts Thu, 10/30/2008 - 07:30

Subodh


In your post you give access list 101 as:

access-list 101 permit ip host P.Q.R.S (IP address from the ISP-2 pool)


but an extended access list should have a source address and a destination address. You have given only a single address. This may be the source of your problem.


Also it is not clear to me from your post whether the int fast0/0 is the interface which faces the firewall or whether it faces the ISP. The route map needs to be applied on the interface which faces the firewall.


[edit] Also I notice that you describe it as a pool for ISP 2 but your access list is specifying only a single address. Perhaps this is also part of the problem.


HTH


Rick

bapatsubodh Thu, 10/30/2008 - 07:52

Hi,

Ya,

Access list 101 ends with any.

That means permit with source P.Q.R.S to any IP address on the Internet.

Secondly, we are using only one IP address from the ISP-2 pool, that is P.Q.R.S, hence I have used only one IP address as the source IP.

And also fast 0/0 is the router's ASA-facing interface.

ISP-2-LAN and ISP-1-LAN and ASA-Outside interface are in the same subnet and can ping to each other. I have added this policy routing on the ISP-1 router fast0/0.

Is there any way to test if this route map is being hit by packets?

I did :

debug ip packet 101. I was expecting fireworks on the console but I didn't see anything. I am missing out something somewhere.

Just not able to debug!!
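A complete form of the policy-routing setup discussed in this thread, added here as an example (it is not the poster's configuration or a Cisco-supplied one); all addresses and names are placeholders from documentation ranges, with 203.0.113.0/24 standing in for the shared a.b.c.0/24 LAN and 198.51.100.50 for the ISP-2 pool address P.Q.R.S.

```ios
! Added example for the ISP-1 router (1841). Not the poster's config;
! every address and interface name below is a placeholder.
!
! Extended ACL: an extended access list needs both a source and a
! destination. Source = the single ISP-2 pool address the ASA uses,
! destination = any.
access-list 101 remark PBR: traffic sourced from the ISP-2 pool address
access-list 101 permit ip host 198.51.100.50 any
!
! Route map: packets matching ACL 101 are handed to the ISP-2 router's
! Ethernet address on the shared LAN instead of following the default route.
route-map ISP2 permit 10
 description Send ISP-2 pool traffic to the ISP-2 router
 match ip address 101
 set ip next-hop 203.0.113.2
!
! Apply the policy on the interface that RECEIVES traffic from the ASA
! (the firewall-facing LAN port), not on the ISP-facing WAN interface.
interface FastEthernet0/0
 description LAN shared with ASA outside and ISP-2 router
 ip address 203.0.113.1 255.255.255.0
 ip policy route-map ISP2
!
! Verification (exec mode):
!   show route-map ISP2    -> "Policy routing matches: N packets" counter
!   show access-lists 101  -> ACL hit counts (may not increment for
!                             route-map matches on CEF-switched traffic)
!
! Note: "debug ip packet" only reports process-switched packets, so
! traffic forwarded by CEF or fast switching never appears in it. Empty
! debug output therefore does not prove that the route map is not matching;
! the route-map match counter above is the more reliable check.
```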
