Routing traffic to multiple gateways

Answered Question
Feb 26th, 2009
User Badges:

Looking for configuration suggestions for this setup. Say you have one ASA 5520 that is your company uses as it's default gateway for internal clients. Say you get a second test ASA 5505 to test certain features, etc... You want to use the second "test" ASA as the default gateway (to the internet) for a single particular vlan inside your network although this vlan still needs to be able to access internal resources. The only difference will be that it uses the "test ASA" as its default-gateway. Could this ben done with an access list, and route-map by specifying the internal (in side) address of the test ASA as the set next-hop? We already have the basic ip connectivity from the vlan to the "test ASAs" internal interface. We just need some direction on the routing portion. The internal vlan subnet you use for the ACL would direct external traffic to the test ASA? Does this sound right?


Thanks,

Brandon

Correct Answer by Richard Burts about 8 years 3 weeks ago

Brandon


Yes you put the ip policy route-map command on the VLAN interface where the traffic enters the router that you want to send to the test ASA. And it would be logical for it to use a standard access list in the match statement to identify the traffic coming from the PCs in that VLAN.


That link looks like a pretty good one. I am glad that you found it.


HTH


Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Richard Burts Thu, 02/26/2009 - 19:29
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Brandon


The access list and route map that you mention are what constitutes Policy Based Routing. And I believe that PBR is a good solution for what you describe.


In the route map you probably do not want to do set next hop, since that would send all traffic to the ASA. You want to do set default next-hop which only changes traffic when it is being routed to the default gateway.


HTH


Rick

mbroberson1 Fri, 02/27/2009 - 03:43
User Badges:

Hi Rick,


I am glad you mention what you did about using the "default next-hop" instead of the "set next hop". I am assuming I would apply the policy for the route-map under the vlan interface of the vlan I want to use "test asa" as the default-gateway, the route-map would in addition to the "set default next-hop" would reference a simple standard ACL for the subnet of the vlan...does this sound accurate?


This is the link I had been reviewing, very helpful BTW.


http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml


I really appreciate your response. Maybe finally after reading Jeff Doyles books (several times) things are starting to sink in.;-)


Thanks,

Brandon

Correct Answer
Richard Burts Fri, 02/27/2009 - 04:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Brandon


Yes you put the ip policy route-map command on the VLAN interface where the traffic enters the router that you want to send to the test ASA. And it would be logical for it to use a standard access list in the match statement to identify the traffic coming from the PCs in that VLAN.


That link looks like a pretty good one. I am glad that you found it.


HTH


Rick

mbroberson1 Fri, 02/27/2009 - 05:14
User Badges:

Rick,


AS always, thanks again! I'll test this out today and let you know how it goes, then post this as a resolution.


Thanks,


Brandon

Richard Burts Fri, 02/27/2009 - 08:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Brandon


It looks good to me.


HTH


Rick

mbroberson1 Fri, 02/27/2009 - 08:50
User Badges:

Hi Rick,


The solution worked perfect as designed. I noted the resolution.


Thanks!


Brandon

Actions

This Discussion