Routing traffic to multiple gateways

Answered Question
Feb 26th, 2009

Looking for configuration suggestions for this setup. Say you have one ASA 5520 that is your company uses as it's default gateway for internal clients. Say you get a second test ASA 5505 to test certain features, etc... You want to use the second "test" ASA as the default gateway (to the internet) for a single particular vlan inside your network although this vlan still needs to be able to access internal resources. The only difference will be that it uses the "test ASA" as its default-gateway. Could this ben done with an access list, and route-map by specifying the internal (in side) address of the test ASA as the set next-hop? We already have the basic ip connectivity from the vlan to the "test ASAs" internal interface. We just need some direction on the routing portion. The internal vlan subnet you use for the ACL would direct external traffic to the test ASA? Does this sound right?

Thanks,

Brandon

I have this problem too.
0 votes
Correct Answer by Richard Burts about 7 years 9 months ago

Brandon

Yes you put the ip policy route-map command on the VLAN interface where the traffic enters the router that you want to send to the test ASA. And it would be logical for it to use a standard access list in the match statement to identify the traffic coming from the PCs in that VLAN.

That link looks like a pretty good one. I am glad that you found it.

HTH

Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Richard Burts Thu, 02/26/2009 - 19:29

Brandon

The access list and route map that you mention are what constitutes Policy Based Routing. And I believe that PBR is a good solution for what you describe.

In the route map you probably do not want to do set next hop, since that would send all traffic to the ASA. You want to do set default next-hop which only changes traffic when it is being routed to the default gateway.

HTH

Rick

mbroberson1 Fri, 02/27/2009 - 03:43

Hi Rick,

I am glad you mention what you did about using the "default next-hop" instead of the "set next hop". I am assuming I would apply the policy for the route-map under the vlan interface of the vlan I want to use "test asa" as the default-gateway, the route-map would in addition to the "set default next-hop" would reference a simple standard ACL for the subnet of the vlan...does this sound accurate?

This is the link I had been reviewing, very helpful BTW.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

I really appreciate your response. Maybe finally after reading Jeff Doyles books (several times) things are starting to sink in.;-)

Thanks,

Brandon

Correct Answer
Richard Burts Fri, 02/27/2009 - 04:26

Brandon

Yes you put the ip policy route-map command on the VLAN interface where the traffic enters the router that you want to send to the test ASA. And it would be logical for it to use a standard access list in the match statement to identify the traffic coming from the PCs in that VLAN.

That link looks like a pretty good one. I am glad that you found it.

HTH

Rick

mbroberson1 Fri, 02/27/2009 - 05:14

Rick,

AS always, thanks again! I'll test this out today and let you know how it goes, then post this as a resolution.

Thanks,

Brandon

mbroberson1 Fri, 02/27/2009 - 08:50

Hi Rick,

The solution worked perfect as designed. I noted the resolution.

Thanks!

Brandon

Actions

This Discussion