Policy routing and failover using single ISR/ASA

Answered Question
Dec 11th, 2009


Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and using PAT all outgoing traffic is translated to the interface IP address 1.1.1.2.

What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if need be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.

My current thinking is:

Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.

  • Install a new WIC into the 1841 and configure the IP address accordingly, in this example 2.2.2.1.
  • Leave the existing default route pointing to S0/0/0.
  • Create a second Global Pool on the ASA which would PAT traffic from selected internal networks to a separate IP address other than the interface address, say 1.1.1.3, i.e. traffic from VLAN 200 (192.168.255.0/24).
  • Configure policy-based routing on the 1841 to match all traffic from 1.1.1.3 and send it via S0/1/0, leaving the default route to take care of all other traffic.
  • Hopefully ending up with it looking like the diagram "Proposed.png".

Can anyone see a reason why this wouldn’t work?

Regards

Mark Rigby

Correct Answer
Jon Marshall Fri, 12/11/2009 - 07:29

Mark

No, can't see any reason why that wouldn't work. However if the 1.1.1.3 address is assigned to your original ISP (ISP1) then return traffic will come back in on the s0/0/0 interface. So it will go out on s0/1/0 but come in on the other link.

If you want return traffic to come back down the same link you will have to PAT to one of the new provider addresses, which may mean NATing the traffic either

1) solely on the router for ISP2

OR

2) double NATing on the ASA and the router

Jon
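
One way to lay out Mark's plan with Jon's option 1 (NAT for ISP2 done solely on the 1841), as an added example that is not from the thread or from either poster. It assumes pre-8.3 ASA NAT syntax (the thread is from 2009), that the ASA outside and the router's Fa0/0 share 1.1.1.0/29, a /30 on the ISP2 link with 2.2.2.2 as the provider's end, and made-up interface, ACL and route-map names (vlan200, 110, TO-ISP2).

```cisco
! ---- ASA (pre-8.3 NAT syntax) ----
! Existing pool: every inside network PATs to the outside interface, 1.1.1.2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Added pool: VLAN 200 only PATs to 1.1.1.3 (the ASA proxy-ARPs for pool
! addresses on outside, so the router can reach 1.1.1.3 as a normal host)
global (outside) 2 1.1.1.3
nat (vlan200) 2 192.168.255.0 255.255.255.0

! ---- 1841 ----
! Interface facing the ASA outside; PBR is applied on the ingress interface
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
 ip nat inside
 ip policy route-map TO-ISP2
!
! New WIC toward ISP2 (mask assumed); NAT happens on the way out here only,
! so traffic that still follows the default route via S0/0/0 is untouched
interface Serial0/1/0
 description ISP2
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
!
! Default route stays on ISP1, as in the original plan
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
! Only packets the ASA already sourced from 1.1.1.3 (VLAN 200) are steered
access-list 110 permit ip host 1.1.1.3 any
route-map TO-ISP2 permit 10
 match ip address 110
 set ip next-hop 2.2.2.2
!
! Jon's point: 1.1.1.3 belongs to ISP1, so replies to it would arrive on
! S0/0/0. Translating it to the ISP2 address makes replies return on S0/1/0.
ip nat inside source list 110 interface Serial0/1/0 overload
!
! Checks: "show route-map TO-ISP2" shows policy matches increasing,
! "show ip nat translations" shows 1.1.1.3 mapped to 2.2.2.1
```

When the IP SLA tracking is added later, "set ip next-hop verify-availability" on the route-map lets PBR fall back to the default route if 2.2.2.2 stops responding.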

Mark Rigby Fri, 12/11/2009 - 08:53

Ah of course, thank you Jon. The traffic would most likely be general purpose HTTP, so I don't have a problem NATing it twice.


Regards

Mark Rigby
