Policy routing and failover using single ISR/ASA

Mark Rigby
Level 1

Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and, using PAT, all outgoing traffic is translated to the interface IP address 1.1.1.2.

What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if need be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.

My current thinking is:

Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.

  • Install a new WIC into the 1841 and configure the IP address accordingly, in this example 2.2.2.1.
  • Leave the existing default route pointing to S0/0/0.
  • Create a second Global Pool on the ASA which would PAT traffic from selected internal networks to a separate IP address other than the interface address, say 1.1.1.3, i.e. traffic from VLAN 200 (192.168.255.0/24).
  • Configure policy-based routing on the 1841 to match all traffic from 1.1.1.3 and send it via s0/1/0, leaving the default route to take care of all other traffic.
  • Hopefully ending up with it looking like the diagram "Proposed.png".

Can anyone see a reason why this wouldn't work?

Regards

Mark Rigby

1 Accepted Solution


Jon Marshall
Hall of Fame

markgrigby wrote:

Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and, using PAT, all outgoing traffic is translated to the interface IP address 1.1.1.2.

What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if need be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.

My current thinking is:

Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.

  • Install a new WIC into the 1841 and configure the IP address accordingly, in this example 2.2.2.1.
  • Leave the existing default route pointing to S0/0/0.
  • Create a second Global Pool on the ASA which would PAT traffic from selected internal networks to a separate IP address other than the interface address, say 1.1.1.3, i.e. traffic from VLAN 200 (192.168.255.0/24).
  • Configure policy-based routing on the 1841 to match all traffic from 1.1.1.3 and send it via s0/1/0, leaving the default route to take care of all other traffic.
  • Hopefully ending up with it looking like the diagram "Proposed.png".

Can anyone see a reason why this wouldn't work?

Regards

Mark Rigby

Mark

No, can't see any reason why that wouldn't work. However, if the 1.1.1.3 address is assigned to your original ISP (ISP1) then return traffic will come back in on the s0/0/0 interface. So it will go out on s0/1/0 but come in on the other link.

If you want return traffic to come back down the same link you will have to PAT to one of the new provider's addresses, which may mean NATting the traffic either

1) solely on the router for ISP2

OR

2) double NATting on the ASA and the router

Jon
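As an added example (not configuration posted in this thread), here is what the plan in the original post plus Jon's option 2 (PAT on the ASA, then a second PAT on the router) looks like in configuration. It assumes the pre-8.3 ASA nat/global syntax, an ASA interface named vlan200 carrying 192.168.255.0/24, FastEthernet0/0 as the 1841's ASA-facing interface, and a /30 on the ISP2 serial link; those names and the mask are assumptions, while 1.1.1.2, 1.1.1.3, 2.2.2.1 and the interface slots come from the thread.

```cisco
! ---- ASA (pre-8.3 nat/global syntax, assumed) ----
! Existing pool 1 stays as it is: everything else PATs to the outside
! interface address 1.1.1.2. Only the additions are shown.
global (outside) 1 interface
! New pool 2: VLAN 200 PATs to 1.1.1.3 (interface name vlan200 assumed).
! The ASA proxy-ARPs for 1.1.1.3 on the outside segment, so the router
! can route replies for it without any extra static entry.
global (outside) 2 1.1.1.3
nat (vlan200) 2 192.168.255.0 255.255.255.0

! ---- 1841 ----
! Traffic the ASA has already translated to 1.1.1.3
ip access-list extended ISP2-SOURCES
 permit ip host 1.1.1.3 any
!
! PBR: steer matching traffic out of the ISP2 link; the default route
! still handles everything else. If Serial0/1/0 is down, "set interface"
! is ignored and the packet falls back to the routing table, i.e. ISP1,
! which gives the crude backup behaviour before IP SLA tracking is added.
route-map PBR-ISP2 permit 10
 match ip address ISP2-SOURCES
 set interface Serial0/1/0
!
! Second PAT (Jon's option 2): only when the packet actually leaves via
! Serial0/1/0, rewrite 1.1.1.3 to 2.2.2.1 so ISP2 sees its own address
! and the reply comes back on s0/1/0 instead of s0/0/0.
route-map NAT-ISP2 permit 10
 match ip address ISP2-SOURCES
 match interface Serial0/1/0
!
ip nat inside source route-map NAT-ISP2 interface Serial0/1/0 overload
!
interface FastEthernet0/0
 description to ASA outside (1.1.1.x segment)
 ip policy route-map PBR-ISP2
 ip nat inside
!
interface Serial0/1/0
 description ISP2 leased line
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
!
! Serial0/0/0 (ISP1) is left untouched: with no "ip nat outside" on it,
! traffic the ASA PATed to 1.1.1.2 is routed to ISP1 untranslated.
```

PBR runs on the inbound interface before the routing decision and inside-to-outside NAT runs after it, so the route-map matches the ASA's 1.1.1.3 address and the router's PAT to 2.2.2.1 only happens on the ISP2 path. To check it, `show route-map PBR-ISP2` shows the policy match count climbing for VLAN 200 traffic, and `show ip nat translations` should list 1.1.1.3 as the inside local address with 2.2.2.1 as the inside global address while nothing sourced from 1.1.1.2 appears there.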


2 Replies


Ah of course, thank you Jon, the traffic would most likely be general-purpose HTTP so I don't have a problem NATting it twice.


Regards

Mark Rigby
