2 ISPs, One router, 2 ASA

Unanswered Question
Jan 29th, 2010

Hello,


I will soon have a second ISP terminating into my 7201 router, which I will need to route to a second ASA. I do not want to do any load balancing; the connections are totally separate. I would just like someone to please verify my thoughts on how my route statements will look:


ISP1 --> ASA1
ISP2 --> ASA2

int gig0/0
 des Uplink to ISP1
 ip add 10.10.10.2 255.255.255.252

int gig0/1
 des Uplink to ISP2
 ip add 10.10.20.2 255.255.255.252

int gig0/2
 des Uplink to ASA1
 ip add 192.168.1.2 255.255.255.192

int gig0/3
 des Uplink to ASA2
 ip add 192.168.2.2 255.255.255.192

ip route 192.168.1.1 255.255.255.192 10.10.10.1
ip route 192.168.2.1 255.255.255.192 10.10.20.1



Am I correct in my thinking?


Thank you for your time,


Nick

Jon Marshall Fri, 01/29/2010 - 10:20

Nick


Not sure what the routes are meant to be doing, i.e. -

ip route 192.168.1.1 255.255.255.192 10.10.10.1

says to get to the 192.168.1.0 255.255.255.192 network, go to the ISP next-hop of 10.10.10.1 - that can't be right, can it?

Apart from that - are your 2 firewalls in failover mode, or are they just completely separate firewalls?

And on your 7200 router, are you just going to have 2 default routes, one to each ISP next-hop?


Jon

ExceptionalInno... Fri, 01/29/2010 - 10:30

Jon,


Thanks for the reply, sir.


The routes are intended to get traffic from the ISP LAN block (public IP addresses for mail, VPN, etc.) to the ISP WAN side of the router.

The ASAs are completely separate; completely separate networks.

Jon Marshall Fri, 01/29/2010 - 11:12

Sorry Nick, I'm obviously being a bit dense.


I assume it's


ISP1 ----- |                | ------ ASA1
           |----- 7200 ---- |                LAN
ISP2 ----- |                | ------ ASA2


If this is the case, you have used 192.168.1.0/26 and 192.168.2.0/26 to connect the ASAs to the 7200 router.

Those 2 ip route statements, are they on the 7200 router? If so, they won't be used anyway because the 7200 has directly connected interfaces in the 192.168.1.x and 192.168.2.x networks.


Can you clarify ?


Jon

ExceptionalInno... Fri, 01/29/2010 - 11:24

Jon,


No worries at all, it is hard to clarify this in writing, my bad!


What the layout will be is this


ISP1 ----         ----ASA1---> LAN1

          ---7200---

ISP2 ----         ----ASA2---> LAN2


Our current route statement on the router is this: ip route 0.0.0.0 0.0.0.0 X.X.X.X


I believe that once the 2nd ISP is added I will need to statically define the LAN block in each ISP to route out the proper WAN interface.


Does this help?


Nick

Jon Marshall Fri, 01/29/2010 - 11:34

Nick


I understand now, and those static routes won't work. You're going to need to use PBR (Policy Based Routing) for this, i.e.


access-list 101 permit ip 192.168.1.0 0.0.0.63 any
access-list 102 permit ip 192.168.2.0 0.0.0.63 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop 10.10.10.1

route-map PBR permit 20
 match ip address 102
 set ip next-hop 10.10.20.1

int gi0/2
 ip policy route-map PBR

int gi0/3
 ip policy route-map PBR


Add the above config to your 7200 and remove the static routes.


Jon
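
The difference between the router's normal destination-based lookup and the route-map in the reply above, as an added example that is not part of the original thread: a small Python model of the 7200's forwarding decision for packets arriving from the ASAs. The default route pointing at ISP1 (the thread only shows X.X.X.X) and the sample source and destination addresses are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_match(src, base, wildcard):
    """IOS wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(src) & care) == (ip(base) & care)

# ACLs and route-map entries copied from the reply above.
ACLS = {101: ("192.168.1.0", "0.0.0.63"), 102: ("192.168.2.0", "0.0.0.63")}
ROUTE_MAP_PBR = [(10, 101, "10.10.10.1"), (20, 102, "10.10.20.1")]

# Assumption: the existing default route (X.X.X.X in the thread) points at ISP1.
ROUTING_TABLE = [
    ("192.168.1.0/26", "connected gi0/2"),
    ("192.168.2.0/26", "connected gi0/3"),
    ("0.0.0.0/0", "10.10.10.1"),
]

def destination_lookup(dst):
    """Normal forwarding: longest prefix match on the destination only."""
    addr = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTING_TABLE
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def forward(src, dst, policy_on_ingress=True):
    """Return (next_hop, reason) for a packet arriving on gi0/2 or gi0/3."""
    if policy_on_ingress:
        for seq, acl, next_hop in sorted(ROUTE_MAP_PBR):
            if acl_match(src, *ACLS[acl]):
                return next_hop, f"route-map PBR seq {seq}"
    # No route-map entry matched: the packet is forwarded by the routing table.
    return destination_lookup(dst), "routing table"

if __name__ == "__main__":
    dst = "198.51.100.7"  # constructed Internet destination
    # Constructed sources: ASA1 side, ASA2 side, outside the /26, unrelated.
    for src in ("192.168.1.1", "192.168.2.1", "192.168.2.70", "203.0.113.25"):
        print(src, "->", forward(src, dst),
              "| without PBR:", forward(src, dst, policy_on_ingress=False))
```

A source that matches neither ACL, such as the constructed 203.0.113.25, is not policy-routed and follows the default route, so the ACLs have to cover every source address the ASAs actually present to the router.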

ExceptionalInno... Fri, 01/29/2010 - 11:55

Jon,


Ok, this makes sense! I don't deal with a lot of WAN routing on a day to day basis. Your help is much appreciated!


Thanks,


Nick

Jon Marshall Fri, 01/29/2010 - 12:16
Nick


No problem, glad we got there in the end


Jon
