cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
652
Views
5
Helpful
7
Replies

2 ISPs, One router, 2 ASA

Hello,

I will soon have a second ISP terminating into my 7201 router, which I will need to route to a second ASA. I do not want to do any load balancing, the connections are totally seperate. I would just like someone to please verify my thoughs on how my route statements will look:

ISP1 --> ASA1

ISP2 --> ASA2

int gig0/0

des Uplink to ISP1

ip add 10.10.10.2 255.255.255.252

int gig0/1

des Uplink to ISP2

ip add 10.10.20.2 255.255.255.252

int gig0/2

des Uplink to ASA1

ip add 192.168.1.2 255.255.255.192

int gig0/3

des Uplink to ASA2

ip add 192.168.2.2 255.255.255.192

ip route 192.168.1.1 255.255.255.192 10.10.10.1

ip route 192.168.2.1 255.255.255.192 10.10.20.1

Am I correct in my thinking?

Thank you for your time,

Nick

7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

ExceptionalInnovation wrote:

Hello,

I will soon have a second ISP terminating into my 7201 router, which I will need to route to a second ASA. I do not want to do any load balancing, the connections are totally seperate. I would just like someone to please verify my thoughs on how my route statements will look:

ISP1 --> ASA1

ISP2 --> ASA2

int gig0/0

des Uplink to ISP1

ip add 10.10.10.2 255.255.255.252

int gig0/1

des Uplink to ISP2

ip add 10.10.20.2 255.255.255.252

int gig0/2

des Uplink to ASA1

ip add 192.168.1.2 255.255.255.192

int gig0/3

des Uplink to ASA2

ip add 192.168.2.2 255.255.255.192

ip route 192.168.1.1 255.255.255.192 10.10.10.1

ip route 192.168.2.1 255.255.255.192 10.10.20.1

Am I correct in my thinking?

Thank you for your time,

Nick

Nick

Not sure what the routes are meant to be doing ie. -

ip route 192.168.1.1 255.255.255.192 10.10.10.1

says to get 192.168.1.0 255.255.255.192 network go to the ISP next-hop of 10.10.10.1 - that can't be right can it ?

Apart from that - are your 2 firewalls in failover mode are they just completely separate firewalls.

And on your 7200 router are you just going to have 2 default routes one to each ISP next-hop ?

Jon

Jon,

Thanks for the reply, sir.

The routes are intended to get traffic from the ISP LAN block (public IP addresses for mail, VPN, ect) to the ISP WAN side of the router.

The ASAs are completly seperate; completly seperate networks.

ExceptionalInnovation wrote:

Jon,

Thanks for the reply, sir.

The routes are intended to get traffic from the ISP LAN block (public IP addresses for mail, VPN, ect) to the ISP WAN side of the router.

The ASAs are completly seperate; completly seperate networks.

Sorry Nick, i'm obviously being a bit dense

I assume it's

ISP1 ----- |                     | ------ ASA1

              |-----   7200 ---- |                      LAN

ISP2 ----- |                     | ------ ASA2

if this is the case you have used the 192.168.1.0/26 and the 192.168.2.0/26 to connect the ASAs to the 7200 router.

Those 2 ip route statements are they on the 7200 router ?. If so they won't be used anyway because the 7200 has directly connected interfaces in the 192.168.1.x and 192.168.2.x networks.

Can you clarify ?

Jon

Jon,

No worries at all, it is hard to clarify this in writing, my bad!

What the layout will be is this

ISP1 ----         ----ASA1---> LAN1

          ---7200---

ISP2 ----         ----ASA2---> LAN2

Our current route statement on the router is this: ip route 0.0.0.0 0.0.0.0 X.X.X.X

I believe that once the 2nd ISP is added I will need to staticly define the LAN block in each ISP to route out the proper WAN interface.

Does this help?

Nick

ExceptionalInnovation wrote:

Jon,

No worries at all, it is hard to clarify this in writing, my bad!

What the layout will be is this

ISP1 ----         ----ASA1---> LAN1

          ---7200---

ISP2 ----         ----ASA2---> LAN2

Our current route statement on the router is this: ip route 0.0.0.0 0.0.0.0 X.X.X.X

I believe that once the 2nd ISP is added I will need to staticly define the LAN block in each ISP to route out the proper WAN interface.

Does this help?

Nick

Nick

I understand now and those static routes won't work. Your'e going to need to use PBR (Policy Based Routing) for this ie.

access-list 101 permit ip 192.168.1.0 0.0.0.63 any

access-list 102 permit ip 192.168.2.0 0.0.0.63 any

route-map PBR permit 10

match ip address 101

set ip next-hop 10.10.10.1

route-map PBR permit 20

match ip address 102

set ip next-hop 10.10.20.1

int gi0/2

ip policy route-map PBR

int gi0/3

ip policy route-map PBR

Add the above config to your 7200 and remove the static routes.

Jon

Jon,

Ok, this makes sense! I don't deal with alot of WAN routing on a day to day basis. Your help is much appreciated!

Thanks,

Nick

ExceptionalInnovation wrote:

Jon,

Ok, this makes sense! I don't deal with alot of WAN routing on a day to day basis. Your help is much appreciated!

Thanks,

Nick

Nick

No problem, glad we got there in the end

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco