ASA with two default routes

Unanswered Question
Apr 22nd, 2010

Dear friends,

I'm building a lab to provide two Internet connections to my network environment.  Topology and configuration files are attached.  Let me try to explain to you:

  • I have two ISP connections with their respective CIDRs (IP address block);
  • I won't allocate a public AS;
  • My connections must provide traffic inside to outside (users navigating in Internet) and vice-versa (servers in a DMZ).

My routers are both configured with HSRP (two groups).  The A router is primary for one address and the B router is primary for the other one.  I put two default routes on the ASA pointing to the two VIPs.

In my DMZ, I have one FTP server.  The ASA is configured with NAT control enabled.  So, I created a static NAT to permit external users to connect to this server.  Access control has already been configured.

I'm facing a problem.  Even with the ASA having two default routes, it insists on using only one.  My tests showed me that it was using only one of the two VIPs.  Plus, I'll provide VPN access on this same ASA box.

So, I'm asking you to help me find a configuration for this environment so I can provide traffic from and to the Internet as well as VPN.

Best regards,

Mauricio Harley

Federico Coto F... Sat, 04/24/2010 - 18:45

Mauricio,

I see the two default routes on the ASA
route outside 0.0.0.0 0.0.0.0 30.0.0.253 1
route outside 0.0.0.0 0.0.0.0 30.0.0.254 1

Can you PING both next-hops from the ASA?
If you remove the current default route being used by the ASA, does it start using the other one?

Federico.

mauricioharley Sun, 04/25/2010 - 05:29

Hi, Federico,

Answering your questions:

1. Yes, I can ping both VIPs.  HSRP is running correctly.

2. Yes.  If I remove one of the default routes, the ASA starts using the other one.  There is no "current" default route, since it shows me that both are installed in the routing table.

As far as I can tell, the ASA chooses one route for each traffic origin or destination.  Let's suppose that I had another server.  If my current server is using the route through 30.0.0.253, the second one could use the route through 30.0.0.254.  Do you get me?

I'd like to confirm whether this thought is correct or whether there is really something else to configure on the ASA or the routers.

Any other suggestions for topology and configuration are very welcome!

Regards,

Mauricio

Jennifer Halim Sun, 04/25/2010 - 06:08

Multiple default gateways (load balancing) on the ASA are not just based on the first connection going through the first route and the next going to the second route. The ASA has a load balancing algorithm that takes into account both source and destination IP addresses. Therefore, the more traffic goes through and the more combinations of source and destination IP addresses there are, the more you will see load balancing happening across the ASA default gateways.
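To make the per-flow behaviour concrete, here is a small simulation added for this thread; it is not Cisco's code and does not reproduce the ASA's actual hash. It assumes a hash over the (source IP, destination IP) pair reduced to one of the two next-hops (the two HSRP VIPs quoted above) and uses a constructed set of one DMZ server address and 200 outside client addresses. It shows the two points made above: a given source/destination pair always lands on the same next-hop, so a single test flow will only ever show one VIP, and the spread across both VIPs only appears once many distinct pairs exist.

```python
"""Per-flow selection between two equal-cost default routes (illustration).

Added example for this thread, not Cisco code and not the ASA's real
algorithm. Assumption: a SHA-256 digest over (src, dst) reduced modulo the
number of candidate next-hops. The property that matters is that the choice
depends only on the addresses, so one flow never alternates between links.
"""
import hashlib
import ipaddress
from collections import Counter

# The two HSRP VIPs from the route lines quoted in the thread.
NEXT_HOPS = ["30.0.0.253", "30.0.0.254"]


def pick_next_hop(src: str, dst: str, next_hops=NEXT_HOPS) -> str:
    """Deterministically map a (src, dst) pair onto one next-hop."""
    key = f"{ipaddress.ip_address(src)}->{ipaddress.ip_address(dst)}".encode()
    digest = hashlib.sha256(key).digest()
    index = int.from_bytes(digest[:4], "big") % len(next_hops)
    return next_hops[index]


def distribution(pairs):
    """Count how many (src, dst) pairs land on each next-hop."""
    counts = Counter(pick_next_hop(s, d) for s, d in pairs)
    return {hop: counts.get(hop, 0) for hop in NEXT_HOPS}


def single_server_view(server_ip: str, client_ips):
    """Next-hop seen by one DMZ server for each outside client it talks to."""
    return {client: pick_next_hop(server_ip, client) for client in client_ips}


if __name__ == "__main__":
    # Constructed sample data: one DMZ server, 200 outside clients.
    server = "192.0.2.10"
    clients = [str(ipaddress.ip_address("203.0.113.0") + i) for i in range(200)]

    # One server talking to one client: only one VIP is ever used.
    print("single flow:", pick_next_hop(server, clients[0]),
          pick_next_hop(server, clients[0]))

    # Many different pairs: both VIPs appear.
    print("spread over 200 clients:",
          distribution([(server, c) for c in clients]))

    # Re-evaluating the same pairs gives the same answers every time.
    first = single_server_view(server, clients)
    assert first == single_server_view(server, clients)
```

The test the original poster ran (one server, one outside client) corresponds to the "single flow" line: it can only ever show one VIP, which is exactly what was observed, while the 200-client spread is what "load balancing" means here.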

Maykol Rojas Mon, 04/26/2010 - 13:22

Hello People.

Just adding something to what halijenn said: the firewall won't be able to support this kind of load balancing. It would only rely on the other route under a high load of traffic; it is not going to send one packet or establish one session through the first default gateway and the second through the second default gateway.

The only thing you can really use this other link for would be backup, using SLA monitor. Now, if what you really want to do is load balancing, I think something you can do is put an L3 device that supports route maps and PBR in the middle, between the HSRP routers and the ASA, so you can send different types of traffic depending on source, destination or both in order to accomplish the load balancing you are looking for.

At the bottom I have attached some links.

Hope it helps

Cheers

Mike

Links

ASA not able to support load balancing

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q6i

Policy Based Routing on IOS

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

ASA backup ISP (sla monitoring)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

mauricioharley Wed, 04/28/2010 - 15:09

Ok, friends,

I got the advice.  However, how could I solve my problems?  I won't add any other device besides the ones you see in the topology picture.  Couldn't I do PBR on the HSRP routers?

Don't forget that I still need to provide VPN access, so, my two links have to be able to handle such traffic.

Have you seen the configuration files?  Have you seen that I'm using a different NAT setup?  Will my IPsec tunnels work?

I guess this topology would be a common request.  Not all people are able to "buy" a public AS, so options should come easily.  Cisco's competitors deploy load balancing between different ISPs in small boxes, so why am I not able to do it with ISR routers and an ASA?

I am counting very much on you, because I can't find a feasible configuration to make this work.

Kind regards,

Mauricio
