Possible?

Answered Question
Oct 11th, 2011

Hi Team!

Here's the scenario:

Bunch of networks -- ASA -- ISP1

                                       -- ISP2

The deal is that the customer wants one of the networks 172.16.x.0/24 to use ISP2 as its main exit, while keeping all other networks using ISP1.

We know there's no PBR functionality on ASA, and also there are some workarounds with NAT, but this is the problem that I'm having:

Current config for ISP1 for all networks:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

route outside 0 0 x.x.x.x 1

Works perfectly fine.

I add the following to try to make 172.16.x.0/24 use ISP2.

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 1  --> as soon as I enter this command the ASA complains, it won't allow it... fine, so I did as per this document:

https://supportforums.cisco.com/docs/DOC-15622

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

But that drops the Internet connection.

Funny thing is that if I do the following:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Then the inside host can't get to the Internet... It seems to me that, with an AD of "2" on the default route, the ASA won't use it since it has a better route pointing to the original ISP1.

So, can this be done?

Thanks!

Federico.

varrao Tue, 10/11/2011 - 09:25

Hi Fed,

Lets say the DG for ISP 1 line is 1.1.1.1 and for ISP 2 is 2.2.2.2,

Add the nat statements in the same order as below:

nat (inside) 2 172.16.x.0 255.255.0.0

nat (inside) 1 0 0

global (outside_new) 2 interface

global (outside) 1 interface

route outside 0 0 1.1.1.1 1

route outside_new 0 0 2.2.2.2 2

But I would never suggest this, since ASA is not a load-balancer, it should not be done on it.

Best is to connect a router in front of your ASA, terminate the ISP on it and do PBR on the router.

Varun

Jon Marshall Tue, 10/11/2011 - 09:33

Varun

How does this work ?

For a start i thought the ASA did not support multiple default-routes pointing out of different interfaces.

And even if it did how does the NAT setup for 172.16.x.0 "tie" it to the outside_new interface ?  Because doesn't the routing define which interface is used for NAT ie. assuming you could have 2 default-routes to different interfaces - 

172.16.5.1 comes in on the inside with destination any address. How does the ASA know to use the default-route pointing to 2.2.2.2 ?

Are you saying the default-route via 1.1.1.1 is rejected because there is no global (outside) 2 corresponding config ?

Jon

varrao Tue, 10/11/2011 - 09:40

Ooops, I must have mixed it up. What I wanted to do was:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I mixed it up. But my advice still remains: it's just a workaround and not a tested thing; even I have never tested it, so the result might differ from setup to setup, and a router should only be used for this purpose.

Glad you pointed it out, nothing beats your eye

Jon Marshall Tue, 10/11/2011 - 09:52

Varun

No problem and believe me i mix things up quite often myself

To be honest I am posting for my own clarification on this as much as anything else. And it's the NAT config I am intrigued by.

With your config, when a packet comes in on the inside interface from 172.16.5.1 with a destination of 15.15.15.1, the routing table is looked up and the route chosen is via the outside interface, ie. next-hop 1.1.1.1. But there is no corresponding global, ie.

nat (inside) 2 172.16.x.0 255.255.0.0

but there is no global (outside) 2 statement, so I would have thought the ASA would simply drop the packet because it cannot NAT it.

If the destination was for 130.15.15.1 for example then yes it would work.

Just want to be sure I am not misunderstanding how the nat/global routing interactions work.

Edit - will Cisco ever support PBR for the ASA? It seems like these sorts of questions come up all the time.

Jon

coto.fusionet Tue, 10/11/2011 - 09:58

Hi Jon and Varun!

Thank you both :-)

I have the same exact doubt as Jon.

This config won't work:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Because (I think) of the better route in the routing table (AD of 1).

The ASA won't let me allow this:

route new_outside 0 0 y.y.y.y 1 --> complains about the route

Federico.

Jon Marshall Tue, 10/11/2011 - 10:04

Hi Federico

No that definitely won't work. You cannot have multiple default-routes pointing out of different interfaces on the ASA. You can have multiple default-routes pointing out of the same interface but that wouldn't help in your situation.

I agree with Varun that the ASA really isn't designed to be a load-balancer and as it doesn't support PBR you really are going to struggle doing this. What you need is PBR on a router(s) that are outside of the ASA but if your ISP controls those routers there is not a lot you can do.

Jon

varrao Tue, 10/11/2011 - 10:07

Yes, that's correct what Jon pointed out, and I think your situation is different to what's mentioned in the doc. The doc is for when half of the network needs to be sent through ISP1 and the other half through ISP2:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

Have a look at the network and subnet masks being used.

I don't think it should work the way we are trying to, since I have also never tested it. The only thing that I have tested is if your 172.16.x.0 is connected behind another interface rather than inside, let's say inside_2, then this can be accomplished:

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

In the config above, we are using the static command to route the traffic through new_outside.

Varun

coto.fusionet Tue, 10/11/2011 - 10:17

Hi,

I agree with you both, and I really don't like the situation ;-)

But I'm wondering why the following won't work:

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I agree the ASA is not supposed to do this, but just wondering why it does not work like the logic says.

I thought with the above (not having two default gateways out two different interfaces), we would just have two routes via ISP2 sending "all" traffic out. With the proper NAT configuration?

Thank you guys again for all your input  :-)

Correct Answer
Jon Marshall Tue, 10/11/2011 - 10:45

Federico

The problem is that even if you could do this ie. i assume you mean

route outside 0.0.0.0 0.0.0.0 x.x.x.x

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y

and I'm not sure it would allow you, but let's say you could. The default-route via outside would never be used, because the 2 routes via new_outside are more specific and the more specific routes are always chosen, so all traffic would then go via outside2.

If instead you had -

route outside 0.0.0.0 128.0.0.0 x.x.x.x

route outside_new 128.0.0.0 128.0.0.0 y.y.y.y

then this would split traffic down the links, but still based on destination, not source, ie. all destinations from 1.x.x.x -> 126.x.x.x would be sent via the outside interface and destinations from 128.x.x.x upwards would be sent to outside_new.

There is no way to specify which route to use based on source IP on the ASA.

Jon
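As an added illustration of Jon's point (example code, not part of the original thread), here is a small longest-prefix-match lookup in Python over the two route tables he describes. The x.x.x.x / y.y.y.y next hops are kept as placeholders and the 15.15.15.1 / 130.15.15.1 destinations are the constructed addresses used earlier in the thread; the lookup is destination-only, which is exactly why the source subnet can never influence the choice.

```python
import ipaddress

# Route tables as (prefix, egress interface, next hop). The attempted config
# keeps the default route plus the two /1 routes from the Cisco doc; the
# split config is the destination-based alternative Jon sketches.
ATTEMPTED = [
    ("0.0.0.0/0", "outside", "x.x.x.x"),
    ("0.0.0.0/1", "new_outside", "y.y.y.y"),
    ("128.0.0.0/1", "new_outside", "y.y.y.y"),
]
SPLIT = [
    ("0.0.0.0/1", "outside", "x.x.x.x"),
    ("128.0.0.0/1", "outside_new", "y.y.y.y"),
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, _next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(routes, src, dst):
    """Interface a packet leaves on. `src` is accepted but deliberately
    unused: a plain routing-table lookup never consults the source address."""
    return lookup(routes, dst)


def interfaces_used(routes, dsts):
    """Set of interfaces chosen across a list of constructed destinations."""
    return {lookup(routes, d) for d in dsts}


# Constructed sample destinations spread across both halves of the address space.
SAMPLE_DSTS = ["15.15.15.1", "130.15.15.1", "8.8.8.8", "200.1.2.3", "127.255.255.255"]

if __name__ == "__main__":
    for table_name, table in (("attempted", ATTEMPTED), ("split", SPLIT)):
        for d in SAMPLE_DSTS:
            print(table_name, "172.16.5.1 ->", d, "leaves via", egress(table, "172.16.5.1", d))
    print("attempted config ever uses 'outside'?",
          "outside" in interfaces_used(ATTEMPTED, SAMPLE_DSTS))
```

With the attempted table every destination matches one of the /1 routes, so the default route via outside is never selected; with the split table the choice changes with the destination but not with the source.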

Correct Answer
varrao Tue, 10/11/2011 - 10:57

That's right, as Jon said.

The doc is for splitting the traffic going to the Internet based on destination IP, so your requirement doesn't fall into it. Source-based routing is not an option on the ASA, so that makes it more difficult for you.

Varun

coto.fusionet Tue, 10/11/2011 - 11:09

I am more clear now :-)

So, besides being an awful solution with the ASA as we all know, it is not even possible, correct?

Just to confirm, since "not supported" does not necessarily mean "can't possibly do it"!

Thank you,

Federico.

Correct Answer
varrao Tue, 10/11/2011 - 11:20

Yes, this is not possible on the ASA. I have never been able to do it; until anyone can come up with any magic solution to it, I would definitely put it in unsupported configuration only.

Thanks,

Varun

varrao Tue, 10/11/2011 - 11:54

Cheers Fed and cheers to you as well Jon, it was a useful discussion.

Varun

varrao Tue, 10/11/2011 - 12:11

Yup Jon, you've hit the nail on its head, that's what I meant but never realized that it got lost in the discussion and got overlooked... lol. I am very confident about that since it's something I have tested and it works as expected. In this config, we can eliminate the route issue and just route packets based on DNAT, so the firewall would not even look for the default route. Only condition -----> 172.16.x.x should be behind another separate interface.

Thanks,

Varun

Correct Answer
Jon Marshall Tue, 10/11/2011 - 11:14

Federico

Assuming we are talking about the original issue, ie. 172.16.x.x via outside_2, as far as I can see it's just not possible to do on an ASA, rather than simply being unsupported.

Jon

Jon Marshall Tue, 10/11/2011 - 12:09

Federico / Varun

A thought just occurred. Varun wrote -

I don't think it should work the way we are trying to, since I have also never tested it. The only thing that I have tested is if your 172.16.x.0 is connected behind another interface rather than inside, let's say inside_2, then this can be accomplished:

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

I have never done this so I may be misunderstanding, but Varun seems to be suggesting that with this config all traffic from inside2 would be routed out of new_outside. If this is the case then either -

1) do you have a spare interface you could route the 172.16.x.x addresses to on the inside

or

2) if you don't could you use subinterfaces on the inside interface and route just the 172.16.x.x to one of the subinterfaces and the rest of the traffic to the other

Varun, if I have misunderstood what that config does please let me know.

Jon

coto.fusionet Tue, 10/11/2011 - 12:11

Will it be a matter of just having another "inside" interface (subinterface)?

Federico.

Jon Marshall Tue, 10/11/2011 - 12:19

Federico

It looks like it. As I say, I personally haven't done it, but Varun has and his knowledge of the ASA is better than mine.

You would need a separate inside interface, whether physical or a subinterface, and you would need to route the 172.16.x.x traffic to that subinterface.

Varun - presumably you would still need to NAT the source IPs 172.16.x.x to the outside interface so they are returned to the outside_new interface ie.

nat (inside) 2 172.16.0.0 255.255.0.0

global (outside_new) 2 interface

because I'm assuming that the static statement doesn't take care of natting source IPs ?

Jon

varrao Tue, 10/11/2011 - 12:40

Oh yes, that's for sure, that part of the config is only for routing the traffic out of the new_outside interface. But without source NAT it would not work. So that nat/global statement is definitely needed.

Varun

coto.fusionet Tue, 10/11/2011 - 12:46

Varun, Jon,

So the config would look like this?

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

nat (inside_2) 2 172.16.0.0 255.255.0.0

global (outside_new) 2 interface

Assuming:

inside_2 --> New Inside interface (subinterface)

new_outside --> ISP2

In this way, all traffic sourced from 172.16.x.x that arrives at the ASA is sent to ISP2?

Federico.

coto.fusionet Tue, 10/11/2011 - 13:02

Too bad I don't think we can do it via another interface in this particular case!

But good to know!!!  Thank you guys one more time ;-)

varrao Tue, 10/11/2011 - 13:05

No issues but this config should definitely work, so anytime you can try it, just give it a shot and do let us know the outcome.

Varun
