ASA and dual ISP, corporate net over ISP1, guest net over ISP2?

Answered Question
Aug 11th, 2012

Hi there,

Here is my lab setup:

- internal net (corporate)

- internal net (guest)

- outside (ISP1)

- outside (ISP2)

What I want to achieve is:

- corporate net over ISP1

- guest net over ISP2

- no PBR router

I've already set it up so that HTTP and HTTPS are routed over ISP2 (corporate and guest net).

http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

How can a NAT rule be set so that the corporate net goes through ISP1 and the guest net through ISP2?

I know that the ASA still cannot do PBR, and multiple context is not an option because VPN is needed.

Here is the NAT already done:

static (isp2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (isp2,inside) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0
static (isp2,guest) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (isp2,guest) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0

Thanks for hints...

Norbert

Sent from Cisco Technical Support iPad App

b.c.jenkins Sat, 08/11/2012 - 04:17

Hi Norbert,

You need to set up dynamic PATs. The example below is from version 8.4 and may be different based on yours. First you set up the network objects, then the NAT.

I hope this helps.

object network inside1-network-object
 subnet 192.168.1.0 255.255.255.0
 description Corporate Network
object network inside2-network-object
 subnet 192.168.2.0 255.255.255.0
 description Guest Network
object network outside1-network-object
 host 10.1.1.1
 description ISP 1
object network outside2-network-object
 host 10.1.2.1
 description ISP 2

nat (inside1,outside1) after-auto source dynamic inside1-network-object outside1-network-object
nat (inside2,outside2) after-auto source dynamic inside2-network-object outside2-network-object

alig.norbert Sun, 08/12/2012 - 12:08

Thanks,

I'll give it a try in my lab.

Multiple context would be the solution,

but there is no release on the ASA that supports VPN/PPPoE! Still not, even though other vendors have had this function for a couple of years.... Some work to do, Cisco!!!!!!

Sent from Cisco Technical Support iPhone App

spetrescu Sat, 08/11/2012 - 06:47

I did the same thing with ASA using multiple context (needs license for multiple context):

mode multiple

hostname ASA1
!
interface GigabitEthernet0
    description --- Connected to ISP1, will be part of context CONTEXT-VLAN-10 ---
    no shut
!
interface GigabitEthernet1
    description --- Connected to ISP2, will be part of context CONTEXT-VLAN-20 ---
    no shut
!
interface GigabitEthernet2
    description --- Trunk to LAN ---
    no shut
!
interface GigabitEthernet2.10
    description --- In context for VLAN 10 ---
    vlan 10
!
interface GigabitEthernet2.20
    description --- In context for VLAN 20 ---
    vlan 20
!

! ======= Add contexts and allocate interfaces ======

context admin
    config-url flash:/admin.cfg
    exit
!
context CONTEXT-VLAN-10
    description --- Context VLAN10 ---
    allocate-interface GigabitEthernet2.10 inside
    allocate-interface GigabitEthernet0 outside
    config-url flash:/CONTEXT-VLAN-10.cfg
    exit
!
context CONTEXT-VLAN-20
    description --- Context VLAN20 ---
    allocate-interface GigabitEthernet2.20 inside
    allocate-interface GigabitEthernet1 outside
    config-url flash:/CONTEXT-VLAN-20.cfg
    exit
!

! ========== configure the contexts ===========
ASA1(config)# changeto context CONTEXT-VLAN-10
ASA1/CONTEXT-VLAN-10(config)# int outside
ASA1/CONTEXT-VLAN-10(config-if)# nameif outside
ASA1/CONTEXT-VLAN-10(config-if)# ip address 173.x.x.x 255.255.255.248

ASA1/CONTEXT-VLAN-10(config)# int inside
ASA1/CONTEXT-VLAN-10(config-if)# nameif inside
ASA1/CONTEXT-VLAN-10(config-if)# ip address 10.10.10.1 255.255.255.0

ASA1/CONTEXT-VLAN-10(config)# object-group network VLAN-10
ASA1/CONTEXT-VLAN-10(config-network-object-group)# network-object 10.10.10.0 255.255.255.0
ASA1/CONTEXT-VLAN-10(config-network-object-group)# exit
ASA1/CONTEXT-VLAN-10(config)# nat (inside,outside) source dynamic VLAN-10 interface
ASA1/CONTEXT-VLAN-10(config)# route outside 0.0.0.0 0.0.0.0 173.x.x.y

ASA1(config)# changeto context CONTEXT-VLAN-20
ASA1/CONTEXT-VLAN-20(config)# int outside
ASA1/CONTEXT-VLAN-20(config-if)# nameif outside
ASA1/CONTEXT-VLAN-20(config-if)# ip address 64.x.x.x 255.255.255.248

ASA1/CONTEXT-VLAN-20(config)# int inside
ASA1/CONTEXT-VLAN-20(config-if)# nameif inside
ASA1/CONTEXT-VLAN-20(config-if)# ip address 172.18.10.1 255.255.255.0

ASA1/CONTEXT-VLAN-20(config)# object-group network VLAN-20
ASA1/CONTEXT-VLAN-20(config-network-object-group)# network-object 172.18.10.0 255.255.255.0
ASA1/CONTEXT-VLAN-20(config-network-object-group)# exit
ASA1/CONTEXT-VLAN-20(config)# nat (inside,outside) source dynamic VLAN-20 interface
ASA1/CONTEXT-VLAN-20(config)# route outside 0.0.0.0 0.0.0.0 64.x.x.y

changeto system
wr memory all

Samuel Petrescu


Ramraj.Sivagnanam Sat, 08/11/2012 - 18:59

Hi Bro

This requirement cannot be achieved in Cisco ASA. You can't have 2 default gateways in a networking product. Furthermore, Cisco ASA doesn't support the PBR feature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

The only way possible is to convert the Cisco ASA into multiple context. With this you can have CONTEXT1 default gateway to ISP1 and CONTEXT2 default gateway to ISP2. However, in the event ISP1 goes down, there's no redundancy/failover to ISP2. Cisco ASA comes with 2 contexts, by default.

CONTEXT1 = GUEST + ISP1

CONTEXT2 = CORPORATE LAN + ISP2

P/S: If you think this comment is useful, please do rate them nicely :-)

b.c.jenkins Sat, 08/11/2012 - 19:29

I have done this without multiple contexts. You are correct that the ASA is not meant to do this, but it can do 2 ISPs with different metrics/distances. When you NAT the outbound traffic it will go out the correct interface. In my case I was routing all mission critical traffic over premium bandwidth and non-critical over lesser quality.

Ramraj.Sivagnanam Sat, 08/11/2012 - 19:34

Noted bro. What you've done is dual ISP in Active/Standby mode. For this reason, you can do 2 ISPs with 2 different metrics/distances. By doing so, it's all for outbound traffic to the Internet.

Note: 1 internet connection per time.

You can't host any web servers on the inside, otherwise it will be troublesome to change the A record on the public dns all the time.

route outside 0 0 202.188.10.1 1
route outside 0 0 171.10.170.14 100

If you're happy with this approach, then that's fine. Just a quick suggestion: you might wanna enable IP SLA as well :-)

P/S: If you think this comment is useful, please do rate them nicely :-)

nkarthikeyan Sun, 08/12/2012 - 03:15

Hi Brandon,

I don't think you can achieve load balancing of the ISP traffic based on the LAN connection type in ASA. ASA will not do source-based routing like the router does, either.

You have the below options, as I personally feel.

One is you can have both ASAs as standalone, with one ASA having ISP1 and the other ASA with ISP2.

Both ASAs can have the secondary option as the backup ISPs defined in the static route with a different metric...

But you have to define the routes in the downstream devices to achieve it.

Or you can have the router on the upstream define the policy-based routes based on the NAT/PAT IPs that are coming from the ASA. You should have your ISP link terminated on your LAN endpoint router to make it work.

Or you can achieve it with Active-Active failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html

Please do rate if the given information helps.

By

Karthik

b.c.jenkins Sun, 08/12/2012 - 03:45

Karthik,

I am not the OP. The OP never mentioned load balancing as a requirement. He asked how he could route corporate traffic out one ISP and guest out another. To me this sounds like maintaining two distinct pathways.

You CAN manage this with an ASA but it is not ideal. Sometimes you have to do things with the hardware available even though it is not ideal.

@Norbert - Set the distance metric on the 0.0.0.0/0.0.0.0 routes to something other than 0 and you can push specific destinations through a particular egress point using static routes with a smaller metric. This will be useful with your VPN.

Brandon

alig.norbert Wed, 08/29/2012 - 07:21

Hi there,

Finally had some time to check it in my lab. Unfortunately, there is (still) no way to assign

- inside net -> outside (ISP1)

- inside1 net -> outside1 (ISP2)

because the ASA can only do destination based routing.

Tried to fake two default gateways, but then the best match will always be taken:

C    10.100.0.0 255.255.255.0 is directly connected, guest
C    109.164.A.B 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    0.0.0.0 128.0.0.0 [10/0] via 212.25.A.B, outside1
S*   0.0.0.0 0.0.0.0 [100/0] via 109.164.A.B, outside
S    128.0.0.0 128.0.0.0 [10/0] via 212.25.A.B, outside1

Well, then an IOS router will do the trick....

Thanks a lot,

Norbert
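To make the "destination-based routing only" conclusion concrete, here is an added example; it is not from the thread and is not Cisco code. It models the ASA route selection that Norbert's table above exhibits (longest prefix first, then lowest administrative distance, source address never consulted), and it also covers the two-defaults-with-different-distances shape from Ramraj's post and the "more specific static route wins" point from Brandon's. All addresses are constructed RFC 5737 documentation values standing in for the masked ones on the page, and the function names are this example's own.

```python
"""Destination-only route selection, modeled on an ASA 'show route' table.

Added example, not from the forum thread or from Cisco. Addresses are constructed
RFC 5737 documentation values; function names are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like Norbert's table: two /1 "fake default" routes via
# outside1 (AD 10) and a real 0/0 via outside (AD 100).
SAMPLE_SHOW_ROUTE = """\
C    10.100.0.0 255.255.255.0 is directly connected, guest
C    203.0.113.0 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    0.0.0.0 128.0.0.0 [10/0] via 198.51.100.1, outside1
S*   0.0.0.0 0.0.0.0 [100/0] via 203.0.113.1, outside
S    128.0.0.0 128.0.0.0 [10/0] via 198.51.100.1, outside1
"""

# Same table plus a more specific static route for a (constructed) VPN peer network.
SAMPLE_WITH_PEER_ROUTE = SAMPLE_SHOW_ROUTE + (
    "S    192.0.2.0 255.255.255.0 [1/0] via 203.0.113.1, outside\n"
)

# Constructed active/standby pair of default routes with different distances. A real
# 'show route' lists only the installed one; both are listed here so the tiebreak is visible.
SAMPLE_ACTIVE_STANDBY = """\
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
S    0.0.0.0 0.0.0.0 [100/0] via 198.51.100.1, outside1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    distance: int            # administrative distance; 0 for connected routes
    next_hop: Optional[str]  # None for connected routes
    interface: str


ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+"
    r"(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})"
    r"(?:\s+\[(?P<ad>\d+)/\d+\])?\s+"
    r"(?:via\s+(?P<nh>\d+(?:\.\d+){3}),\s+|is directly connected,\s+)"
    r"(?P<iface>\S+)$"
)


def parse_show_route(text: str) -> list[Route]:
    """Parse the 'show route' lines above into Route records; unknown lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
        distance = int(m["ad"]) if m["ad"] else 0
        routes.append(Route(net, distance, m["nh"], m["iface"]))
    return routes


def lookup(routes: list[Route], src: str, dst: str) -> Optional[Route]:
    """Pick the route for dst: longest prefix, then lowest distance.

    src is accepted and deliberately ignored: this is the whole point of the thread.
    """
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if d in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.distance))


def egress(routes: list[Route], src: str, dst: str):
    """Return (interface, next_hop) the packet would leave on, or None if unroutable."""
    r = lookup(routes, src, dst)
    return (r.interface, r.next_hop) if r else None


def default_route_shadowed(routes: list[Route]) -> bool:
    """True when longer prefixes cover all of 0.0.0.0/0, so the 0/0 route can never win."""
    longer = [r.network for r in routes if r.network.prefixlen > 0]
    return list(ipaddress.collapse_addresses(longer)) == [ipaddress.IPv4Network("0.0.0.0/0")]


def withdraw(routes: list[Route], interface: str) -> list[Route]:
    """Simulate SLA tracking pulling every route that points out of a failed interface."""
    return [r for r in routes if r.interface != interface]


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for src in ("192.168.1.10", "10.100.0.10"):   # corporate host, then guest host
        print(f"{src:>14} -> 192.0.2.10 leaves via {egress(table, src, '192.0.2.10')}")
    print("0/0 shadowed by the two /1 routes:", default_route_shadowed(table))
```

Both sources land on the same egress because nothing in the selection reads the source address; the 0/0 route with distance 100 never wins because the two /1 routes cover the whole address space. The peer-route and active/standby tables show the two things the ASA will do for you: a longer prefix pins a particular destination to one ISP for every source, and the lower distance default wins until it is withdrawn.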

Correct Answer
Julio Carvaja Thu, 08/30/2012 - 11:27

Hello Alig,

That is correct, the ASA can only have one route attached to its routing table based on a destination.

That being said, PBR is not supported, and as you suggested, a router outside the ASA will do the trick for you.

You can provide redundancy using SLA, but that's it.

Mark the question as answered if there is no other question we can answer for you.

Regards,

Remember to rate all the helpful posts, that is as important as a thanks

Julio

Posted August 11, 2012 at 2:49 AM