ASA and dual ISP, corporate net over ISP1, guest net over ISP2?

alig.norbert
Level 4
Level 4

Hi there,

Here is my lab setup:

- internal net (corporate)

- internal net (guest)

- outside (isp1)

- outside (isp2)

What I want to achieve is:

- corporate net over ips1

- guest net over isp2

- no PBR router

I've already set up that HTTP and HTTPS are routed over isp2 (corporate and guest net).

http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/

How can a NAT rule be set so that the corporate net goes through isp1 and the guest net through isp2?

I know that the ASA still cannot do PBR, and multiple contexts are not an option because VPN is needed.

Here is the NAT already done:

static (isp2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (isp2,inside) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0
static (isp2,guest) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (isp2,guest) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0

Thanks for hints...

Norbert

Sent from Cisco Technical Support iPad App

Accepted Solution

Hello Alig,

That is correct, the ASA can only have one route attached to its routing table based on a destination.

That being said PBR is not supported and as you suggested a Router outside the ASA will do the trick for you.

You can provide redundancy using SLA but that's it.

Mark the question as answered if there is no other question we can answer for you.

Regards,

Remember to rate all the helpful posts, that is as important as a thanks

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC



b.c.jenkins
Level 1
Level 1

Hi Norbert,

You need to set up dynamic PATs. The below example is from version 8.4 and may be different based on yours. First you setup the network objects, then the NAT.

I hope this helps.

object network inside1-network-object
 subnet 192.168.1.0 255.255.255.0
 description Corporate Network
object network inside2-network-object
 subnet 192.168.2.0 255.255.255.0
 description Guest Network
object network outside1-network-object
 host 10.1.1.1
 description ISP 1
object network outside2-network-object
 host 10.1.2.1
 description ISP 2

nat (inside1,outside1) after-auto source dynamic inside1-network-object outside1-network-object
nat (inside2,outside2) after-auto source dynamic inside2-network-object outside2-network-object

I did the same thing with an ASA using multiple contexts (needs a license for multiple contexts).

mode multiple

hostname ASA1
!
interface GigabitEthernet0
       description --- Connected to ISP1, will be part of context CONTEXT-VLAN-10 ---
       no shut
!
interface GigabitEthernet1
       description --- Connected to ISP2, will be part of context CONTEXT-VLAN-20 ---
       no shut
!
interface GigabitEthernet2
       description --- Trunk to LAN ---
       no shut
!
interface GigabitEthernet2.10
       description --- In context for VLAN 10 ---
       vlan 10
!
interface GigabitEthernet2.20
       description --- In context for VLAN 20 ---
       vlan 20
!

! ======= Add contexts and allocate interfaces ======

context admin
       config-url flash:/admin.cfg
       exit
!
context CONTEXT-VLAN-10
       description --- Context VLAN10 ---
       allocate-interface GigabitEthernet2.10 inside
       allocate-interface GigabitEthernet0 outside
       config-url flash:/CONTEXT-VLAN-10.cfg
       exit
!
context CONTEXT-VLAN-20
       description --- Context VLAN20 ---
       allocate-interface GigabitEthernet2.20 inside
       allocate-interface GigabitEthernet1 outside
       config-url flash:/CONTEXT-VLAN-20.cfg
       exit
!

!========== configure the contexts ===========
ASA1(config)# changeto context CONTEXT-VLAN-10
ASA1/CONTEXT-VLAN-10(config)# int outside
ASA1/CONTEXT-VLAN-10(config-if)# nameif outside
ASA1/CONTEXT-VLAN-10(config-if)# ip address 173.x.x.x 255.255.255.248


ASA1/CONTEXT-VLAN-10(config)# int inside
ASA1/CONTEXT-VLAN-10(config-if)# nameif inside
ASA1/CONTEXT-VLAN-10(config-if)# ip address 10.10.10.1 255.255.255.0


ASA1/CONTEXT-VLAN-10(config)# object-group network VLAN-10
ASA1/CONTEXT-VLAN-10(config-network-object-group)# network-object 10.10.10.0 255.255.255.0
ASA1/CONTEXT-VLAN-10(config-network-object-group)#exit
ASA1/CONTEXT-VLAN-10(config)# nat (inside,outside) source dynamic VLAN-10 interface
ASA1/CONTEXT-VLAN-10(config)# route outside 0.0.0.0 0.0.0.0 173.x.x.y


ASA1(config)# changeto context CONTEXT-VLAN-20

ASA1/CONTEXT-VLAN-20(config)# int outside
ASA1/CONTEXT-VLAN-20(config-if)# nameif outside
ASA1/CONTEXT-VLAN-20(config-if)# ip address 64.x.x.x 255.255.255.248

ASA1/CONTEXT-VLAN-20(config)# int inside
ASA1/CONTEXT-VLAN-20(config-if)# nameif inside
ASA1/CONTEXT-VLAN-20(config-if)# ip address 172.18.10.1 255.255.255.0

ASA1/CONTEXT-VLAN-20(config)# object-group network VLAN-20
ASA1/CONTEXT-VLAN-20(config-network-object-group)# network-object 172.18.10.0 255.255.255.0
ASA1/CONTEXT-VLAN-20(config-network-object-group)#exit
ASA1/CONTEXT-VLAN-20(config)# nat (inside,outside) source dynamic VLAN-20 interface
ASA1/CONTEXT-VLAN-20(config)# route outside 0.0.0.0 0.0.0.0 64.x.x.y


changeto system
wr memory all


Samuel Petrescu

Message was edited by: Samuel Petrescu

Thanks,

I'll give it a try in my lab.

Multiple context would be the solution,

but there is no release of the ASA that supports VPN/PPPoE! Still not, even though other vendors have had this function for a couple of years.... Some work to do, Cisco!!!!!!

Sent from Cisco Technical Support iPhone App

Hi Bro

This requirement cannot be achieved in Cisco ASA. You can't have 2 default gateways in a networking product. Furthermore, Cisco ASA doesn't support the PBR feature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

The only way possible is to convert the Cisco ASA into multiple context. With this you can have CONTEXT1 default gateway to ISP1 and CONTEXT2 default gateway to ISP2. However, in the event ISP1 goes down, there's no redundancy/failover to ISP2. Cisco ASA comes with 2 contexts, by default.

CONTEXT1 = GUEST + ISP1

CONTEXT2 = CORPORATE LAN + ISP2

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

I have done this without multiple contexts. You are correct that the ASA is not meant to do this, but it can do 2 ISPs with different metrics/distances. When you NAT the outbound traffic it will go out the correct interface. In my case I was routing all mission critical traffic over premium bandwidth and non-critical over lesser quality.

Noted bro. What you've done is dual ISP in Active/Standby mode. For this reason, you can do 2 ISPs with 2 different metrics/distances. By doing so, it's all for outbound traffic to the Internet.

Note: 1 internet connection at a time.

You can't host any web servers on the inside, otherwise it will be troublesome to change the A record on the public dns all the time.

route outside 0 0 202.188.10.1 1

route outside 0 0 171.10.170.14 100

if you're happy with this approach, then that's fine. Just a quick suggestion, you might wanna enable IP SLA as well :-)

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi Brandon,

I don't think you can achieve load balancing of the ISP traffic based on the LAN connection type in the ASA. The ASA will not do source-based routing either, like the router does.

You have the below options, as I personally feel.

One is you can have both ASAs as standalone, with one ASA having ISP1 and the other ASA with ISP2.

Both ASAs can have the secondary option as the backup ISP defined in the static route with a different metric...

But you have to define the routes in the downstream devices to achieve it.

Or you can have the router on the upstream define policy-based routes based on the NAT/PAT IPs that are coming from the ASA. You should have your ISP link terminated on your LAN endpoint router to make it work.

Or you can achieve it with Active-Active failover

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html

Please do rate if the given information helps.

By

Karthik

Karthik,

I am not the OP. The OP never mentioned load balancing as a requirement. He asked how he could route corporate traffic out one ISP and guest out another. To me this sounds like maintaining two distinct pathways.

You CAN manage this with an ASA but it is not ideal. Sometimes you have to do things with the hardware available even though it is not ideal.

@Norbert - Set the distance metric on the 0.0.0.0/0.0.0.0 routes to something other than 0 and you can push specific destinations through a particular egress point using static routes with a smaller metric. This will be useful with your VPN.

Brandon

Hi there,

finally had some time to check it in my lab. Unfortunately, there is (still) no way to assign

- inside net -> outside (ISP1)

- inside1 net -> outside1 (ISP2)

because the ASA can only do destination based routing.

Tried to fake two default gateways, but then the best match will always be taken:

C    10.100.0.0 255.255.255.0 is directly connected, guest
C    109.164.A.B 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    0.0.0.0 128.0.0.0 [10/0] via 212.25.A.B, outside1
S*   0.0.0.0 0.0.0.0 [100/0] via 109.164.A.B, outside
S    128.0.0.0 128.0.0.0 [10/0] via 212.25.A.B, outside1

Well, then an IOS router will do the trick....

Thanks a lot,

Norbert
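To make the lab result above concrete, here is an added Python example (not from the original thread) that parses those show route lines and performs the destination-only longest-prefix match the ASA does; the source address is accepted but never consulted, which is why the two /1 routes via outside1 win for every destination regardless of whether the packet came from the corporate or the guest net. The A.B octets are replaced with constructed values.

```python
import ipaddress

# Constructed sample: the "show route" output from the lab post, with the
# elided A.B octets replaced by made-up values (109.164.1.x, 212.25.1.1).
SHOW_ROUTE = """\
C    10.100.0.0 255.255.255.0 is directly connected, guest
C    109.164.1.0 255.255.255.248 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    0.0.0.0 128.0.0.0 [10/0] via 212.25.1.1, outside1
S*   0.0.0.0 0.0.0.0 [100/0] via 109.164.1.1, outside
S    128.0.0.0 128.0.0.0 [10/0] via 212.25.1.1, outside1
"""


def parse_routes(text):
    """Turn 'show route' lines into (network, egress interface) tuples.

    Each line is '<code> <network> <mask> ... , <interface>'; the dotted mask
    is handed straight to ipaddress, which accepts 'a.b.c.d/mask' notation.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        routes.append((net, parts[-1]))
    return routes


def egress_interface(routes, dst, src=None):
    """Destination-based longest-prefix match, as the ASA does it.

    'src' is deliberately ignored: the ASA has no source-based (policy)
    routing, so the inside/guest origin can never influence the choice.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1]


if __name__ == "__main__":
    table = parse_routes(SHOW_ROUTE)
    for src, dst in (("192.168.1.10", "8.8.8.8"), ("10.100.0.10", "8.8.8.8")):
        print(f"{src} -> {dst}: egress {egress_interface(table, dst, src)}")
```

Both the corporate and the guest host print egress outside1; the default route via outside is never selected because a /1 prefix always beats /0.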
