Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

Cisco Asa 5515-X vlan base traffic segregation

Hi,

Do have cisco asa 5515-x with us we are terminating two ISP on it, also configured the vlan base traffic separation on both ISP (load Balancing kind thing)

Just want to know what are all parameter need to be taken into consideration at configuration.

Thanks in advance                  

Regards;

Anil.

  • Firewalling
5 REPLIES
Super Bronze

Cisco Asa 5515-X vlan base traffic segregation

Hi,

So are you saying that you want to use both ISP links at the same time?

If I am not totally wrong, there is no official way Cisco would recomend doing this. The only setup I think they support is using the other ISP as backup which only activates when the primary ISP fails.

Naturally when the ASA is virtualized into Multiple Context mode then you can use different ISPs for different Security Contexts.

And unofficial way of utilizing both ISPs would be to use the NAT configurations on the ASA to separate certain subnets/hosts traffic to certain ISP link.

- Jouni

New Member

Cisco Asa 5515-X vlan base traffic segregation

Thanks for the reply,

yes we want to utilise both link simultaneously, but here trffic seperation would be on VLAN base.

i think it has to work. Just required guide line.

Anil

Super Bronze

Re: Cisco Asa 5515-X vlan base traffic segregation

Hi,

The problem with this kind of setup if you are going to do it with a single ASA that is NOT virtualized is the fact that Cisco doesnt officially support this.

So I doubt you will be able to find a guide for this from Cisco.

However to give you an example what I have tested briefly for users here on Cisco Support Community

Lets say we have this situation

  • ASA running atleast 8.4(x) software level
  • 2 ISP connections
  • 2 LAN networks and 2 DMZ
  • Each LAN/DMZ pair would use different ISP link
  • Each LAN/DMZ pair should be able to access eachother

Lets then presume the following base information for the ASA

  • Interface names: ISP-1, ISP-2, LAN1, LAN2, DMZ1 and DMZ2
  • Networks: 
    • ISP1 - 1.1.1.0/29
    • ISP2 - 2.2.2.0/29
    • LAN1 - 10.10.10.0/24
    • LAN2 - 10.10.20.0/24
    • DMZ1 - 192.168.10.0/24
    • DMZ2 - 192.168.20.0/24

Then the very basic configurations (not all) should look something like this

INTERFACE CONFIGURATIONS

  • Only examples, you could for example be using Trunk interface with or without Etherchannel

interface GigabitEthernet0/0

description ISP-1

nameif ISP-1

security-level 0

ip address 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

description ISP-2

nameif ISP-2

security-level 0

ip address 2.2.2.2 255.255.255.248

interface GigabitEthernet0/2

description LAN1

nameif LAN1

security-level 100

ip address 10.10.10.1 255.255.255.0

interface GigabitEthernet0/3

description LAN2

nameif LAN2

security-level 100

ip address 10.10.20.1 255.255.255.0

interface GigabitEthernet0/4

description DMZ1

nameif DMZ1

security-level 50

ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/5

description DMZ2

nameif DMZ2

security-level 50

ip address 192.168.20.1 255.255.255.0

DEFAULT ROUTES

  • ASA needs default route for each ISP
  • NAT configurations will handle choosing the actual egress interface after which the corresponding default route will be used

route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1

route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254

OBJECTS FOR NAT

  • These "object" and "object-group" are created purely for the use of NAT configurations. They hold with them essential networks to make the NAT work.

object network LAN1

subnet 10.10.10.0 255.255.255.0

object network LAN2

subnet 10.10.20.0 255.255.255.0

object network DMZ1

subnet 192.168.10.0 255.255.255.0

object network DMZ2

subnet 192.168.20.0 255.255.255.0

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

BASIC NAT CONFIGURATIONS

  • First we define a NAT that enables the LAN1/DMZ1 and LAN2/DMZ2 networks to connect between eachother with original IP addresses (ACLs still define what is allowed)
  • Second we define LAN1/DMZ1 NAT configurations that defines that ALL networks are found behind ISP-1
  • Third we define LAN2/DMZ2 NAT configurations that defines that ALL networks are found behind ISP-2
  • The reason for the using the destination network ALL is that the NAT will force the traffic destined to ALL networks through a specific ISP interface. If the ASA would use the routing table to make this choice then ISP-2 would NEVER be used for outbound connections. Only possinble inbound connection (for which there is no NAT configurations below)

nat (LAN1,DMZ1) source static LAN1 LAN1 destination static DMZ1 DMZ1 description LAN1 to DMZ1 traffic UNNATED

nat (LAN2,DMZ2) source static LAN2 LAN2 destination static DMZ2 DMZ2 description LAN2 to DMZ2 traffic UNNATED

nat (LAN1,ISP-1) source dynamic LAN1 interface destination static ALL ALL description Default PAT for LAN1 ISP-1 traffic

nat (DMZ1,ISP-1) source dynamic DMZ1 interface destination static ALL ALL description Default PAT for DMZ1 ISP-1 traffic

nat (LAN2,ISP-2) source dynamic LAN2 interface destination static ALL ALL description Default PAT for LAN2 to ISP-2

nat (DMZ2,ISP-2) source dynamic DMZ2 interface destination static ALL ALL description Default PAT for DMZ2 to ISP-2

The VERY VERY IMPORTANT thing to notice with configuring such a NAT is that the NAT order will be playing an even bigger role than in normal users ASA configuration.

You will be essentially configuring all NAT configurations as Manual NAT in Section 1

So lets say you needed to add Static NAT for servers then those configurations would be added between the LAN -> DMZ and LAN/DMZ -> ISP NAT configurations. If they would simply be added wihtout ordering numbers then the Dynamic PAT configuration would override them.

So as you might see, this will create a configuration that will require a lot more carefull consideration when creating rules.

As its not officially supported way of accomplishing this from Cisco you might also be more likely to run into problems with the NAT configurations.

I will also have to say that this is not something that I have used in a production environment either, just briefly tested. Also I wrote this all out of my head so it might contain some typos or errors.

Hope this helps though

Please do remember to mark a reply as the correct answer if it answered your question.

Also feel free to ask more if needed

- Jouni

Super Bronze

Re: Cisco Asa 5515-X vlan base traffic segregation

Corrected typo in the other "route" command

- Jouni

New Member

Thanks for testing this for

Thanks for testing this for users. I wanted to give your 5 stars but for some reason it does not allow me to go beyond 2. Any reason?

411
Views
2
Helpful
5
Replies