How to spplit different LAN Segment in two ISP Service

a.guillen · ‎02-17-2014

Hi Forum

I have a doubt how to implement a new scenario

My customer have a 5520 (with four Interfaces) firewall with the following version:

ASA Version 8.2(5) and his configuration is

interface GigabitEthernet0/1

nameif lan1

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif lan2

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/0

description ISP1

nameif outside

security-level 0

ip address a.b.c.252 255.255.255.248

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

access-list Public_access_in extended permit icmp any any

access-list ACL-RED-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0 255.

access-list ACL-INSIDE-NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0

!

icmp permit any outside

icmp permit any inside

!

global (outside) 1 interface

nat (inside) 0 access-list ACL-INSIDE-NONAT

nat (lan1) 1 192.168.1.0 255.255.255.0

nat (lan2) 1 192.168.2.0 255.255.255.0

!

static (lan2,outside) tcp a.b.c.253 8080 192.168.2.11 8080 netmask 255.255.255.255

static (lan2,outside) tcp a.b.c.253 8081 192.168.2.13 8081 netmask 255.255.255.255

!

access-group Public_access_in in interface outside

!

route outside 0.0.0.0 0.0.0.0 a.b.c.249 1

!

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

!

! The rest is omited

So, the LAN's segment (192.168.1.0/24 and 192.168.2.0/24) leave to Internet by outside Interface and also I have set a VPN between our side and the remote LAN site (192.168.112.0/24)

Now, my customer want to add a new LAN Segment (for example 192.168.3.0/24) and has recently purchased a new service of ISP.

He want that this New LAN segment leave by the new ISP Provider and possible a new VPN between this new segment to another side will be appear.

In resumen:

The old configuration is not going to change.

For the new service LAN 192.168.3.0/24 must be go to internet using the seconf ISP service z.y.x.194 255.255.255.248.

What change I must be do in the interface G0/3

I suppose that I must be create subinterface in the interface G0/3, like this.

! line 1

interface GigabitEthernet0/3

no nameif

no security-level 0

no ip address

no shutdown

! line 2

interface GigabitEthernet0/3.100

vlan 100

nameif lan3

security-level 50

ip address 192.168.3.1 255.255.255.0

! line 3

interface GigabitEthernet0/3.200

vlan 200

nameif outside2

security-level 0

ip address x.y.z.194 255.255.255.248

! line 4

route outside2 0.0.0.0 0.0.0.0 x.y.z.193 250

! line 5

global (outside2) 2 interface

nat (tikary) 2 192.168.3.0 255.255.255.0

! line 6

access-group Public_access_in in interface outside2

Also from the segment 192.168.2.x/24 must to access to other LAN Segment (192.168.1.0/24 and 192.168.3.0/24)

Please correct me, or you have any other reference to observe like a reference.

Regards

ARGB

Marius Gunnerud · ‎02-18-2014

Now, my customer want to add a new LAN Segment (for example 192.168.3.0/24) and has recently purchased a new service of ISP.  He  want that this New LAN segment leave by the new ISP Provider and  possible a new VPN between this new segment to another side will be  appear.

If I am understanding correctly, your company has now accuired a new ISP connection and you want this new subnet to use that new connection for internet and VPN? This is partially not possible. You wil NOT be able to use this connection as an active link to the internet.

the ASA only supports one active default gateway at any given time. If you want to use the second ISP connection actively, you need to either put a router or another firewall into the mix.

As for the VPN link You can set up a seperate site to site VPN that specifies the 192.168.3.0/24 subnet as the source and the remote site as the destination. So long as the remote site has a seperate tunnel group for its connection this should work.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Vasilii Mikhailovskii · ‎02-18-2014

Hello.

It's possible to run ASA in multiple context mode, having different default gateways and set of VPNs.

But you need to update your firware to version 9.x

If you choose to stay with 8.2(5), then, I would agree with Marius, you need additional router to do the job.

a.guillen · ‎02-20-2014

Hi MikhailovskyVV.

These are the versions of my device:

ASA> show version

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

I can download the following images "asa913-k8.bin" and "asdm-715.bin"

ASA# dir flash:

Directory of disk0:/

100 -rwx 15390720 11:59:42 Mar 13 2013 asa825-k8.bin

101 -rwx 16280544 15:11:44 Mar 13 2013 asdm-645.bin

102 -rwx 28672 19:00:00 Dec 31 1979 FSCK0000.REC

3 drwx 4096 19:03:10 Dec 31 2002 log

10 drwx 4096 19:03:22 Dec 31 2002 crypto_archive

11 drwx 4096 19:03:24 Dec 31 2002 coredumpinfo

104 -rwx 4096 19:00:00 Dec 31 1979 FSCK0001.REC

105 -rwx 12998641 15:07:10 Mar 13 2013 csd_3.5.2008-k9.pkg

106 drwx 4096 15:07:14 Mar 13 2013 sdesktop

107 -rwx 6487517 15:07:48 Mar 13 2013 anyconnect-macosx-i386-2.5.2014-k9.pkg

108 -rwx 6689498 15:07:56 Mar 13 2013 anyconnect-linux-2.5.2014-k9.pkg

109 -rwx 4678691 15:08:00 Mar 13 2013 anyconnect-win-2.5.2014-k9.pkg

255320064 bytes total (192139264 bytes free)

ASA# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ASA up 1 day 18 hours

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: GigabitEthernet0/0 : address is e4d3.f112.0e9c, irq 9

1: Ext: GigabitEthernet0/1 : address is e4d3.f112.0e9d, irq 9

2: Ext: GigabitEthernet0/2 : address is e4d3.f112.0e9e, irq 9

3: Ext: GigabitEthernet0/3 : address is e4d3.f112.0e9f, irq 9

4: Ext: Management0/0 : address is e4d3.f112.0ea0, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

SSL VPN Peers : 2

Total VPN Peers : 750

Shared License : Disabled

AnyConnect for Mobile : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

Advanced Endpoint Assessment : Disabled

UC Phone Proxy Sessions : 2

Total UC Proxy Sessions : 2

Botnet Traffic Filter : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX171180JB

Running Activation Key: 0xe638dc68 0xf4a83e3e 0xcc129924 0xb180fcc0 0x0b190e9d

Configuration register is 0x1

Configuration last modified by enable_15 at 05:57:50.617 PEST Wed Feb 19 2014

ASA#

Can I upgrade directly from 8.2(5) to 9.1 (I know that actual configuration will be lost and also I know that the syntax configuration is different between the versions, but this is not a problem for me, because I can re-configure it very fast).

My doubt is if exist any other license that will be afected during the upgrade. As you can see exist any other files in the flash memory and some features related to the license appear in the command "show version" and at the final line appear a message "This platform has an ASA 5520 VPN Plus license". My doubt is "after the upgrade (from 8.2 to IOS 9.1) these features will be change, any license will be afected????.

The object final is the following:

I have in this moment three LAN's segment (for example lan1, lan2 and lan3) and two WAN's (isp1 and isp2)

lan1 and lan2 leave for isp1 and exits VPN (site to site) connection between lan1 with different site. It in this moment is operation with any problem.

The problem is the third lan3 because this must be use the second isp2, also this lan3 will be open a VPN with another site. This requirement I can not do it with 8.2 IOS Version. This requirement is like a PBR in router.

The version 9.1 can handle this feature (PBR)

Please let me know

Regards

Andres

Marius Gunnerud · ‎02-20-2014

Can I upgrade directly from 8.2(5) to 9.1 (I know that actual configuration will be lost and also I know that the syntax configuration is different between the versions, but this is not a problem for me, because I can re-configure it very fast).

You can not upgrade directly from 8.2(5) to 9.1. You will need to first upgrade to 8.4(6) and from there you can upgrade to 9.1. Keep in mind that there are memory requirements when upgrading to 8.3 and higher. The minimum memory requirement for the 5520 when upgrading to 8.3 or higher is 2GB.

My doubt is if exist any other license that will be afected during the upgrade

You should not have any issues with your licenses when upgrading. But as when doing any major change you should make sure you have a backup of your licenses and configuration. If you have lost this or forget to take a backup contact Cisco licensing for further help licensing@cisco.com

The problem is the third lan3 because this must be use the second isp2, also this lan3 will be open a VPN with another site

In this case you must use active/active failover setup. you can configure this when using 8.2(5) and there is no need to upgrade to 9.1...yet.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html

The version 9.1 can handle this feature (PBR)

No ASA can do PBR. The ASA is a firewall not a router. If you want to do PBR then you need to insert a router into your network. You can manipulate traffic to an extent by using static routing and NAT but anything past that you will not be able to.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts