Policy Based Routing on ASA

Andrew White
Level 2

Hello,

We have 2 ISP lease lines for our internet traffic.  One is a 50mb line which is our primary and the other is a 10mb line which is our backup line.  They are just working in HSRP.  Thing is, we pay for the 10mb line but never use it. I suggested we use GLBP, but the ISP want to charge us. Our ASAs (active/standby) just point to the virtual IP.

I was wondering if we could use the 10mb line for non-critical traffic like ftp etc. using PBR on the ASA?

Thanks

James Leinweber
Level 4

Unfortunately, ASAs don't do PBR.  You'd have to stick an actual router in front of it.

-- Jim Leinweber, WI State Lab of Hygiene

Thanks, I would have a single point of failure then, I guess I would just need to add 2 routers in HSRP or GLBP?

As Andrew has mentioned the ASA doesn't support HSRP or GLBP, etc.  But you can achieve a type of load balancing and redundant setup with an active/active failover configuration.

What model ASA are you running?

Depending on how large your network is (and if your ASAs support it), you might want to look into setting up your ASAs in an Active/Active failover.  Then you could have one set of VLANs use the context that connects to the 50Mb with the standby context on the second ASA, and the Active context on the second ASA connects to the 10Mb line with the standby context on the first ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html

--
Please remember to rate and select a correct answer

We have 2 x 5520s in Active/Standby which forward to a virtual IP where our 2 ISP routers are working in HSRP mode.  As PBR isn't supported it was suggested to put another router in between the 2 ASAs and 2 ISP routers, but my concern was this would be a single point of failure and perhaps we could have 2 PBRs there instead working in HSRP/GLBP mode?

If you are fixed on using routers between the ASA and the ISP routers then for complete redundancy you would need 2 routers.  Otherwise, as you said, you will have a single point of failure.

If you use GLBP you would not need PBR configured as traffic would be balanced over the two connections.

--
Please remember to rate and select a correct answer

Not balanced, critical data over our 50mb and non-critical over the 10mb line.  I was going to define this using ACLs and apply to a route map but use 2 routers in HSRP mode between the ASAs and ISP routers.

In this case each router would need a connection to both the 50Mb and 10Mb lines.  The ISP will maybe charge extra for this.

--
Please remember to rate and select a correct answer

The ISP routers and outside of ASAs are in the same vlan, I guess the PBR routers would just go in the same.

In that case yes.

--
Please remember to rate and select a correct answer

Jon Marshall
Hall of Fame

Andrew

They cannot be in the same vlan as the new routers would introduce a L3 hop.  There are quite a few other issues -

1) GLBP gives you nothing as the source mac is always the active firewall and GLBP load balances based on mac address so it is not a solution even if the ISP would do it for you.

2) you would either have to readdress the ASAs or the ISP routers because you now need two subnets

3) because of 2) this might very well mess up your NAT because your ISP will currently have routes to any public IPs you are using to the ASA outside interface. They would now have to point to the new routers which means you would have to move the NAT to the new routers which would be a big change

4) a possible way around 3) would be to have a privately addressed link between your new routers and the ISP but the ISP would still need to update their routes to point to the new private IP for the HSRP active new router. This would mean you could leave the public addressing between your ASA outside interfaces and the new routers inside interfaces  (** see note at the bottom)

5) you would also need two new switches to interconnect your new routers to the ISP routers unless you can connect each router to every other router, but even if the ISP had spare interfaces on their routers I suspect they would charge a bit for this.

Note you may be able to use the existing switches and simply create a new vlan for these connections.

So if you introduced the new routers you would -

1) have a common vlan/IP subnet between your ASAs and the new routers. This should be the current IP subnet used for connectivity between the ASAs and the ISP routers

2) make one router HSRP active and configure PBR.  You also need to configure PBR on the standby for failover.

3) run HSRP between the outside interfaces of your new routers and the ISP routers and use private addressing. The ISP would need to update their routes for your public subnet pointing to the HSRP active router.

4) there is not much point in running HSRP on the ISP routers as you are using PBR to specifically pick the next hop so on the new routers the default route would point to the 50Mbps router and then PBR for the other router.

This is not trivial and you need to decide whether it is worth all the reconfiguration plus the cost of the new routers (and maybe switches depending on spare ports). As I say, running GLBP on the ISP routers gives you nothing, so the only thing they could do for you would be PBR directly on their routers, which I'm not sure they would want to do.

** I am assuming you could use a private subnet between the ISP routers and your new routers and the ISP simply has a route for the public IP subnet used on the ASA pointing to the private HSRP VIP on your new routers. It is just basic routing but I have never done it before, so you would most definitely need to talk this through with your ISP to see if it would work from their perspective as I can't guarantee it would work in your situation.

Jon
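As an added illustration of the design Jon lays out above (not configuration from the thread or from Cisco documentation), here is what one of the two new IOS routers could look like: an ACL plus route-map sends FTP to the 10Mb ISP router only while that router answers probes, everything else follows the default route to the 50Mb router, and HSRP runs on both the ASA-facing and ISP-facing sides. All addresses, interface names, group and object numbers are constructed placeholders: 203.0.113.0/24 stands in for the public subnet the ASA outside interfaces already use, 192.168.2.0/24 for the private link to the ISP routers.

```cisco
! Router 1 (HSRP active). Router 2 mirrors this with lower priorities.
! 192.168.2.2 = placeholder 50Mb ISP router, 192.168.2.3 = placeholder 10Mb ISP router
!
! Non-critical traffic that should use the 10Mb line (FTP, as in the thread)
ip access-list extended NONCRIT-OUT
 permit tcp 203.0.113.0 0.0.0.255 any eq ftp
 permit tcp 203.0.113.0 0.0.0.255 any eq ftp-data
!
! Probe both ISP routers so neither PBR nor the default route points at a dead next hop
ip sla 1
 icmp-echo 192.168.2.3 source-interface GigabitEthernet0/1
 frequency 10
ip sla 2
 icmp-echo 192.168.2.2 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Matched packets go to the 10Mb router while track 1 is up; if it is down the
! set clause is ignored and the packet falls through to normal routing
route-map PBR-TO-10MB permit 10
 match ip address NONCRIT-OUT
 set ip next-hop verify-availability 192.168.2.3 10 track 1
!
interface GigabitEthernet0/0
 description Inside - same VLAN/subnet as the ASA outside interfaces
 ip address 203.0.113.11 255.255.255.0
 ip policy route-map PBR-TO-10MB
 ! VIP reuses the gateway address the ASAs already point at, so they need no change
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 20
!
interface GigabitEthernet0/1
 description Outside - private VLAN to ISP routers; ISP routes 203.0.113.0/24 to this VIP
 ip address 192.168.2.11 255.255.255.0
 standby 2 ip 192.168.2.1
 standby 2 priority 110
 standby 2 preempt
!
! Critical (unmatched) traffic uses the 50Mb router while it answers probes;
! the floating static via the 10Mb router takes over if it stops
ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 2
ip route 0.0.0.0 0.0.0.0 192.168.2.3 250
```

Router 2 carries the same ACL, route-map, tracking and `ip policy` statements with its own interface addresses and lower HSRP priorities, which is the point Jon makes in step 2: PBR must exist on the standby as well or a failover silently collapses everything onto the default route.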

Jon Marshall
Hall of Fame

Andrew

You may also want to look at this document which presents some other options -

https://supportforums.cisco.com/docs/DOC-13015

Jon
