static route at host level?!

Keithshum
Level 1

This is more like a router question, but I need to implement it on an ASA 5515-X; let's see if it's possible to do so.

How can I only route one internal host to use a backup WAN link?

I checked the "route" command on the ASA; it doesn't seem to be an option...

Thanks so much!


9 Replies

Julio Carvajal
VIP Alumni

Hello Keith,

You are looking for PBR (routing based on a source IP address).

Unfortunately this can't be accomplished on the ASA, as it does not support PBR.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Q. Can the Cisco 5500 Series ASA do Policy Based Routing (PBR) like a Cisco Router? For example, mail traffic should be routed to the first ISP while http traffic should be routed to the second one.

A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.

Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics, and not to policy route regular traffic as in routers.

Value our effort and rate the assistance!

Jouni Forss
VIP Alumni

Hi,

Even though PBR itself is not supported by the ASA, you can simulate similar operation with NAT configurations.

An example configuration would be

interface GigabitEthernet0/0
 description Primary ISP
 nameif PRIMARY
 security-level 0
 ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Secondary ISP
 nameif SECONDARY
 security-level 0
 ip address 192.168.102.2 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN
 nameif LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0

route PRIMARY 0.0.0.0 0.0.0.0 192.168.101.1 1
route SECONDARY 0.0.0.0 0.0.0.0 192.168.102.1 254

object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
object network HOST
 host 10.10.10.10

nat (LAN,SECONDARY) source dynamic HOST interface destination static ALL ALL
nat (LAN,PRIMARY) after-auto source dynamic any interface

The problem with the above setup is the fact that the NAT configuration will start to play an even larger role for this single host. The above NAT configuration for the HOST catches traffic to ALL destination addresses, forwards it to the SECONDARY interface and uses its lesser default route.

If the HOST needs to access other LAN/DMZ interfaces on the ASA, you MUST configure additional NAT configurations before the special NAT rule for the SECONDARY interface.

So I can't really give you an exact configuration unless I know your setup specifically.

Hope this helps

- Jouni

The problem with that configuration would be that in most cases, if the secondary link fails and you still need to route traffic, you won't have a failover mechanism because you are forcing traffic through the secondary interface, which in many cases is not desired.

Since there is a lot to consider, Cisco does not recommend this configuration.

Value our effort and rate the assistance!

Hi,

Yes, the configuration is most likely something that is not good for every situation. I am not sure if it's something that would be a good choice in the long run. It is something that will get the job done for someone who wants to accomplish this kind of behaviour, but it also requires the user to understand how it behaves and how possible new NAT configurations need to be positioned for them to work correctly.

If the user wishes any kind of failover of the WAN link for this single HOST, he would have to manually remove the mentioned NAT configuration for the traffic to match the normal Dynamic PAT configuration located in a lower section.

The correct way would probably be to rather use a router in front of the ASA, have it connect to both of the ISP links, and perform PBR on the router. We don't do this kind of NAT configuration in our production environment; PBR is always done on the 6500/7600 core devices.

It would be great if the ASA supported the same kind of scripting as the routers. I could play so much more with the NAT operation and traffic forwarding on the ASA. Not that it would be anywhere near user friendly anymore, but I would be happy to test.

- Jouni

Keithshum
Level 1

Thanks all for helping!

After posting, I was looking into route-map actually and got excited!

However, knowing it's not going to work on the ASA (not even 9.1.2?!), I'm just quite disappointed...

Jouni, we basically just want that host to use the backup ISP for a specific destination. So I should have something like this:

object network HOST
 host 10.32.2.90
object network CLOUD
 host 1.1.1.1

nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD interface

Yes, we have a floating static route set up for the backup WAN, so I guess this is not a good way to solve this issue.

Accepted Solution

Hi,

The configuration would be something like this

nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD CLOUD

This would also make the situation a lot simpler, because the SECONDARY link would only be used for the destination IP address used under "object network CLOUD". All other traffic from this host would continue to use the PRIMARY link.

The worse default route wouldn't really cause any problems with anything, as it's not active in the routing table. Its only use in this case would be to forward the traffic towards the CLOUD IP address after the NAT configuration has chosen the correct egress interface (SECONDARY) for that destination IP address.

- Jouni
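A complete version of the destination-specific approach from this reply, put together with the rule-ordering caveat from Jouni's earlier reply and the no-failover caveat raised in the thread. This is an added example, not a configuration from the thread or from Cisco documentation: the interface names, next hops and the HOST/CLOUD objects are taken from the posts above, while the DMZ interface, the DMZ-NET object with its 10.32.3.0/24 subnet and the 8.8.8.8 test destination are assumptions made only for this example.

```text
! Objects from the thread: the one host that should use the backup ISP,
! and the one destination for which it should do so
object network HOST
 host 10.32.2.90
object network CLOUD
 host 1.1.1.1
! Assumed for this example: an internal DMZ behind the same ASA
object network DMZ-NET
 subnet 10.32.3.0 255.255.255.0

! Section 1 (manual NAT) is matched top-down, first match wins. Any rule
! that keeps HOST's traffic to other internal interfaces away from the
! ISP-steering rule has to sit ABOVE it (the ordering caveat from the thread).
! "DMZ" is an assumed interface name.
nat (LAN,DMZ) source static HOST HOST destination static DMZ-NET DMZ-NET

! Steering rule from the accepted answer: only HOST -> CLOUD is PATed to
! SECONDARY's interface address and sent out SECONDARY. "destination static
! CLOUD CLOUD" is identity NAT, so the destination address is untouched;
! the (LAN,SECONDARY) interface pair is what selects the egress interface
! instead of the routing table.
nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD CLOUD

! Section 3 (after-auto): everything else from the LAN is PATed out PRIMARY
nat (LAN,PRIMARY) after-auto source dynamic any interface

! Floating default routes as in the earlier example. Only the metric-1 route
! is active; per the thread's reasoning the metric-254 route still supplies
! the next hop on SECONDARY once the NAT rule has picked that interface.
route PRIMARY 0.0.0.0 0.0.0.0 192.168.101.1 1
route SECONDARY 0.0.0.0 0.0.0.0 192.168.102.1 254

! Verification: packet-tracer reports which NAT rule matched and the egress
! interface chosen. The first trace should end on SECONDARY, the second
! (an arbitrary public destination) on PRIMARY.
packet-tracer input LAN tcp 10.32.2.90 40000 1.1.1.1 443
packet-tracer input LAN tcp 10.32.2.90 40000 8.8.8.8 443
show nat detail

! Caveat from the thread: there is no failover for this flow. If SECONDARY
! goes down, HOST -> CLOUD is still steered to SECONDARY and does not fall
! back to PRIMARY; the rule has to be removed by hand so the flow drops
! through to the section 3 PAT rule:
! no nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD CLOUD
```

Run the two packet-tracer commands before and after adding the steering rule and compare the NAT and egress phases of the output; if the DMZ identity rule is placed below the steering rule instead of above it, the trace for a DMZ destination is the quickest way to see the wrong interface being chosen.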

Keithshum
Level 1

I see, thanks Jouni and everyone!

Let's hope that policy routing will be implemented on the ASA in a near future release.

Messing with NAT in a production environment is not something fun, especially in a zero-tolerance situation...

So, we decided to put back the static route for that CLOUD destination only.
