01-29-2010 10:15 AM - edited 03-06-2019 09:30 AM
Hello,
I will soon have a second ISP terminating into my 7201 router, which I will need to route to a second ASA. I do not want to do any load balancing; the connections are totally separate. I would just like someone to please verify my thoughts on how my route statements will look:
ISP1 --> ASA1
ISP2 --> ASA2
int gig0/0
des Uplink to ISP1
ip add 10.10.10.2 255.255.255.252
int gig0/1
des Uplink to ISP2
ip add 10.10.20.2 255.255.255.252
int gig0/2
des Uplink to ASA1
ip add 192.168.1.2 255.255.255.192
int gig0/3
des Uplink to ASA2
ip add 192.168.2.2 255.255.255.192
ip route 192.168.1.1 255.255.255.192 10.10.10.1
ip route 192.168.2.1 255.255.255.192 10.10.20.1
Am I correct in my thinking?
Thank you for your time,
Nick
01-29-2010 10:20 AM
Nick
Not sure what the routes are meant to be doing, i.e.
ip route 192.168.1.1 255.255.255.192 10.10.10.1
says to get to the 192.168.1.0 255.255.255.192 network go to the ISP next-hop of 10.10.10.1 - that can't be right, can it?
Apart from that - are your 2 firewalls in failover mode or are they just completely separate firewalls?
And on your 7200 router are you just going to have 2 default routes, one to each ISP next-hop?
Jon
01-29-2010 10:30 AM
Jon,
Thanks for the reply, sir.
The routes are intended to get traffic from the ISP LAN block (public IP addresses for mail, VPN, etc.) to the ISP WAN side of the router.
The ASAs are completely separate; completely separate networks.
01-29-2010 11:12 AM
Sorry Nick, I'm obviously being a bit dense.
I assume it's
ISP1 ----- |              | ------ ASA1
           |---- 7200 ----|              LAN
ISP2 ----- |              | ------ ASA2
if this is the case you have used the 192.168.1.0/26 and the 192.168.2.0/26 to connect the ASAs to the 7200 router.
Those 2 ip route statements, are they on the 7200 router? If so they won't be used anyway because the 7200 has directly connected interfaces in the 192.168.1.x and 192.168.2.x networks.
Can you clarify?
Jon
01-29-2010 11:24 AM
Jon,
No worries at all, it is hard to clarify this in writing, my bad!
What the layout will be is this
ISP1 ----          ----ASA1---> LAN1
         ---7200---
ISP2 ----          ----ASA2---> LAN2
Our current route statement on the router is this: ip route 0.0.0.0 0.0.0.0 X.X.X.X
I believe that once the 2nd ISP is added I will need to statically define the LAN block in each ISP to route out the proper WAN interface.
Does this help?
Nick
01-29-2010 11:34 AM
Nick
I understand now and those static routes won't work. You're going to need to use PBR (Policy Based Routing) for this, i.e.
access-list 101 permit ip 192.168.1.0 0.0.0.63 any
access-list 102 permit ip 192.168.2.0 0.0.0.63 any
route-map PBR permit 10
match ip address 101
set ip next-hop 10.10.10.1
route-map PBR permit 20
match ip address 102
set ip next-hop 10.10.20.1
int gi0/2
ip policy route-map PBR
int gi0/3
ip policy route-map PBR
Add the above config to your 7200 and remove the static routes.
Jon
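A small model of how the router evaluates the PBR config in Jon's reply (an added example, not part of the thread; the function names are made up here). It parses the posted ACLs and route-map and returns the next hop chosen for a given source address, including the fall-through to normal destination-based routing when no clause matches.

```python
import ipaddress

# Jon's PBR configuration from the post above, embedded verbatim.
CONFIG = """\
access-list 101 permit ip 192.168.1.0 0.0.0.63 any
access-list 102 permit ip 192.168.2.0 0.0.0.63 any
route-map PBR permit 10
match ip address 101
set ip next-hop 10.10.10.1
route-map PBR permit 20
match ip address 102
set ip next-hop 10.10.20.1
"""

def parse(config):
    """Return (acls, clauses): ACL id -> [(base, wildcard)] and ordered route-map clauses.
    Only the 'permit ip <src> <wildcard> any' form used in the thread is handled."""
    acls, clauses = {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            base = int(ipaddress.IPv4Address(w[4]))
            wild = int(ipaddress.IPv4Address(w[5]))
            acls.setdefault(w[1], []).append((base, wild))
        elif w[:1] == ["route-map"]:
            clauses.append({"seq": int(w[3]), "acl": None, "next_hop": None})
        elif w[:3] == ["match", "ip", "address"]:
            clauses[-1]["acl"] = w[3]
        elif w[:3] == ["set", "ip", "next-hop"]:
            clauses[-1]["next_hop"] = w[3]
    clauses.sort(key=lambda c: c["seq"])
    return acls, clauses

def acl_permits(entries, src):
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    s = int(ipaddress.IPv4Address(src))
    return any((s & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)
               for base, wild in entries)

def pbr_next_hop(src, default="routing-table"):
    """First matching route-map clause wins; unmatched traffic is routed normally."""
    acls, clauses = parse(CONFIG)
    for clause in clauses:
        if acl_permits(acls.get(clause["acl"], []), src):
            return clause["next_hop"]
    return default

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.2.33", "192.168.1.64"):  # constructed sources
        print(src, "->", pbr_next_hop(src))
```

A source outside either /26, such as 192.168.1.64, matches no clause and follows the ordinary routing table, so whichever default route exists decides its egress ISP.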
01-29-2010 11:55 AM
Jon,
Ok, this makes sense! I don't deal with a lot of WAN routing on a day to day basis. Your help is much appreciated!
Thanks,
Nick
01-29-2010 12:16 PM
Nick
No problem, glad we got there in the end
Jon