what to use in this scenario

Lasandro Lopez · ‎07-19-2013

I've TWO Cisco ASA firewalls that connects to two different ISP, and internally with one 3rd party switch, that don'w support route map.

ASA01 distribute its default static route with metric 201

router ospf 1

network 10.1.1.0 255.255.255.0 area 0

log-adj-changes

default-information originate metric 201

ASA02 distribute its default static route with metric 202

router ospf 1

network 10.1.1.0 255.255.255.0 area 0

log-adj-changes

default-information originate metric 202

The third party switch support only osfp, and has this configuration:

router ospf 1

network 10.1.1.0 255.255.255.0 area 0

network 172.17.0.0 255.255.255.0 area 0

network 172.16.1.0.255.255.0 area 0

and this vlans:

VLAN 10 - IP 10.1.1.1

VLAN 11 - IP 172.17.0.1

VLAN 20 - IP 172.16.1.0

Now, the scenario is like this:

One server that is connected to VLAN 11 with IP 172.17.0.2, and gateway the IP of VLAN 11 172.17.0.1 have to route its traffic to internet via ASA02.
But in current situation, it will forward it to ASA01.

the switch don't support any type of route map, so what can i do?
is something i could use on Cisco ASA?
or i've to use the CMD commands from Windows Server route add .....?
What are your suggestions?
Regards!

Reza Sharifi · ‎07-19-2013

If the 3rd party switch does not support route-map, PBR, etc.. then physically connect the 3rd party switch to ASA02 and only add vlan 11 to the link.

HTH

Lasandro Lopez · ‎07-21-2013

Hi Reza!
You mean on 3rd party switch to add to ospf only IP of VLAN 11, or something else?
i'm not so clear, how the server will forward all its traffic from 3rd party switch to Cisco ASA02.
Still waiting for your suggestions.
Regards!

Reza Sharifi · ‎07-21-2013

Hi,

Physically connect the 3rd party switch to ASA02 (if it is not connected currently) and just add vlan 11 to that link. Add default gateway of 172.17.0.1 to ASA02. And since ASA02 has connectivity to the ISP, then the server traffic with IP 172.17.0.2 will go out ISP 2.

HTH

Lasandro Lopez · ‎07-21-2013

Hi there!
You mean i've to remove OSPF on ASA02 and to third party switch?

I'm not clear.
The picture is below.
The goal: TO ROUTE THIS SERVER TRAFFIC VIA ISP02

Reza Sharifi · ‎07-21-2013

Hi Lasandro,

One option would be if the 3rd party switch supports vrf lite, you could put vlan 11 and the outgoing interface to ASA2 in a vrf. This way the traffic coming from server 172.17.0.2 will be routed via ASA2.

If it does not support vrf, then you can use the 3rd party switch as a layer-2 device only (no ospf) and add vlan 11 to the link that connects to ASA2 with default gateway on ASA2. All other vlans gateway will be on ASA1.

Who is the vender for this switch and what model?

HTH

Lasandro Lopez · ‎07-21-2013

But i've a lot of VLANs on 3rd party switch, that must connect with VPN Peers that will be connected to both ASAs.
So ofpf, help me reach the devices/servers on other vlans.

Lasandro Lopez · ‎07-21-2013

Can i use route-map on ASA1, to route the traffic from Server, to ASA02?

Reza Sharifi · ‎07-21-2013

no, once the traffic is in ASA1, it will route it out to ISP1

Who is the vendor for your switch?

Lasandro Lopez · ‎07-21-2013

Dell.
so i'm not clear in your suggestion.

Reza Sharifi · ‎07-21-2013

If you want to use the Dell switch as layer-3 with OSPF, then I would ask Dell about VRF support on their switch.

Lasandro Lopez · ‎07-21-2013

the dell don't support VRF.
So i'm not clear with your suggestion