Routing separate VLANs to separate firewalls / ISPs
I have some questions and hope someone can help! I work with a large network (4000+ users). Currently Internet traffic is routed through a single PIX 515E. A new ASA5540 was purchased and we have set up a connection to a new ISP.
I would like to transition our VLANs separately to the new ASA. Mainly, I am looking at configuring a test VLAN and having it routed to the new connection, but maintain our internal routes. Once tests are complete, I need to be able to move one or two VLANs with users over to the new connection for further testing.
Our end goal will be to have email and guest internet access on the old ISP connection through the PIX, and have in-house internet access and remote access through the new connection using the ASA. I'm looking for a way I can change the default route for specific VLANs or connections (the email server), and maintain the internal routing (EIGRP) for those VLANs. Currently there is a default route to the PIX that is set statically in our core and redistributed into EIGRP.
Any idea how I can easily/best accomplish this? Should I be looking at Route maps, PBR, or something else? Ideas are much appreciated!
Re: Routing separate VLANs to separate firewalls / ISPs
From your description I believe that the solution that will work best for you is PBR (which uses route maps). PBR gives you the ability to make routing decisions based on source address and allows you to set the next hop or the default next hop, which should accomplish what you need. It would also make it relatively easy to add more VLANs as your testing progresses. And ultimately it will allow you to change your normal default route to point to the new ISP and also send the email and guest VLANs to the old ISP.
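As an added example (not part of the original reply), here is what that PBR configuration looks like on an IOS core switch/router for the first step described in the question: a single test VLAN whose Internet-bound traffic goes to the new ASA while EIGRP-learned internal routes stay in effect. The VLAN numbers, subnets, next-hop addresses, ACL names and route-map names are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. All addresses, VLAN numbers
! and names are assumptions for illustration.
!
! Hosts whose Internet traffic should leave via the new ASA (test VLAN 100).
ip access-list extended PBR-TO-ASA
 permit ip 10.100.0.0 0.0.255.255 any
!
! "set ip default next-hop" is consulted only when the routing table has no
! explicit (non-default) route for the destination. EIGRP internal routes
! therefore still win, and only traffic that would otherwise have hit the
! default route to the PIX is redirected. "set ip next-hop" would instead
! override the routing table for every matching packet, breaking internal
! reachability for the VLAN.
route-map VLAN-TO-ASA permit 10
 match ip address PBR-TO-ASA
 set ip default next-hop 192.0.2.2
!
! Packets not matched by the ACL fall through the route-map and are routed
! normally, i.e. via the existing default route to the PIX.
!
! Apply the policy inbound on the test VLAN's SVI.
interface Vlan100
 description Test VLAN - Internet via new ASA (192.0.2.2)
 ip address 10.100.0.1 255.255.0.0
 ip policy route-map VLAN-TO-ASA
!
! Once the normal default route is moved to the ASA, the same mechanism pins
! the email server (assumed 10.20.0.25 in VLAN 20) back to the PIX.
ip access-list extended PBR-TO-PIX
 permit ip host 10.20.0.25 any
!
route-map VLAN-TO-PIX permit 10
 match ip address PBR-TO-PIX
 set ip default next-hop 192.0.2.1
!
interface Vlan20
 ip policy route-map VLAN-TO-PIX
```

To confirm the policy is actually being hit, `show route-map VLAN-TO-ASA` reports per-sequence match counts and `traceroute` from a test VLAN host should show 192.0.2.2 as the first hop for Internet destinations while internal destinations still follow EIGRP. Two caveats worth checking before moving user VLANs: the ASA must have a NAT rule and a return route for each redirected subnet, otherwise the stateful firewall drops the asymmetric return traffic; and on some Catalyst platforms `set ip default next-hop` is software-switched rather than handled in hardware, so check the platform's PBR restrictions before policy-routing a large VLAN.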