I'm looking for some guidance as to how I should configure my network for policy based routing using 2 ISP's. I recently bought a 1941 router to sit between my ASA and the 2 ISP routers (one ISP being the old and the other being the new). One of my main questions is how my vlan's should be setup. Currently, I have a vlan for hosts on my internal network, let's call it vlan1, a security vlan, which is basically the internal address of my ASA, let's call that vlan2, and an outside vlan for the interface on the ASA configured for the current isp, let's call that vlan3 (I also have a voice vlan for my phone system but i don't think i need to worry about that right now). My main question is, should the internal interface on the 1941 router be on the same vlan as vlan2 or should I create a new vlan for the new router? I would like to keep my ASA config the same but I'm wondering if I will need to make changes on the ASA based on how the traffic will be routed now. I believe I have the steps figured out to setup the PBR, but I'm just a bit unsure on how to handle the rest of the topology config. Any additional guidance would be appreciated. I can put together a Visio document to help simplify my network topology if this doesn't make sense. Thanks!
There are some things that you have not told us yet that would influence the advice that we would give you. Do you want to treat one ISP as primary and it carries the traffic and the other ISP is just backup in case the primary fails? Do you want to treat both ISPs as equal and load balance? Do you want both ISPs active and certain traffic goes over one and other kinds of traffic go over the other?
But part of your question seems fairly clear already. If VLAN 3 is currently the VLAN for the outside interface of your firewall then I believe that your router should be connected on VLAN 3. The firewall is already sending traffic toward the Internet using that interface and I think that you should not try to change that logic.
Sorry for the lack of info on that part. The original ISP will be only used for VPN and email traffic, and the new ISP will be handling all other traffic. This is what i will be defining in the PBR. So are far as the ASA goes, i believe that config will stay the same, and the 1941 router will be routing all other traffic to the new ISP.
I'm going to step back to my original question because i made a mistake in how i explained my vlans.
In the previous post, I was trying to figure out if vlan2 should contain the internal interface of the asa (which it already does) and also the internal interface of the router.
After looking back at vlan3 (external security vlan), i think i need to leave that unchanged for ISP1 and create another external security vlan for ISP2, lets call that vlan4. Both vlans would obviously containing external WAN address. Does this make sense?
I can throw a visio diagram together if my explanation lacks clarity.
Thanks for the help.
In your original post you said:"router to sit between my ASA and the 2 ISP routers" so I assumed that it would be ASA connected to new router, and new router connected to both ISPs. Now you seem to be saying that the ASA will still connect to ISP1 for VPN.
I am confused. And in this state can not provide much useful advice.
Sorry for the confusion. I see what you're talking about now. I had to draw it out to make sense of it myself, and i realize i had it wrong. I have attached 2 visio files; one of the current topology and one of the anticipated topology. The anticipated topology file might have some wrong info but it represents how i believe how the physically topology should be laid out, but please correct me if it's wrong.
Where i believe i need to make changes is that outside asa interface (vlan3) should be changed to a LAN address, which would be on the same vlan as the inside interface of the 1941 router. Then use the old outside asa interface address as the address for the outside interface1 on the 1941 router. If that is correct, would this require me to change the any of the routing on the ASA?
Given what info i do have (correct or not), can you tell me how i should proceed from here? Please advise. Thank you.
Having the diagram is helpful. I agree that it is logical to change the address on the outside interface of the ASA to be a private/LAN address and to use the existing "public" address that was on the ASA to be on one of the interfaces of the new router. Doing that will certainly change the routing of the ASA. Now the routing of the ASA has a next hop of the ISP router and when you make the changes the next hop will be the address of the inside interface of the new router.
There is at least one other change and it is significant. I am assuming that the ASA has been doing address translation from the "private" 192.168.25.0/24 to the public address. When you move the address from the ASA then the ASA can no longer do the address translation. The translation function will move to the new router. And it will be somewhat more complicated on the router than it was on the ASA. I assume that the ASA translated everything to the single IP address of the ISP connection. With the new router and the second ISP there will need to be one set of translations for ISP1 and another set of translations for ISP2.
As Richard mentioned that, the NAT function will be removed from ASA and all you have on ASA will be a default route pointing towards the new router which has to the 2 ISP interfaces. So now you need 2 NATs on the new router which shoudn't be very much difficult.
try this--> ip nat inside source route-map one interface ISP1
ip nat inside source route-map two interface ISP2
here, route-map one and two are your PBR which will dictate which type of traffic uses which ISP to go out to internet. The same applies for ISP2.
All you need to take care is that everything for the internet must end up at the new router. A default route on the ASA to the new router should serve this function well.
Let me know if this serves your purposes.
Thanks for the information guys. I think I'm going down the right path now but i have a few more questions, although they probably won't be the last.
First question. Since I want to keep this simple and not have to change any of the VPN client profiles for my users, should I make the "outside Int1" on the 1941 the same ip as the outside interface on the ASA (provided that I put the ASA outside interface on a new vlan)? I can't imagine any problem there doing that when I do get the NAT setup properly.
Second question. Although my Visio diagram doesn't display it this way, the ISP1 router and ASA terminate on the 3750 server room switch(which is the device that has the Vlans configured). Since i have a vlan for ISP1, I'm suspecting i will need a separate vlan for ISP2, is that correct? Or, i guess i could connect the ISP2 router directly to Outside Int2 on the 1941 since it 's the only device it will be communicating with. That being said, do i really need to setup a vlan for ISP2? Is there any advantage to having\not having a vlan for the outside interface?
As always any input is appreciated!
to keep things simple, in the current topo diagram connect your new ISP to the same ISP router and avoid having many routers. Keeping things simple will make your life easier in terms of troubleshooting. If you are concerned with device redundancy then there are other point in you topology which needs attention and not just ISP routers.
Answer to your question 1: You need to share your configs.
Answer to question 2: why do u have vlan for ISP 1. what purpose does it serves. Cant you have a L3 interface? Having a separate vlan for 2nd ISP would be better since not very far away you will again have a requirement of load balancing and redundancy among the 2 ISP conections.