Cisco Support Community
Policy routing and failover using single ISR/ASA

Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and using PAT all outgoing traffic is translated to the interface IP address 1.1.1.2.

What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if need be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.

My current thinking is:

Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.

  • Install the new WIC into the 1841 and configure the IP address accordingly, in this example 2.2.2.1.
  • Leave the existing default route pointing to S0/0/0.
  • Create a second Global Pool on the ASA which would PAT traffic from selected internal networks to a separate IP address other than the interface address, say 1.1.1.3, i.e. traffic from VLAN 200 (192.168.255.0/24).
  • Configure policy-based routing on the 1841 to match all traffic from 1.1.1.3 and send it via S0/1/0, leaving the default route to take care of all other traffic.
  • Hopefully ending up with it looking like the diagram "Proposed.png".

Can anyone see a reason why this wouldn’t work?

Regards

Mark Rigby

Accepted solution

Re: Policy routing and failover using single ISR/ASA


Mark

No, I can't see any reason why that wouldn't work. However, if the 1.1.1.3 address is assigned by your original ISP (ISP1) then return traffic will come back in on the S0/0/0 interface. So it will go out on S0/1/0 but come in on the other link.

If you want return traffic to come back down the same link you will have to PAT to one of the new provider's addresses, which may mean NATing the traffic either

1) solely on the router for ISP2

OR

2) double NATing on the ASA and the router

Jon
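The plan in the original post and Jon's second option (double NAT, with the second translation on the router) written out as one configuration. This is an added illustration, not the poster's or Jon's config, and it makes assumptions the thread does not state: the 1841's LAN-side interface is FastEthernet0/0 with 1.1.1.1/24 on the same segment as the ASA outside (1.1.1.2), ISP2 hands off 2.2.2.0/30 with 2.2.2.2 at the provider end, and the ASA interface for VLAN 200 has the nameif vlan200. The ASA part uses the pre-8.3 global/nat syntax that the "Global Pool" wording implies; ASA 8.3 and later express the same thing with object NAT.

```cisco
! ===== ASA (pre-8.3 NAT syntax) =====
! Existing: default route to the 1841 (assumed 1.1.1.1) and pool 1, which
! PATs to the outside interface address. In the real config there is one
! "nat (<ifname>) 1 ..." line per inside interface.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! New: pool 2 PATs VLAN 200 to 1.1.1.3, a second address from the ISP1 block.
! The ASA proxy-ARPs for 1.1.1.3 on outside by default, so the router can
! deliver return traffic to it without any extra static route.
global (outside) 2 1.1.1.3
nat (vlan200) 2 192.168.255.0 255.255.255.0

! ===== 1841 (IOS) =====
! Serial0/0/0 (ISP1) keeps its existing configuration and gets no NAT:
! 1.1.1.0/24 is ISP1's block, so traffic leaving that way needs no rewrite.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
interface FastEthernet0/0
 description LAN side, facing ASA outside (1.1.1.2)
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map VIA-ISP2
!
! Assumed ISP2 addressing: 2.2.2.0/30, provider end 2.2.2.2.
interface Serial0/1/0
 description ISP2 leased line
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
!
! The ASA-translated source(s) that belong on ISP2.
access-list 10 permit host 1.1.1.3
!
! Probe ISP2's far end. When the track goes down the PBR entry is skipped
! and 1.1.1.3 traffic falls back to the default route via ISP1, where no
! second translation is needed because 1.1.1.3 is an ISP1 address anyway.
! (Older IOS spells the track line "track 1 rtr 1 reachability".)
ip sla 1
 icmp-echo 2.2.2.2 source-interface Serial0/1/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! PBR is applied on the ingress interface before inside-to-outside NAT in
! the IOS order of operations, so it matches the pre-NAT source 1.1.1.3.
route-map VIA-ISP2 permit 10
 match ip address 10
 set ip next-hop verify-availability 2.2.2.2 10 track 1
!
! Second NAT (Jon's option 2). "match interface" is evaluated after routing,
! so only packets actually leaving via Serial0/1/0 are rewritten from
! 1.1.1.3 to 2.2.2.1; replies from the Internet then return on ISP2 instead
! of arriving on S0/0/0.
route-map ISP2-NAT permit 10
 match ip address 10
 match interface Serial0/1/0
!
ip nat inside source route-map ISP2-NAT interface Serial0/1/0 overload
```

To check it from the router: `show track 1` should report Reachability Up, `show route-map VIA-ISP2` shows the policy-matched packet count climbing when a VLAN 200 host browses, and `show ip nat translations` shows entries of the form 1.1.1.3:port to 2.2.2.1:port and nothing for the pool-1 traffic that still leaves via S0/0/0. One security point worth keeping in mind: the second link terminates on the router, so its management plane (SSH, SNMP, any routing protocol) is now reachable from a second provider, and whatever inbound filtering is applied on S0/0/0 should be applied to S0/1/0 as well; the router NAT table only handles return packets for existing translations and is not a substitute for the ASA's stateful inspection, which this traffic still passes through.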



Re: Policy routing and failover using single ISR/ASA

Ah of course, thank you Jon, the traffic would most likely be general-purpose HTTP so I don't have a problem NATing it twice.

Regards

Mark Rigby
