topic Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map) in Network Security

How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

Quintin.Mayo — Fri, 21 Feb 2020 15:15:49 GMT

We had some routing issues and during our troubleshooting, we found that our wireless guest network is routing over our primary outbound interface. We have a backup outbound interface configured on the ASA, there are two outbound interfaces. We would like to change the routing for the wireless guest network to go out our second outbound interface on the ASA. I believe using a route map should accomplish this? I am new to using route map and would like some direction on the configuration. I have wrote, what I think would do the routing to the second outbound interface below. Any assistance would be greatly appreciated.

Configuration template

(Config#) route-map guest_network permit 10
(Config-route-map#) match IP address guest_network
(Config-route-map#) set interface Outside-2
(Config-if) set ip next-hop x.x.x.x

access-list guest_network extended permit IP x.x.x.0 255.255.255.0 any
access-list guest_network extended permit IP any any

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

Bogdan Nita — Thu, 01 Feb 2018 15:11:18 GMT

Couple of things you are missing:

- if you put permit ip any any in your acl all the traffic will be using that route map, if you have a guest wireless interface dedicated that should not be a problem

- set ip next-hop should be in the route-map

- you have to apply the route map to the inside wireless interface (in my example G0/0)

ciscoasa(config)# access-list guest_network_acl extended permit ip x.x.x.0 255.255.255.0 any
ciscoasa(config)# route-map guest_network permit 10
ciscoasa(config-route-map)# match ip address guest_network_acl
ciscoasa(config-route-map)# set interface Outside-2
ciscoasa(config-route-map)# set ip next-hop x.x.x.x
ciscoasa(config-route-map)# exit
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# policy-route route-map guest_network

HTH

Bogdan

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

Quintin.Mayo — Mon, 05 Feb 2018 16:14:36 GMT

I configured the route map without any success, it actually stopped the guest networking from routing and had to back out the changes. I have appended everything in the running config for the guest network, hopefully you can identify why the routing didn't forward the guest network traffic out the secondary interface (OUTSIDE-2). I did find the guest network utilizing dynamic nat, I changed the statement to the outside-2 interface still no success. Any suggestions will help greatly.

Configuration on FW for guest network

object network Company-Guest
subnet 10.253.30.0 255.255.255.0

access-list ACL-OUTSIDE-IN extended permit ip any 10.x.x.0 255.255.255.0

access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0

interface GigabitEthernet0/5.30
vlan 30
nameif Company-Guest
security-level 10
ip address 10.x.x.1 255.255.255.0

mtu Company-Guest 1500

object network Company-Guest
nat (Company-Guest,OUTSIDE-1) dynamic interface

dhcpd address 10.x.x.2-10.x.x.254 Company-Guest

dhcpd dns 8.8.8.8 interface Company-Guest

dhcpd enable Company-Guest

object network obj_any
nat (INSIDE,OUTSIDE-1) dynamic interface

interface GigabitEthernet0/1
description OUTSIDE COMCAST ISP INTERNET
speed 1000
duplex full
nameif OUTSIDE-2
security-level 0
ip address 50.x.x.29 255.255.255.240 standby 50.x.x.28

route OUTSIDE-2 0.0.0.0 0.0.0.0 50.x.x.30 254

mtu OUTSIDE-2 1500
icmp permit any echo OUTSIDE-2
icmp permit any echo-reply OUTSIDE-2

Configuration changes that didn't work to route the traffic out the OUTSIDE-2 interface

(Config#) route-map Company_Guest permit 10
(Config-route-map#) match IP address Company_Guest
(Config-route-map#) set ip next-hop 50.x.x.30
(Config)# interaface gi0/5.30 (Dedicated guest interaface)
(Config-if) policy-route route-map Company_Guest

access-list Company_Guest extended permit IP 10.x.x.0 255.255.255.0 any

object network Company_Guest
nat (Company_Guest, OUTSIDE-2) dynamic interaface

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

salman abid — Tue, 06 Feb 2018 07:24:00 GMT

Hi Quintin,

I'm more concerned to know software version of your ASA because PBR is supported on cisco ASA with 9.4.1 and later. Refer the link for software limitation https://blog.webernetz.net/policy-based-routing-on-a-cisco-asa/

As long as you have min required software version then here is my input on your query.

- Since ASA is gateway of your guest network then there is no doubt that traffic for internet is reaching to the ASA.

- As you mentioned that you have 2 internet facing interfaces on your ASA and wanted to route only guest LAN traffic through OUTSIDE-2 interface.

- Looking into your configuration i can assume that you have 4 interfaces configured on you ASA

1- LAN interface for all except guest interface (INSIDE)

2- LAN interface of guest LAN (Vlan30, Company-Guest)

3- OUTSIDE interface for general traffic (OUTSIDE-1)

4- OUTSIDE interface for guest internet ( OUTSIDE-2 )

So first thing first, you should have ONLY a default route on your ASA for traffic coming from INSIDE and going through OUTSIDE-1

Below route is not needed

route OUTSIDE-2 0.0.0.0 0.0.0.0 50.x.x.30 254

Then NAT for INSIDE to OUTSIDE

object network obj_any

subnet 0.0.0.0 0.0.0.0
nat (INSIDE,OUTSIDE-1) dynamic interface

Assuming that you have correct ACL configured for INSIDE interface. But still you can share '' show run access-group'' here with me to review.

Till this point internet traffic from INSIDE to OUTSIDE should work without any issue.

Now let's focus on your Guest requirement.

you don't need these ACLs

access-list ACL-OUTSIDE-IN extended permit ip any 10.x.x.0 255.255.255.0
access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0

Your interface configuration for ''Company-Guest'' and ''OUTSIDE-2'' is OK.

NAT for Guest

object network Company-Guest

Subnet 10.x.x.0 255.255.255.0 <-- subnet of guest vlan
nat (Company-Guest,OUTSIDE-1) dynamic interface

Access-list for PBR

access-list GUEST-INTERNET ext permit ip 10.x.x.0 255.255.255.0

Your need PBR

route-map guest_internet permit 10
match ip address GUEST-INTERNET
set ip next-hop 50.x.x.30
exit

Then apply the PBR on Guest interface

interface GigabitEthernet0/5.30
policy-route route-map guest_network

I hope this will fix the issue you're facing and everything will work as per requirement.

Please remember to select a correct answer and rate helpful posts

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

salman abid — Tue, 06 Feb 2018 07:29:53 GMT

Hi Quintin,

I'm more concerned to know software version of your ASA because PBR is supported on cisco ASA with 9.4.1 and later.

As long as you have min required software version then here is my input on your query.

- Since ASA is gateway of your guest network then there is no doubt that traffic for internet is reaching to the ASA.

- As you mentioned that you have 2 internet facing interfaces on your ASA and wanted to route only guest LAN traffic through OUTSIDE-2 interface.

- Looking into your configuration i can assume that you have 4 interfaces configured on you ASA

1- LAN interface for all except guest interface (INSIDE)

2- LAN interface of guest LAN (Vlan30, Company-Guest)

3- OUTSIDE interface for general traffic (OUTSIDE-1)

4- OUTSIDE interface for guest internet ( OUTSIDE-2 )

So first thing first, you should have ONLY a default route on your ASA for traffic coming from INSIDE and going through OUTSIDE-1

Below route is not needed

route OUTSIDE-2 0.0.0.0 0.0.0.0 50.x.x.30 254

Then NAT for INSIDE to OUTSIDE

object network obj_any

subnet 0.0.0.0 0.0.0.0
nat (INSIDE,OUTSIDE-1) dynamic interface

Assuming that you have correct ACL configured for INSIDE interface. But still you can share '' show run access-group'' here with me to review.

Till this point internet traffic from INSIDE to OUTSIDE should work without any issue.

Now let's focus on your Guest requirement.

you don't need these ACLs

access-list ACL-OUTSIDE-IN extended permit ip any 10.x.x.0 255.255.255.0
access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0

Your interface configuration for ''Company-Guest'' and ''OUTSIDE-2'' is OK.

NAT for Guest

object network Company-Guest

Subnet 10.x.x.0 255.255.255.0 <-- subnet of guest vlan
nat (Company-Guest,OUTSIDE-1) dynamic interface

Access-list for PBR

access-list GUEST-INTERNET ext permit ip 10.x.x.0 255.255.255.0

Your need PBR

route-map guest_internet permit 10
match ip address GUEST-INTERNET
set ip next-hop 50.x.x.30
exit

Then apply the PBR on Guest interface

interface GigabitEthernet0/5.30
policy-route route-map guest_network

I hope this will fix the issue you're facing and everything will work as per requirement.

Please remember to select a correct answer and rate helpful posts

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

Quintin.Mayo — Tue, 06 Feb 2018 13:28:50 GMT

Final draft of configuration and thank you very much for your time!

NAT For Guest Network
object network Company-Guest
subnet 10.x.x.0 255.255.255.0
nat (Company-Guest, OUTSIDE-2) dynamic interface

PBR For Guest Network
(Config#) route-map Company-Guest permit 10
(Config-route-map#) match IP address Company-Guest-ACL
(Config-route-map#) set ip next-hop 50.x.x.x

Apply PBR To Guest Interface
(Config)# interaface gi0/5.30 (Dedicated guest interaface)
(Config-if) policy-route policy route-map Company-Guest

Access-list For PBR
access-list Company-Guest-ACL extended permit IP 10.x.x.0 255.255.255.0 any
access-group Company-Guest-ACL out interface OUTSIDE-2

Test at this point
-----------------------------------------------------------------------------------------------------

STATIC NAT For New Host (Please review)

(config#)object network webex
(config-network-object)# host 10.x.x.x
(config-network-object)# nat (inside,outside) static 40.x.x.x

access-list OutsideToInside permit IP any host 10.x.x.x
access-group OutsideToInside in interaface OUTSIDE-1

done.................

Re: How To Route Traffic From Guest Network To Second Outbound Interface On ASA Routing Using (Route Map)

salman abid — Wed, 07 Feb 2018 12:15:17 GMT

Your final drapt is OK and you don't need this command ''access-group Company-Guest-ACL out interface OUTSIDE-2''

As Company-Guest-ACL is already applied in your PBR and it is not needed to be applied anywhere else

Please remember to select a correct answer and rate helpful posts