topic Hi in Network Security

outbound routing with two ISP links

andrewgori — Tue, 26 Mar 2019 00:59:48 GMT

I have two ISP outbound circuits connected to a 5520 ASA version 8.4(7). I can't figure out how to create a route based on source ip rather than destination IP. In a nutshell, I want to route WIFI and web conferencing via one interface and web servers via the other interface to split the traffic load. I can't do regular load balancing because were not an Autonomous System and the ISPs are different.

The logic needs to work something like this:

Source Destination Gateway

Vlan100 0.0.0.0 IPaddress for ISP1 <--------- Send Wifi trafic to ISP1

Vlan200 0.0.0.0 IPaddress for ISP1 <------------send web conference traffic to ISP1

0.0.0.0 0.0.0.0 IPaddress for ISP2 <--------- default gateway via ISP2

This looks like policy based routing to me, but I don't think I can upgrade the version on my ASA to 9.4. Is there I work around I could use? I'm trying to figure out how to do it with ACL's, but I'm coming up short on ideas. The only idea I have would be to connect a second firewall and switch to my Core switch and manage that traffic as if it was a remote office with a layer2 point to point connection. I'd rather not add the extra cost and complexity to the setup, if I can avoid it. Thanks for your help.

Hi

Francesco Molino — Thu, 09 Mar 2017 02:03:28 GMT

You're right you can't upgrade to latest version supporting pbr and what you want to achieve its pbr.

There is no way to achieve a source routing. You can do workaround to quite load balance the traffic between both ISPs.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi,

trdatta — Thu, 09 Mar 2017 18:28:47 GMT

Hi,

Please check the below link having scenarios of PBR supported on ASA if this meets your requirement.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html

Regards

Tripat Kaur

Is it possible to load

andrewgori — Thu, 09 Mar 2017 21:48:21 GMT

Is it possible to load balance outbound traffic even when it is natted?

Looking at that, I think PBR

andrewgori — Thu, 09 Mar 2017 22:25:32 GMT

Looking at that, I think PBR would work using an ACL and policy specifying the next hop based on source address. The trouble is my ASA is a 5520 and will only run version 9.1x

Right now I need to work out a way to make this happen with the hardware we have on hand. I have a spare 5515 ASA and a 2960 switch that I could put into play. Right now I'm thinking of a scheme that would work like this:

1) trunk VLAN100 and VLAN200 from the core switch to a second ASA.

2) Connect second ASA to ISP1

3) Address the vlan interfaces on the second ASA and use those as the GW address for each VLAN.

4) set default route on second ASA to use ISP1

5) create static routes on the new ASA for all internal networks that would point to my core switch. This entail creating a couple dozen static routes.

6) create static routes on my core switch pointing to the new ASA for VLAN100 and VLAN200.

Do you think this would work?

Hi

Francesco Molino — Fri, 10 Mar 2017 02:14:44 GMT

Yes it should work. From your core switch, you can also use pbr to route to 1st asa or 2nd asa.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

You can load balance based on

Francesco Molino — Fri, 10 Mar 2017 02:19:18 GMT

You can load balance based on ports, for example http and https to 1 isp and the rest to other isp.

Or you can set 2 routes for example 128.0.0.0/1 to 1 isp and 0.0.0.0/1 to the other isp.

Does that answer your question

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question