Policy based routing in ASA 9.4+ Dual WAN link

Steve Coady — Tue, 12 Mar 2019 07:57:11 GMT

Hello

I am using a Cisco ASA 5515x on 9.4(3) code

Problem:

I have a private wireless network 192.168.0.x/20. I do not want to split this large subnet as I always have at least 700 clients connected to this network at any one time (24/7) and do not want to take it down.

Currently I have (1) 100M-up/20M-down WAN link for Internet traffic only. I am rate-limiting per user bandwidth amount to 1M.

I have a second WAN 100M-up/20M-down WAN link that I want to utilize for internet access. I already have these links and do not want to spend any more money to upgrade one of them to larger link.

Both of these links are from the same carrier. They were originally purchased at different times for different users within same organization.

These WAN links will connect to my ASA5515x.

I think PBR may provide solution.

I want to employ PBR and use both links for the Internet connection.

I want the PBR to divide traffic between both WAN links.

I think by using an extended acl and specifying destination networks, I can utilize both links.

If one of the WAN links is down, all traffic will use the other link. I want to make sure after down links comes back up, it will resume as primary for the specified range.

I want an SLA to monitor the WAN gateway(s) in order to trigger the failover.

I want to specify that destinations 1.x.x.x – 9.x.x.x use WAN link 1 as primary

access-list acl_1 extended permit ip any 1.0.0.0 9.255.255.255

I want to specify that destinations 11.x.x.x – 126.x.x.x use WAN link 1 as primary

access-list acl_1 extended permit ip any 11.0.0.0 115.255.255.255

I want to specify that destinations 129.x.x.x – 169.x.x.x use WAN link 2 as primary

access-list acl_2 extended permit ip any 129.0.0.0 30 .255.255.255

I want to specify that destinations 172.32.x.x – 191.x.x.x use WAN link 2 as primary

access-list acl_2 extended permit ip any 172.32.0.0 19.255.255.255

I want to specify that destinations 192.0.3.x – 192.88.98.255 use WAN link 2 as primary

access-list acl_2 extended permit ip any 192.0.3.x – 0.88.96.255

I want to specify that destinations 192.88.100.x – 192.167.255.255 use WAN link 2 as primary

access-list acl_2 extended permit ip any 192.88.100.0 79.255.255.255

I want to specify that destinations 192.169.x.x – 198.17.255.255 use WAN link 2 as primary

I want to specify that destinations 192.198.20.x – 223.255.255.255 use WAN link 2 as primary

interface GigabitEthernet0/0

(config-if)# policy-route route-map GuestNet

interface GigabitEthernet0/1

nameif Outside-2

security-level 0

ip address 173.a.b.c 255.255.255.252

interface GigabitEthernet0/4

nameif Outside-2

security-level 0

ip address 173.d.e.f 255.255.255.252

route-map GuestNet permit 10

(config-route-map)#match ip address acl_1

(config-route-map)#set ip next-hop 173.a.b.c

or set ip next-hop verify-availability 173.a.b.c 1 track 1

set ip next-hop verify-availability 173.d.e.f 2 track 2

route-map GuestNet permit 20

(config-route-map)#match ip address acl_2

(config-route-map)#set ip next-hop 173.d.e.f

or set ip next-hop verify-availability 173.d.e.f 1 track 1

set ip next-hop verify-availability 173.a.b.c 2 track 2

route-map GuestNet permit 30

(config-route-map)#set ip interface Null0

Please review the config and advise if this is a good working solution. Please also advise on any improvements needed.

Were you able to use PBR? If

DSMCisco2010 — Wed, 12 Apr 2017 12:43:38 GMT

Were you able to use PBR? If so which statement worked for you?

Did the null0 statement work

DavidMeyer321 — Wed, 12 Apr 2017 12:47:36 GMT

Did the null0 statement work for you?

Dave

Steve Coady — Wed, 12 Apr 2017 13:49:33 GMT

Dave

Thank you for the response. This scenario above has not been implemented as yet.

DSM

Steve Coady — Wed, 12 Apr 2017 13:49:57 GMT

DSM

Thank you for the response. This scenario above has not been implemented as yet.

topic Were you able to use PBR? If in Network Security

Policy based routing in ASA 9.4+ Dual WAN link

Were you able to use PBR? If

Did the null0 statement work

Dave

DSM