topic Possible? in Network Security

Possible?

Federico Coto Fajardo — Mon, 11 Mar 2019 21:36:32 GMT

Hi Team!

Here's the scenario:

Bunch of networks -- ASA -- ISP1

-- ISP2

The deal is that the customer wants one of the networks 172.16.x.0/24 to use ISP2 as its main exit, while keeping all other networks using ISP1.

We know there's no PBR functionality on ASA, and also there are some workarounds with NAT, but this is the problem that I'm having:

Current config for ISP1 for all networks:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

route outside 0 0 x.x.x.x 1

Works perfectly fine.

I add the following to try to make 172.16.x.0/24 to use ISP2.

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 1 --> as soon as I enter this command the ASA complains, it won't allow it... fine, so I did as per this document:

https://supportforums.cisco.com/docs/DOC-15622

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

But that drops the Internet connection.

Funny thing is that if I do the following:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Then, the inside host can't get to the Internet... seems to me that having an AD of ''2'' on the default route the ASA won't use it since it has a better route pointing to the original ISP1.

So, can this be done?

Thanks!

Federico.

Possible?

varrao — Tue, 11 Oct 2011 16:25:22 GMT

Hi Fed,

Lets say the DG for ISP 1 line is 1.1.1.1 and for ISP 2 is 2.2.2.2,

Add teh nat statements in the same order as below:

nat (inside) 2 172.16.x.0 255.255.0.0

nat (inside) 1 0 0

global (outside_new) 2 interface

global (outside) 1 interface

route outside 0 0 1.1.1.1 1

route outside_new 0 0 2.2.2.2 2

But I would never suggest this, since ASA is not a load-balancer, it should not be done on it.

Best is to connect a router in front of your ASA, terminate the ISP on it and do PBR on the router.

Varun

Re: Possible?

Jon Marshall — Tue, 11 Oct 2011 16:33:28 GMT

Varun

How does this work ?

For a start i thought the ASA did not support multiple default-routes pointing out of different interfaces.

And even if it did how does the NAT setup for 172.16.x.0 "tie" it to the outside_new interface ? Because doesn't the routing define which interface is used for NAT ie. assuming you could have 2 default-routes to different interfaces -

172.16.5.1 comes in on the inside wirth destination any address. How does the ASA know to use the default-route pointing to 2.2.2.2 ?

Are yoy saying the default-route via 1.1.1.1 is rejected because there is no global (outside) 2 corresponding config ?

Jon

Possible?

varrao — Tue, 11 Oct 2011 16:40:50 GMT

Ooops I must have mixed it up, what I wanted to was:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I mixed it up But my advise still remains, its just a workaround and not a tested thing, even I have never tested it, so the result might differ, from setup to setup and router shoudl only be used for tyhis purpose.

Glad you pointed it out, nothing beats your eye

Re: Possible?

Jon Marshall — Tue, 11 Oct 2011 16:52:36 GMT

Varun

No problem and believe me i mix things up quite often myself

To be honest i am posting for my own clarification on this as much as anything else. And its the NAT config i am intrigued by.

With your config when a packet comes in on the inside interface from 172.16.5.1 with a destination of 15.15.15.1 the routing table is looked up and the routes chosen is via the outside interface ie. next-hop 1.1.1.1. But there is no corresponding global ie.

nat (inside) 2 172.16.x.0 255.255.0.0

but there is no global (outside) 2 statement so i would have thought the ASA would simply drop the packet because it cannot NAT it.

If the destination was for 130.15.15.1 for example then yes it would work.

Just want to be sure i am not misunderstanding how the nat/global routing interactions wortk.

Edit - will Cisco ever support PBR for the ASA, seems like these sort of questions come up all the time

Jon

Possible?

Federico Coto Fajardo — Tue, 11 Oct 2011 16:58:10 GMT

Hi Jon and Varun!

Thank you both 🙂

I have the same exact doubt as Jon.

This config won't work:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Because (i think) the fact of a better route in the routing table (AD of 1)

The ASA won't let me allow this:

route new_outside 0 0 y.y.y.y 1 --> complains about the route

Federico.

Possible?

Jon Marshall — Tue, 11 Oct 2011 17:04:25 GMT

Hi Federico

No that definitely won't work. You cannot have multiple default-routes pointing out of different interfaces on the ASA. You can have multiple default-routes pointing out of the same interface but that wouldn't help in your situation.

I agree with Varun that the ASA really isn't designed to be a load-balancer and as it doesn't support PBR you really are going to struggle doing this. What you need is PBR on a router(s) that are outside of the ASA but if your ISP controls those routers there is not a lot you can do.

Jon

Possible?

varrao — Tue, 11 Oct 2011 17:07:29 GMT

Yes thats correct what Jon pointed out and I think your situation is different to whats mentioned in the doc, the doc is if half of the network needs to be sent through ISP1 and the other half from ISP2:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

Have a look at the network and subnet masks being used.

I don't think so it shoudl work the way we are trying to, since I ahev also never tested it. The only thing that I have tested is if your 172.16.x.0 is connected behind another interface rqather than inside, lets say inside_2, then this can be accomplished:

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

In teh config above, we are using the static command to route the traffic through new_outside.

Varun

Possible?

Federico Coto Fajardo — Tue, 11 Oct 2011 17:17:33 GMT

Hi,

I agree with you both, and I really don't like the situation 😉

But I'm wondering why the following won't work:

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I agree the ASA is not supposed to do this, but just wondering why it does not work like the logic says.

I thought with the above (don't have two default gateways out two different interfaces), just have two routes via ISP2 sending ''all'' traffic out. With the proper NAT configuration?

Thank you guys again for all your input 🙂

Possible?

Jon Marshall — Tue, 11 Oct 2011 17:45:09 GMT

Federico

The problem is that even if you could do this ie. i assume you mean

route outside 0.0.0.0 0.0.0.0 x.x.x.x

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y

and i'm not sure it would allow you but lets say you could. The default-route via outside would never be used because the 2 routes via new_outside are more specific and the more specific routes are always chosen so all traffic would then go via outside2.

If instead you had -

route outside 0.0.0.0 128.0.0.0 x.x.x.x

route outside_new 128.0.0.0 128.0.0.0 y.y.y.y

then this would split traffic down the links but still based on destination not source ie. all destinations from 1.x.x.x -> 126.x.x.x would be sent via the outside interface and destinations from 128.x.x.x upwards would be sent to outside_new.

There is no way to specify which route to used based on source IP on the ASA.

Jon

Possible?

varrao — Tue, 11 Oct 2011 17:57:43 GMT

Thats right as Jon said.

The doc is for splitting the traffic going to the internet based on destination ip, so your requirement doesn't fall into it. Source based routing is not an option on ASA, so that makes it more difficult for you.

Varun

Possible?

Federico Coto Fajardo — Tue, 11 Oct 2011 18:09:54 GMT

I am more clear now 🙂

So, besides being an awful solution with the ASA as we all know, it is not even possible correct?

Just to confirm since ''not supported'' does not neccessarily means ''can't possibly do it''!

Thank you,

Federico.

Re: Possible?

Jon Marshall — Tue, 11 Oct 2011 18:14:19 GMT

Federico

Assuming we are talking about the original issue, ie. 172.16.x.x via outside_2, as far as i can see it's just not possible to do on an ASA rather than simply being unsupported.

Jon

Possible?

varrao — Tue, 11 Oct 2011 18:20:14 GMT

Yes, this is not possible on ASA, I have never been able to do it, until anyone can come up with any magic solution to it , I would definitely put it in unsupported configuration only.

Thanks,

Varun

Possible?

Federico Coto Fajardo — Tue, 11 Oct 2011 18:52:02 GMT

Thank you both guys!

Cheers!

Federico.

Possible?

varrao — Tue, 11 Oct 2011 18:54:57 GMT

Cheers Fed and cheers to you as well Jon, it was a useful discussion.

Varun

Possible?

Jon Marshall — Tue, 11 Oct 2011 18:58:43 GMT

Agreed, it cleared a few things up for me as well.

Jon

Re: Possible?

Jon Marshall — Tue, 11 Oct 2011 19:08:05 GMT

edited for spacing

Re: Possible?

Jon Marshall — Tue, 11 Oct 2011 19:09:19 GMT

Federico / Varun

A thought just occured. Varun wrote -

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

I have never done this so i may be misunderstanding but Varun seems to be suggesting with this config all traffic from inside2 would be routed out of new_outside. If this is the case then either -

1) do you have a spare interface you could route the 172.16.x.x addresses to on the inside

2) if you don't could you use subinterfaces on the inside interface and route just the 172.16.x.x to one of the subinterfaces and the rest of the traffic to the other

Varun, if i have misunderstood what that config does please let me know.

Jon

Possible?

Federico Coto Fajardo — Tue, 11 Oct 2011 19:11:02 GMT

It will be a matter of just having another ''inside'' interface (subinterface)?

Federico.