topic Re: Multiple networks for outside connection in Network Security

Multiple networks for outside connection

David Lin — Mon, 11 Mar 2019 16:35:28 GMT

I'd like to configure 2 networks for outside connection so that I can assign diffirent IP's to the inside hosts.

The interface configuration is as following,

interface Ethernet0/0

no nameif

no security-level

no ip address

interface Ethernet0/0.1

vlan 10

nameif outside1

security-level 0

ip address x.x.x.2 255.255.255.192

interface Ethernet0/0.2

vlan 20

nameif outside2

security-level 0

ip address y.y.y.2 255.255.255.224

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

When I added either

route outside1 0.0.0.0 0.0.0.0 x.x.x.1 1

route outside1 0.0.0.0 0.0.0.0 y.y.y.1 1

x.x.x.2 on outside1 is reachable from Internet but y.y.y.2 on outside2 is not.

I tried to add

route outside2 0.0.0.0 0.0.0.0 y.y.y.1 1

But ASA doesn't allow me to do it---

ERROR: Cannot add route entry, conflict with existing routes

Can anyone kindly advise how to achieve it? TIA.

Re: Multiple networks for outside connection

mkharban — Tue, 03 Nov 2009 18:31:36 GMT

Hi,

We have two ways of doing it. Below given are both the methods:

Terminating two ISPs on ASA/PIX-

ISP1------------------Internet

1.1.1.2 |

| |

1.1.1.1 |

PIX/ASA|2.2.2.1----2.2.2.2|ISP2

3.3.3.1

Internal Network

Lets say we has above setup, with ISP1 being the Primary ISP

and ISP2 being the Secondary ISP.

I'm assuming that you all know how ISP failback is configured and

how it functions. To summarize, in ISP failback all traffic goes out

using ISP1 and if it fails, ASA/PIX starts routing traffic via ISP2.

Scenario I

==========

Now, we do not want to configure ISP failback, but we needs

to route Web (port 80,443) traffic via ISP2 and all other traffic

via ISP1. This requires PBR, which is not supported on ASA/PIX, but

we can configure a workaround on ASA/PIX to make it work.

Following are the commands which will achieve it-

route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1

route ISP2 0 0 2.2.2.2 2 //Default route with Metric 2 via ISP2

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface

Thats it !! Now all the traffic destined to any address on port 80/443

will be forcibly put on ISP2 interface and routed from there.

Note: This stuff requires that we KNOW what the destination ports are,

if there is some traffic which uses dynamic ports, like voice traffic

we will have to route it via ISP1 and cannot make it route via ISP2.

Scenario II

===========

In the same setup, if we say that we wants half traffic to go

via ISP1 and half traffic via ISP2, first we need to understand

that ASA is NOT a load-balancer or packet-shaper. Hence we cannot

*truly* achieve this, but we may configure ASA in such a manner that

traffic for some destination IP address is routed via ISP1 and some

is routed via ISP2. Following would be configuration commands in this

scenario-

nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface

route ISP1 128.0.0.0 128.0.0.0 1.1.1.2

route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

The first creates a default route that routes addresses with the first

bit of 1 to 1.1.1.2 of ISP1.

The second creates a default route that routes addresses with the first

bit of 0 to 2.2.2.2 of ISP2.

Note: This will do traffic routing based on *Destination* IP addresses and

NOT based on traffic load. As I mentioned, ASA is NOT a packet-shaper.

Hope this helps!

Re: Multiple networks for outside connection

David Lin — Tue, 03 Nov 2009 21:48:59 GMT

Thank you for your so detail explaination!

I tested method I and it worked fine. But some applications request dynamic detination port in both two networks, so I can use this way.

Regarding to the second solution, can both 2 networks be fully reachable from Internet if I sperate the route?

Thank you so much.

Re: Multiple networks for outside connection

mkharban — Tue, 03 Nov 2009 21:51:51 GMT

Yes,

Both the networks will be reachable from the internet if the routes are separated.

Hope this helps!

Re: Multiple networks for outside connection

David Lin — Wed, 04 Nov 2009 18:57:54 GMT

But I'm having difficulty to ping ISP2 from ISP1 network or vice versa.

I tried to ping them from ISP3, it's same.

interface Ethernet0/0

no nameif

security-level 0

no ip address

interface Ethernet0/0.1

vlan 10

nameif ISP1

security-level 0

ip address 1.1.1.2 255.255.255.0

interface Ethernet0/0.2

vlan 20

nameif ISP2

security-level 0

ip address 2.2.2.2 255.255.255.0

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1

route ISP2 128.0.0.0 255.0.0.0 1.1.1.2 1