Beginner

ASA5506 vlan routing help

Hello,

I need a little help to get my configuration working.

I have 3 ISPs which all land on one switch.

I have an ASA5506X which needs to route each VLAN to a specific ISP.

So the configuration should look something like this:

external:

isp1 (gw address 10.10.10.1)

isp2 (gw address 10.10.10.2)

isp3 (gw address 10.10.10.3)

asa:

outside: 10.10.10.100

vlan 100 - ip range 192.168.100.0/24 - routed to isp1

vlan 200 - ip range 192.168.200.0/24 - routed to isp2

vlan 300 - ip range 192.168.300.0/24 - routed to isp3

Currently all my tests result in all VLANs being routed to isp1.

Beginner

Re: ASA5506 vlan routing help

If I understood correctly, you need to use PBR. Route traffic based on your source. Here is a sample configuration:

! Assumed names: the inside VLAN interfaces are nameif'd vlan100, vlan200 and
! vlan300 (subinterfaces GigabitEthernet1/2.100/.200/.300) and the single
! ISP-facing interface is nameif'd outside. Adjust to your own interface names.
! Note: 192.168.300.0 is not a valid IPv4 address (third octet > 255); put the
! real VLAN 300 subnet on those lines.
object network sub-vlan-100
 subnet 192.168.100.0 255.255.255.0
 nat (vlan100,outside) dynamic interface
object network sub-vlan-200
 subnet 192.168.200.0 255.255.255.0
 nat (vlan200,outside) dynamic interface
object network sub-vlan-300
 subnet 192.168.300.0 255.255.255.0
 nat (vlan300,outside) dynamic interface
!
! ACLs that select traffic by source subnet (the "ip" protocol keyword is required)
access-list out1 extended permit ip 192.168.100.0 255.255.255.0 any
access-list out2 extended permit ip 192.168.200.0 255.255.255.0 any
access-list out3 extended permit ip 192.168.300.0 255.255.255.0 any
!
! One route-map entry per VLAN, each pointing at its own ISP gateway
route-map pbr-map permit 10
 match ip address out1
 set ip next-hop 10.10.10.1
route-map pbr-map permit 20
 match ip address out2
 set ip next-hop 10.10.10.2
route-map pbr-map permit 30
 match ip address out3
 set ip next-hop 10.10.10.3
!
! PBR is applied on the ingress (inside) interfaces, not on outside
interface GigabitEthernet1/2.100
 policy-route route-map pbr-map
interface GigabitEthernet1/2.200
 policy-route route-map pbr-map
interface GigabitEthernet1/2.300
 policy-route route-map pbr-map
!
! Default routes for traffic that matches no route-map entry; lowest metric wins
route outside 0 0 10.10.10.1 1
route outside 0 0 10.10.10.2 2
route outside 0 0 10.10.10.3 3
!
Beginner

Re: ASA5506 vlan routing help

Hello,

 

In the ASA I currently have only one outside interface, and it is called "outside"; it is connected to a "dumb" switch.

The switch is connected to three different ISPs.

VIP Engager

Re: ASA5506 vlan routing help

Look at the example guide below, adding to the other post.

 

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

 

Also consider using IP SLA: if any of the links fails, route to a different ISP; if not, the traffic will be black-holed.

 

BB
Hall of Fame Master

Re: ASA5506 vlan routing help

I am puzzled about what the original poster describes: "have only one outside interface and it is called "outside" which is connected to a "dumb" switch. the switch is connected to three different isp's".

If there are 3 different ISPs I would certainly assume that each ISP has its own unique public IP. I do not see any way for the ASA5506 to be able to talk to 3 different public IPs connected to the outside interface. If this were IOS and we could use a secondary address then it could work. But that is not supported on the ASA. I do not see any way to get 3 different ISPs connected to a dumb switch connected to one ASA interface.

 

HTH

 

Rick

 

 

Beginner

Re: ASA5506 vlan routing help

I will try to explain a little bit more:

There is a router that first accepts all connections from the ISPs and then creates an internal network with a different IP representing each ISP. These IPs are used by many "secondary" routers (like this ASA). Please have a look at my great Paint drawing attached to this post.

Hall of Fame Master

Re: ASA5506 vlan routing help

Thank you for the explanation. This is an unusual environment but now we have a better understanding of it. Based on what we know now I do agree that the solution that you need is to configure Policy Based Routing on the ASA. In the route map for PBR you could match to subnet 1 and set ip next-hop as address of ISP 1, match to subnet 2 and set ip next-hop as address of ISP 2, and match on subnet 3 and set ip next-hop as address of ISP 3. 

 

HTH

 

Rick
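The route-map behaviour Rick describes (match the source subnet, set the matching ISP's next-hop) and BB's warning that a failed link black-holes traffic unless IP SLA tracking is in place can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco; it is a model of the ASA's decision, not ASA configuration. Assumed details: VLAN 300 is given 192.168.30.0/24 because 192.168.300.0 is not a valid IPv4 address, track IDs 1 to 3 stand in for IP SLA tracks on each gateway, and the static routes carry metrics 1, 2 and 3 as in the sample config earlier in the thread.

```python
"""Model of an ASA applying a PBR route-map per source subnet, and of how
IP SLA tracking decides whether a failed ISP next-hop black-holes traffic.
Constructed example: addresses mirror the thread, names and tracks are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PbrEntry:
    seq: int                # route-map sequence number
    match: IPv4Network      # the ACL referenced by "match ip address"
    next_hop: IPv4Address   # "set ip next-hop"
    track: int              # assumed SLA track id (verify-availability ... track N)


@dataclass(frozen=True)
class StaticRoute:
    next_hop: IPv4Address
    metric: int             # distance on the "route outside 0 0 <gw> <metric>" line
    track: int              # assumed SLA track id guarding this route


# Hypothetical equivalent of the thread's route-map; VLAN 300 uses 192.168.30.0/24
# because 192.168.300.0 is not a valid IPv4 address.
PBR_MAP = (
    PbrEntry(10, ip_network("192.168.100.0/24"), ip_address("10.10.10.1"), 1),
    PbrEntry(20, ip_network("192.168.200.0/24"), ip_address("10.10.10.2"), 2),
    PbrEntry(30, ip_network("192.168.30.0/24"), ip_address("10.10.10.3"), 3),
)
DEFAULT_ROUTES = (
    StaticRoute(ip_address("10.10.10.1"), 1, 1),
    StaticRoute(ip_address("10.10.10.2"), 2, 2),
    StaticRoute(ip_address("10.10.10.3"), 3, 3),
)


def select_next_hop(src: str, track_up: dict, *, sla_tracking: bool = True) -> Optional[IPv4Address]:
    """Return the gateway a packet from `src` would be forwarded to.

    track_up maps track id -> True/False (the IP SLA reachability result).
    With sla_tracking=False the route-map sets its next-hop unconditionally,
    which is the black-hole case when that ISP's gateway is down.
    """
    source = ip_address(src)
    for entry in PBR_MAP:                # lowest sequence first, first match wins
        if source in entry.match:
            if not sla_tracking:
                return entry.next_hop    # set even if the gateway is dead
            if track_up.get(entry.track, True):
                return entry.next_hop
            break                        # tracked hop is down: fall back to routing table
    # No PBR decision (no matching ACL, e.g. a DHCP lease outside the matched
    # subnets): normal routing, best metric whose track is still up.
    for route in sorted(DEFAULT_ROUTES, key=lambda r: r.metric):
        if not sla_tracking or track_up.get(route.track, True):
            return route.next_hop
    return None                          # no usable route at all


def is_black_holed(src: str, track_up: dict, *, sla_tracking: bool) -> bool:
    """True when the chosen next-hop belongs to an ISP whose track is down."""
    hop = select_next_hop(src, track_up, sla_tracking=sla_tracking)
    if hop is None:
        return True
    dead = {r.next_hop for r in DEFAULT_ROUTES if not track_up.get(r.track, True)}
    return hop in dead


if __name__ == "__main__":
    all_up = {1: True, 2: True, 3: True}
    isp1_down = {1: False, 2: True, 3: True}
    for src in ("192.168.100.5", "192.168.200.5", "192.168.30.5", "192.168.50.10"):
        print(src, "->", select_next_hop(src, all_up))
    print("ISP1 down, no tracking  :", select_next_hop("192.168.100.5", isp1_down, sla_tracking=False),
          "(black-holed)" if is_black_holed("192.168.100.5", isp1_down, sla_tracking=False) else "")
    print("ISP1 down, with tracking:", select_next_hop("192.168.100.5", isp1_down))
```

The 192.168.50.10 case shows why a host whose DHCP lease does not fall in one of the matched subnets ends up on ISP1: it matches no route-map entry and takes the lowest-metric default route. The ISP1-down cases show the difference tracking makes: without it, VLAN 100 keeps being sent to 10.10.10.1 and is black-holed; with it, the route-map entry is skipped and the next usable default route (10.10.10.2) carries the traffic.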

Beginner

Re: ASA5506 vlan routing help

Thank you for your reply. I managed to get this far already yesterday and it seems to be working. Now the problem is that when I have set a DHCP server for the interface it stops working.

Hall of Fame Master

Re: ASA5506 vlan routing help

Glad you got it to the point where it seems to be working. I am not clear how setting a DHCP server would impact PBR unless the DHCP server is changing addresses so that they do not match the ACL for PBR. Perhaps you could supply some detail about what you are trying to do?

 

HTH

 

Rick
