Welcome to Cisco Firewalls Community

Beginner

ASA5506 vlan routing help

Hello,

 

I need a little help to get my configuration working.

I have 3 ISPs which all land on one switch.

I have an ASA5506-X which needs to route each VLAN to a specific ISP.

 

so the configuration should look something like this:

external:

isp1 (gw address 10.10.10.1)

isp2 (gw address 10.10.10.2)

isp3 (gw address 10.10.10.3)

asa:

outside: 10.10.10.100

vlan 100 - ip range 192.168.100.0/24  - routed to isp1

vlan 200 - ip range 192.168.200.0/24  - routed to isp2

vlan 300 - ip range 192.168.300.0/24  - routed to isp3

 

Currently all my tests result in all VLANs being routed to isp1.

Beginner

Re: ASA5506 vlan routing help

If I understood correctly you need to use PBR. Route traffic based on its source. Here is a sample configuration:

```
! Define the three VLAN subnets. Object NAT must sit inside the object
! that carries the subnet, so the dynamic PAT to the outside address is
! attached to these same objects below.
object network sub-vlan-100
 subnet 192.168.100.0 255.255.255.0
object network sub-vlan-200
 subnet 192.168.200.0 255.255.255.0
object network sub-vlan-300
 ! 192.168.300.0 as given in the question is not a valid IPv4 address
 ! (octets run 0-255); substitute the real VLAN 300 subnet here
 subnet 192.168.300.0 255.255.255.0
!
! Assuming a single ISP-facing interface named outside and VLAN
! interfaces named vlan100, vlan200 and vlan300. The first name in
! nat (real,mapped) is the real (inside) interface.
object network sub-vlan-100
 nat (vlan100,outside) dynamic interface
object network sub-vlan-200
 nat (vlan200,outside) dynamic interface
object network sub-vlan-300
 nat (vlan300,outside) dynamic interface
!
! Identify each VLAN's traffic by source subnet (the protocol keyword ip is required)
access-list out1 extended permit ip 192.168.100.0 255.255.255.0 any
access-list out2 extended permit ip 192.168.200.0 255.255.255.0 any
access-list out3 extended permit ip 192.168.300.0 255.255.255.0 any
!
! One route-map clause per VLAN, each pointing at its own ISP gateway
route-map pbr-map permit 10
 match ip address out1
 set ip next-hop 10.10.10.1
route-map pbr-map permit 20
 match ip address out2
 set ip next-hop 10.10.10.2
route-map pbr-map permit 30
 match ip address out3
 set ip next-hop 10.10.10.3
!
! PBR is applied on the ingress (VLAN) interfaces, not on outside;
! sub-interface names below are assumed
interface GigabitEthernet1/2.100
 policy-route route-map pbr-map
interface GigabitEthernet1/2.200
 policy-route route-map pbr-map
interface GigabitEthernet1/2.300
 policy-route route-map pbr-map
!
route outside 0 0 10.10.10.1 1
route outside 0 0 10.10.10.2 2
route outside 0 0 10.10.10.3 3
!
```
Beginner

Re: ASA5506 vlan routing help

Hello,

 

In the ASA I currently have only one outside interface and it is called "outside", which is connected to a "dumb" switch.

The switch is connected to three different ISPs.

VIP Advocate

Re: ASA5506 vlan routing help

Look at the example guide below, adding to the other post.

 

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

 

Also consider using IP SLA: if any of the links fails, route to a different ISP; if not, the traffic will be black-holed.

 

BB
*** Rate All Helpful Responses ***
Hall of Fame Master

Re: ASA5506 vlan routing help

I am puzzled about what the original poster describes: "have only one outside interface and it is called 'outside' which is connected to a 'dumb' switch. The switch is connected to three different ISPs."

If there are 3 different ISPs I would certainly assume that each ISP has its own unique public IP. I do not see any way for an ASA5506 to be able to talk to 3 different public IPs connected to the outside interface. If this were IOS and we could use a secondary address then it could work. But that is not supported on the ASA. I do not see any way to get 3 different ISPs connected to a dumb switch connected to one ASA interface.

 

HTH

 

Rick

 

 

Beginner

Re: ASA5506 vlan routing help

I will try to explain a little bit more:

There is a router that first accepts all connections from the ISPs and then creates an internal network with a different IP representing each ISP. These IPs are used by many "secondary" routers (like this ASA). Please have a look at my great paint drawing attached to this post.

Hall of Fame Master

Re: ASA5506 vlan routing help

Thank you for the explanation. This is an unusual environment but now we have a better understanding of it. Based on what we know now I do agree that the solution that you need is to configure Policy Based Routing on the ASA. In the route map for PBR you could match to subnet 1 and set ip next-hop as address of ISP 1, match to subnet 2 and set ip next-hop as address of ISP 2, and match on subnet 3 and set ip next-hop as address of ISP 3. 

 

HTH

 

Rick

Beginner

Re: ASA5506 vlan routing help

Thank you for your reply. I managed to get this far already yesterday and it seems to be working. Now the problem is that when I have set a DHCP server for the interface it stops working.

Hall of Fame Master

Re: ASA5506 vlan routing help

Glad you got it to the point where it seems to be working. I am not clear how setting a DHCP server would impact PBR unless the DHCP server is changing addresses so that they do not match the ACL for PBR. Perhaps you could supply some detail about what you are trying to do?

 

HTH

 

Rick

Beginner

Re: ASA5506 vlan routing help

Sorry if my explanation was not clear. If I remove PBR then my computers get an address from the DHCP server that has been configured on the ASA for the VLAN interface. If I set PBR then computers on this VLAN interface stop getting an address from the DHCP server configured in the ASA.

Hall of Fame Master

Re: ASA5506 vlan routing help

Thanks for the explanation. Since we do not have any details of what you are doing it is difficult to know exactly what the issue is. But it seems logical that something in the operation of PBR is interfering with DHCP. Perhaps you could revise the ACL that you use to identify traffic for PBR and deny packets related to DHCP?

 

Am I correct in understanding that you have several vlans (and therefore several subnets) on your ASA? And so there would be several DHCP scopes? And that you are applying PBR to the interfaces for those several vlans? Perhaps you could post some details about this?

 

HTH

 

Rick
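Rick's suggestion to keep DHCP out of the PBR ACL, together with BB's IP SLA suggestion, written out for VLAN 100 as an added example that is not from any poster in this thread. It reuses the names from the sample configuration (out1, pbr-map, outside) and the gateway addresses from the question; the sla monitor and track numbers are arbitrary choices for this example.

```cisco
! VLAN 100 PBR ACL: the deny entry keeps DHCP client traffic (UDP 68 -> 67)
! out of policy routing so it still reaches the DHCP server on the ASA.
! Entries are evaluated top-down, so the deny must sit above the permit.
access-list out1 extended deny udp any eq bootpc any eq bootps
access-list out1 extended permit ip 192.168.100.0 255.255.255.0 any
!
! IP SLA probes: ping each ISP gateway through outside every 5 seconds
! (sla monitor and track numbers are arbitrary, chosen for this example)
sla monitor 11
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 frequency 5
sla monitor schedule 11 life forever start-time now
track 1 rtr 11 reachability
!
sla monitor 12
 type echo protocol ipIcmpEcho 10.10.10.2 interface outside
 frequency 5
sla monitor schedule 12 life forever start-time now
track 2 rtr 12 reachability
!
! Route-map clause for VLAN 100: next hops are tried in sequence order and
! a next hop whose track object is down is skipped, so VLAN 100 falls back
! to isp2 while isp1 is unreachable instead of being black-holed
route-map pbr-map permit 10
 match ip address out1
 set ip next-hop verify-availability 10.10.10.1 1 track 1
 set ip next-hop verify-availability 10.10.10.2 2 track 2
!
! Tracked default route for traffic the route-map does not handle
route outside 0 0 10.10.10.1 1 track 1
```

Check the probe state with `show track` and `show sla monitor operational-state`; a clause whose track is down is what moves traffic to the next listed gateway.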