3560 two ISP with ASA

Arthur Rack
Level 1

Hi.

I have a configuration like in the attached picture.

3560.jpg

I have 2 ISPs. Both are sending me the default route 0.0.0.0 to the Internet. ISP1 is primary, ISP2 is backup.

BGP is working fine on the 3560, I can see those routes. But the traffic from the VLANs should first go to the ASA to do NAT.

I have created default routes on the 3560, for example:

ip route DMZ_IP_address DMZ_SUBNET_MASK 10.100.100.2

and now hosts from the VLANs are NAT'ed and can ping servers in the DMZ etc., but they can't ping Internet hosts. The switch is probably sending traffic directly to ISP1, but it should first send it to the ASA.

So I have made a PBR on the 3560:

ip access-list extended PBR-ACL
 permit ip 10.10.10.0 0.0.0.255 any
!
! the route-map referenced on the interface must be defined and match the ACL
route-map PBR-ACL2 permit 10
 match ip address PBR-ACL
 set ip next-hop 10.100.100.2
!
interface Vlan10
 ip policy route-map PBR-ACL2

Now hosts from VLAN 10 are able to ping both DMZ and INTERNET hosts, but the inside communication is malfunctioning (between VLANs). Hosts are able to ping each other, but there are some problems with other communication, e.g. SSH/telnet. I believe that the traffic from VLAN 10 first goes to the ASA, then comes back to the 3560, and at the end it is delivered to hosts in other VLANs. Am I right?

Can someone help me and tell me how to configure this scenario?

P.S. I don't want to use the ASA as the endpoint for the ISPs.

1 Reply

Seb Rupik
VIP Alumni

Hi Arthur,

Sounds like you need a VRF configured on the 3560 to segregate internal LAN and ASA <-> ISP traffic.

Since I don't know what your internal network looks like, it is probably easiest to create a VRF to contain your ISP router links and a third link going to your ASA, and leave the rest of the interfaces in the default VRF. Looking at your diagram, this can just be a subinterface on the existing trunk link between the 3560 and the ASA.

You will need to configure either static or dynamic routing between the OUTSIDE VRF and the ASA.

The config below captures the details; please fill in the x's:

!
vrf definition OUTSIDE
 description OUTSIDE_ROUTING_TABLE
 !
 address-family ipv4
 exit-address-family
!
interface Vlan2
 description LINK_TO_ISP1
 vrf forwarding OUTSIDE
 ip address x x
!
interface Vlan3
 description LINK_TO_ISP2
 vrf forwarding OUTSIDE
 ip address x x
!
interface Vlan4
 description LINK_TO_ASA
 vrf forwarding OUTSIDE
 ip address <asa_link_subnet>
!
router eigrp OUTSIDE
 !
 address-family ipv4 unicast vrf OUTSIDE autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  ! only the ASA link (Vlan4) should form an EIGRP adjacency;
  ! the network statement below covers that subnet only
  af-interface Vlan4
   no passive-interface
  exit-af-interface
  !
  topology base
   ! redistribute bgp needs the BGP AS number
   redistribute bgp <bgp_as>
  exit-af-topology
  !
  network <asa_link_subnet>
 exit-address-family
!

cheers,

Seb.
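As an added illustration of why the PBR in the question breaks inter-VLAN traffic and how the VRF-lite split in the reply avoids it (this is example code, not from either post), here is a small Python model of per-VRF longest-prefix forwarding. VLAN 10 and the ASA inside address come from the thread; the second internal VLAN, the ASA-to-OUTSIDE link and the ISP next hops are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: VLAN 10 (10.10.10.0/24) from the thread, a second
# internal VLAN (assumed 10.10.20.0/24), the ASA inside at 10.100.100.2 from
# the thread, an assumed ASA<->OUTSIDE link 10.200.200.0/30, and assumed ISP
# next hops 203.0.113.1 (ISP1, preferred) and 198.51.100.1 (ISP2, backup).
# Each entry: (prefix, next_hop, preference); lower preference wins on ties.
VRF_TABLES = {
    "global": [
        ("10.10.10.0/24", "connected", 0),
        ("10.10.20.0/24", "connected", 0),
        ("0.0.0.0/0", "10.100.100.2", 1),   # Internet-bound -> ASA for NAT
    ],
    "OUTSIDE": [
        ("10.200.200.0/30", "connected", 0),
        ("0.0.0.0/0", "203.0.113.1", 20),   # BGP default from ISP1
        ("0.0.0.0/0", "198.51.100.1", 30),  # BGP default from ISP2 (backup)
    ],
}

def lookup(vrf, dst):
    """Longest-prefix match in one VRF's table; ties broken by preference."""
    dst = ip_address(dst)
    best = None
    for prefix, nh, pref in VRF_TABLES[vrf]:
        net = ip_network(prefix)
        if dst not in net:
            continue
        if best is None or (net.prefixlen, -pref) > (best[0].prefixlen, -best[2]):
            best = (net, nh, pref)
    return best[1] if best else None

def withdraw(vrf, next_hop):
    """Simulate a BGP peer going down: drop every route via that next hop."""
    VRF_TABLES[vrf] = [r for r in VRF_TABLES[vrf] if r[1] != next_hop]

# The poster's PBR: "permit ip 10.10.10.0 0.0.0.255 any" applied on Vlan10.
PBR_SRC = ip_network("10.10.10.0/24")
PBR_NEXT_HOP = "10.100.100.2"

def forward_with_pbr(src, dst):
    """PBR is evaluated before the routing table, so every packet from VLAN 10
    is sent to the ASA, including packets for other internal VLANs."""
    if ip_address(src) in PBR_SRC:
        return PBR_NEXT_HOP
    return lookup("global", dst)

def forward_with_vrf(dst, vrf="global"):
    """VRF-lite design, no PBR: internal VLANs stay connected in the global
    table, only the default points at the ASA, and the ASA's outside traffic
    is routed by the BGP defaults held in the OUTSIDE VRF."""
    return lookup(vrf, dst)
```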
