04-10-2011 05:36 AM - edited 03-11-2019 01:19 PM
Can someone provide me some guidance on how to configure an ASA that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the ASA DMZ would go through the other ISP. Can anyone provide configuration examples for both the edge router and the ASA? Thanks!!
Sent from Cisco Technical Support iPhone App
04-10-2011 05:46 AM
Hi Craig,
Unfortunately, using two ISPs on an ASA is not as easy or controllable, since there is no source based routing on the ASA.
However, to some extent it is possible by using static NATs. Kindly go through this link and see if scenario 2 in it helps in configuring the setup you need:
https://supportforums.cisco.com/docs/DOC-15622
For examples on policy based routing on routers, you can go through this Cisco Configuration Guide.
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
Hope this helps.
-Shrikant
P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.
04-10-2011 05:56 AM
Hi, see below a config example where PBR is being performed on the outside router connected to the ASA:
04-15-2011 09:46 AM
Okay, can someone verify the following configs? (I have attached the relevant portions of the ASA 5510 and the edge 2811 router doing PBR.)
ASA CONFIG
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
access-list send_to_new_isp remark Translate User Traffic to New ISP
access-list send_to_new_isp permit tcp any any eq 80
access-list send_to_new_isp permit tcp any any eq 443
global (outside) 50 2.2.2.2
global (outside) 101 interface
nat (inside) 50 access-list send_to_new_isp
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
EDGE ROUTER CONFIG
!
interface FastEthernet0/0
description Connection to ASA
ip address 1.1.1.254 255.255.255.0
ip policy route-map Internet_traffic
!
interface FastEthernet0/1
description New ISP Internet
ip address 2.2.2.254 255.255.255.0
!
interface Serial0/0/0
ip address 5.5.5.5 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 2.2.2.2 255.255.255.255 1.1.1.1
!
access-list 101 permit tcp host 2.2.2.2 any eq www
access-list 101 permit tcp host 2.2.2.2 any eq 443
route-map Internet_traffic permit 10
match ip address 101
set ip next-hop 2.2.2.100
!
route-map Internet_traffic permit 20
set interface Serial0/0/0
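Added example (not from this thread or from Cisco): a small Python model of the two-stage path selection encoded in the configs above, ASA policy NAT first and then the 2811's route-map, so you can sanity-check which ISP a given flow should take before touching the boxes. The constants are the values from the posted configs; the sample flows and the 203.0.113.0/24 destinations are constructed.

```python
from dataclasses import dataclass

ASA_OUTSIDE_IP = "1.1.1.1"      # global (outside) 101 interface
NEW_ISP_GLOBAL = "2.2.2.2"      # global (outside) 50 2.2.2.2
NEW_ISP_NEXT_HOP = "2.2.2.100"  # set ip next-hop in route-map seq 10
OLD_ISP_IF = "Serial0/0/0"      # set interface in route-map seq 20 (and the default route)
WEB_PORTS = {80, 443}           # access-list send_to_new_isp (ASA) and access-list 101 (router)

@dataclass(frozen=True)
class Flow:
    src_if: str    # ASA interface the flow enters on: "inside" or "DMZ"
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

def asa_translate(flow: Flow) -> str:
    """ASA 8.2 outbound NAT as posted. Policy NAT (nat id 50, ACL send_to_new_isp)
    is evaluated before the regular nat (inside) 101 0.0.0.0 0.0.0.0 rule.
    The posted config has no nat (DMZ) statement, so DMZ sources are left as-is."""
    if flow.src_if != "inside":
        return flow.src_ip
    if flow.proto == "tcp" and flow.dst_port in WEB_PORTS:
        return NEW_ISP_GLOBAL
    return ASA_OUTSIDE_IP

def router_pbr(src_ip: str, dst_port: int, proto: str = "tcp") -> tuple:
    """route-map Internet_traffic on Fa0/0: seq 10 matches access-list 101
    (tcp host 2.2.2.2 any eq www / eq 443); seq 20 has no match clause,
    so every other packet is policy-routed out Serial0/0/0."""
    if proto == "tcp" and src_ip == NEW_ISP_GLOBAL and dst_port in WEB_PORTS:
        return ("next-hop", NEW_ISP_NEXT_HOP)
    return ("interface", OLD_ISP_IF)

def egress(flow: Flow) -> tuple:
    """(source address as the router sees it, PBR decision) for a flow leaving via the ASA."""
    translated = asa_translate(flow)
    return translated, router_pbr(translated, flow.dst_port, flow.proto)

# Constructed sample flows; 203.0.113.0/24 is documentation address space, not a real host.
SAMPLE_FLOWS = [
    Flow("inside", "192.168.1.10", "203.0.113.5", 443),  # user HTTPS browsing -> new ISP
    Flow("inside", "192.168.1.10", "203.0.113.5", 25),   # user SMTP -> Serial0/0/0
    Flow("DMZ", "192.168.2.20", "203.0.113.5", 80),      # DMZ host on port 80, untranslated -> Serial0/0/0
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_if} {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto}: {egress(f)}")
```

This only encodes what the posted lines say; the check on the real devices is the ASA's packet-tracer and the route-map counters on the router.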