Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3695
Views
7
Helpful
7
Replies

ASA 5512 X, 2 Outside and 2 Inside Interface. How to configure routing for each seperately

ajay.kumar
Level 1
Level 1

‎06-08-2013 03:56 PM - edited ‎03-11-2019 06:55 PM

Hello,

I have a Cisco 5512 x Firewall connected with Cisco Layer 3 switch 3750.

I have two different WAN connections, one for Data and one for voice. Cisco Layer 3 switch is configured with 2 different VLAN's one for data & other is Voice Vlan. Switch is providing DHCP to computers and IP phones. Voice Pool 192.168.10.0/24 Vlan10 and Data pool 192.168.20.0/24 Vlan20.

I need to route my data & voice traffic seperately.

Cisco ASA is connected with two different ISP's. So, how can I do this configuration so that Voice and Data traffic will route seperately.

Labels:
0 Helpful
7 Replies 7

Julio Carvajal
VIP Alumni
VIP Alumni

‎06-08-2013 07:25 PM

Hello Sr,

Well you cant do PBR on the ASA so u will need to trick the ASA for this to happen.

With NAT u would be able to send http traffic over one link and HTTPS over the other one ( not officially supported. Is more of a hack)

The other thing would be to route traffic based on destinations

Regards

Julio

Rate all of the helpful posts


Sent from Cisco Technical Support Android App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ajay.kumar
Level 1
Level 1
In response to Julio Carvajal

‎06-09-2013 09:10 AM

ASA 5512x

Wan Interface Outside1     :     203.123.33.105 255.255.255.248

Wan Interface Outside2     :     61.66.74.150 255.255.255.248

Lan Inside:     192.168.20.1 255.255.255.0

------------------------------------------------------------------------------------------------------

Switch 3750 Layer 3

Connected with ASA :     192.168.20.2 255.255.255.0

Voice VLan             :     192.168.10.0/24

Data VLan              :     192.168.20.0/24

------------------------------------------------------------------------------------------------------

Both outside intefaces are up.

I can route the data traffic coming from Data Vlan and traffic is routing through Outside1 interface perfectly.

Switch is configured with QOS and IP phones & lapotps are picking correct IP's through DHCP configured for both VLan. I can ping the ASA Lan inteface in switch from both VLan's.

Now I am facing following problems:

1. I am not able to ping between data and voice vlan's.

2. Voice traffic is not routing through Outside2 interface.

Can anyone please tell me which access-list and NAT policies I have to make for this topology.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to ajay.kumar

‎06-09-2013 09:32 AM

Hello Ajay,

Okey,

Issue 1)

Both networks are behind the ASA, so make sure you have the same-security-traffc permit intra-interface.

You should have the inspection for the ICMP protocol.

do the following:

packet-tracer input inside 192.168.10.15 8 0 192.168.20.10

packet-tracer input inside 192.168.20.10 8 0 192.168.10.15

Issue 2)

Well again, you cannot route based on source IP addresses,

Are you trying to go to a specific subnet/device via the WAN2 interface

Rate all of the helpful posts, keep us motivated to keep replying

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

ajay.kumar
Level 1
Level 1
In response to Julio Carvajal

‎06-13-2013 04:29 PM

1. Can i connect two ASA's with L3 switch and do the routing in the switch for different Vlan's traffic will go through different ASA interfaces.

2. If I place a router for different ISP's.

ISP1 & ISP2 - Router - ASA - Switch with 2 vlan's

In this way can I route the traffic of vlan's to different ISP's.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to ajay.kumar

‎06-13-2013 05:15 PM

1) As long that traffic traverses the ASA (so stateful inspection engine pass) u are good to go.

2) Exactly, that's the best way to go Doing the PBR on the router

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ajay.kumar
Level 1
Level 1
In response to Julio Carvajal

‎06-13-2013 06:05 PM

which router will be best for this. I have to use 2 WAN interfaces for Data & Voice (IP Phones). 2 site to site VPN Tunnels. And Users may access VPN through VPN Client or Cisco anyconnect VPN. Also we have to connect PBX.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to ajay.kumar

‎06-13-2013 08:08 PM

Hello,

I not consider myself a person that can recommend a router

But what about one from the 2800 series (The 2821 is one great Integrated Service Router)

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/ps5882/product_data_sheet0900aecd8016fa68.pdf

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card