11-06-2015 05:25 AM - edited 03-11-2019 11:50 PM
Hello,
I'm trying to achieve the following:
Have all internal/LAN clients access the internet via ISP1, but if they are trying to access the subnet 80.80.80.0/24, traffic should go through ISP2.
Right now I have something similar to the following static routes configured in the ASDM:
ISP1:
IP address: 0.0.0.0
Netmask: 0.0.0.0
Gateway IP: 15.15.15.1
Metric 1
ISP2:
IP address: 80.80.80.0
Netmask: 255.255.255.0
Gateway IP: 20.20.20.1
Metric 1
The problem is that all traffic, including that for 80.80.80.0/24 still goes only through ISP1.
Anyone know how I can achieve this? My experience with Cisco ASA is very limited.
Thanks!
11-07-2015 04:14 AM
Your next hop IP for 80.80.80.0/24 is 20.20.20.1 but the ASA has no directly connected interface in that subnet.
So it then has to look for a route to that next hop and the only matching route is the default route which is why it is sending it that way.
Jon
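To make Jon's point concrete, here is an added Python model of the recursive route lookup (example code, not from the thread or from Cisco) run over the routing table the OP posted. It shows that a static route whose next hop is not on any connected network falls through to the default route, so 80.80.80.0/24 egresses ISP1; the corrected next hop 20.20.20.33 is an assumed address inside the connected 20.20.20.32/27 range.

```python
import ipaddress

# Routing table reconstructed from the "show route" output in the thread.
# Each entry: (prefix, next hop or None for a connected route, interface).
ROUTES = [
    ("192.168.50.0/24", None, "management"),
    ("20.20.20.32/27", None, "ISP2"),
    ("80.80.80.0/24", "20.20.20.1", "ISP2"),   # next hop is NOT in 20.20.20.32/27
    ("15.15.15.0/24", None, "ISP1"),
    ("192.168.1.0/24", None, "internal"),
    ("0.0.0.0/0", "15.15.15.1", "ISP1"),
]


def longest_match(dst, routes):
    """Return the most specific (prefix, next_hop, ifc) containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best


def resolve_egress(dst, routes, depth=0):
    """Resolve the real egress interface for dst.

    A connected route ends the lookup. A static route is resolved by looking
    up its next hop again; the interface named on the static route is
    irrelevant if the next hop is only reachable via some other route.
    The depth guard stops a self-referencing route from recursing forever."""
    route = longest_match(dst, routes)
    if route is None or depth > 8:
        return None
    _net, nh, ifc = route
    if nh is None:
        return ifc
    return resolve_egress(nh, routes, depth + 1)


def with_next_hop(routes, prefix, new_nh):
    """Copy of the table with the next hop of one static route replaced."""
    return [(p, new_nh if p == prefix else nh, ifc) for p, nh, ifc in routes]


if __name__ == "__main__":
    print("as posted :", resolve_egress("80.80.80.8", ROUTES))        # ISP1
    fixed = with_next_hop(ROUTES, "80.80.80.0/24", "20.20.20.33")  # assumed next hop
    print("fixed table:", resolve_egress("80.80.80.8", fixed))     # ISP2
```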
11-06-2015 07:42 AM
Hi,
When the firewall performs a route lookup, ideally it should select the longest matching route. Could you provide the "show route" output, and could you also run the packet tracer on the ASA?
packet-tracer input <incoming interface> icmp <source ip> 8 0 <destination IP> det
ex: packet-tracer input inside icmp 10.0.0.10 8 0 80.80.80.8 det
Thanks,
Shivapramod M
11-06-2015 10:32 AM
Hi,
Thank you for your answer.
This is the show route output
ciscoasa5512(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 15.15.15.1 to network 0.0.0.0
C 192.168.50.0 255.255.255.0 is directly connected, management
C 20.20.20.32 255.255.255.224 is directly connected, ISP2
S 80.80.80.0 255.255.255.0 [1/0] via 20.20.20.1, ISP2
C 15.15.15.0 255.255.255.0 is directly connected, ISP1
C 192.168.1.0 255.255.255.0 is directly connected, internal
S 192.168.1.181 255.255.255.255 [1/0] via 15.15.15.1, ISP1
S 192.168.1.177 255.255.255.255 [1/0] via 15.15.15.1, ISP1
S* 0.0.0.0 0.0.0.0 [1/0] via 15.15.15.1, ISP1
And this is the packet tracer output. It seems that it's still going through ISP1:
ciscoasa5512(config)# packet-tracer input internal icmp 192.168.1.101 8 0$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 ISP1
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INTERNET
nat (internal,ISP1) dynamic interface
Additional Information:
Dynamic translate 192.168.1.101/0 to 15.15.15.56/39488
Forward Flow based lookup yields rule:
in id=0x7fff9f5eab30, priority=6, domain=nat, deny=false
hits=3461, user_data=0x7fff9f67ebc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=internal, output_ifc=ISP1
11-07-2015 09:30 AM
Thank you very much for the valuable help guys.
I was able to make it work. I also had to add a new NAT rule, to match the 80.80.80.0/24 destination subnet.
Regards,
11-07-2015 04:30 AM
Akshay
This is not PBR.
The OP is trying to send traffic for a specific destination subnet via a different interface.
He just needs a route with a next hop IP that is reachable via that interface.
Jon
11-07-2015 04:36 AM
Hi Jon,
Thanks for pointing that out. I completely missed the point about the route.
You are right. I can see that he has a connected route to the ISP with subnet 20.20.20.32/27. He needs a next hop in the same subnet. Possibly he is using the wrong next hop; it should be in the /27 of the .32 network.
Regards,
Akshay Rastogi
11-06-2015 11:12 AM
Hi there,
You need to perform policy based routing for your source 80.80.80.0/24 subnet. The ASA, or any device, performs the route lookup on the basis of the destination IP. For a source-specific one, you need to perform policy based routing.
The ASA has PBR support starting from version 9.4.1, which can be run on your ASA5512-X.
Please use the link below to implement the same:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html
Hope this helps.
Regards,
Akshay Rastogi