Dual ISP, one dedicated for Guest Wireless

lcaruso
Level 6

Hi,

I want to confirm this design can work.

On a 5510 running 9.02 code, add a 2nd ISP dedicated to their Guest Wireless traffic only.

We would connect the Cisco 2504 controller port directly to the 5510, so the interfaces would be allocated like this:

E0/0     outside1
E0/1     outside2
E0/2     inside
E0/3     dmz
M0/0     guest wireless

Since the ASA can only have one active default route, how would I force wireless guest traffic out the 2nd ISP port while allowing all other traffic to use the primary ISP port?

Also I assume on a 5510, unlike the newer ASAs, I can actually use the Management Port for non-management traffic just like the other ports.

Thanks.


6 Replies

Jouni Forss
VIP Alumni

Hi,

This worked in 9.1(1) code at least.

It made it so that the ASA would forward traffic from a certain source interface/network out a certain interface.

I presume the following base information for the configuration:

  • WAN-2 is the Secondary ISP interface
  • WLAN-GUEST is the Wireless Guest interface
  • 10.10.10.0/24 is the Wireless Guest network

! Two halves of the IPv4 space; together they cover "any" destination
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
! The Wireless Guest network
object network WIRELESS-GUEST
 subnet 10.10.10.0 255.255.255.0
! Manual (twice) NAT: guest sources are PAT'd to the WAN-2 interface address
nat (WLAN-GUEST,WAN-2) source dynamic WIRELESS-GUEST interface destination static ALL ALL

This should make it possible to forward all traffic from network 10.10.10.0/24 through WAN-2 to the Internet. Naturally you also need a default route on the WAN-2 interface. If you wanted to enable some traffic between the WLAN-GUEST and other local networks/interfaces, then you would need additional NAT configuration before this NAT configuration.

And yes, you are able to use the Management0/0 port in the original ASA5500 Series as a Data interface.

Hope this helps.

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed.

- Jouni

I give a correct answer for effort alone.

I'm pretty familiar with the NAT tricks, but the nagging question, really, is the default route issue.

I've set up ASAs previously with two ISPs, and I know there can only be one default route with the lowest metric. The second default route can have a higher metric, but my experience has been this second default route only works for inbound traffic on the 2nd ISP interface, as one would expect on an ASA (you can't load balance or policy route).

So really the question stands, unless I'm mistaken: how will I route traffic from the wireless guest network only to the 2nd ISP while routing all other traffic from the inside network to the 1st ISP? How can I make the ASA behave like a router with policy based routing?

Hi,

It is my understanding that with the above NAT we handle the first phase of getting the Wireless Guest traffic out the right interface. The NAT configuration should basically make the ASA choose the egress interface.

After this has been chosen, then to my understanding the default route configured for this interface, even if it's configured with a worse metric, should be chosen, since the ASA has already first chosen to which interface the traffic will be forwarded. And since that interface has been chosen, it will use that interface's default route.

Sadly I haven't got a device set up currently with which I could test this again.

Check this thread where I answered a similar question. There I suggested using almost the same NAT configuration as above and the user confirmed that it works:

https://supportforums.cisco.com/thread/2209874

Hope this helps.

- Jouni

Interesting. Thanks for your contribution.

I had a discussion with TAC about this. They said the interface selection for outbound traffic is based on the default route, so the order of operations is (1) route lookup to select the interface, (2) NAT.
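The two replies above disagree about the order of operations: Jouni describes the manual NAT rule fixing the egress interface first, with the route lookup then confined to that interface's default route, while TAC is quoted as saying the route lookup comes first and NAT second. The following Python model is an added example, not code from the thread or from Cisco; it implements both orderings behind a `nat_first` flag so the difference in outcome can be seen on constructed input. The interface names WLAN-GUEST and WAN-2, the 10.10.10.0/24 guest network and the ALL object-group (0.0.0.0/1 plus 128.0.0.0/1) follow Jouni's post; WAN-1, the inside network 192.168.1.0/24, the metrics and the destination 203.0.113.10 are assumed values chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NET = ipaddress.ip_network


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


@dataclass
class NatRule:
    # Models "nat (src_if,dst_if) source dynamic <src> interface destination static ALL ALL"
    src_if: str
    dst_if: str
    src_nets: List[ipaddress.IPv4Network]
    dst_nets: List[ipaddress.IPv4Network]


def best_route(routes: List[Route], dst: ipaddress.IPv4Address,
               interface: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, then lowest metric; optionally restricted to one interface."""
    candidates = [r for r in routes if dst in r.prefix
                  and (interface is None or r.interface == interface)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(src_if: str, src: str, dst: str, nat_rules: List[NatRule],
                     routes: List[Route], nat_first: bool = True) -> Optional[str]:
    """Return the egress interface for a flow under either ordering of NAT and routing."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = next((n for n in nat_rules
                 if n.src_if == src_if
                 and any(src_ip in s for s in n.src_nets)
                 and any(dst_ip in d for d in n.dst_nets)), None)
    if nat_first and rule is not None:
        # Jouni's description: the NAT rule fixes the egress interface, and the
        # route lookup is then confined to that interface. Without a default
        # route on it the flow has nowhere to go (hence "you also need a default
        # route on the WAN-2 interface").
        return rule.dst_if if best_route(routes, dst_ip, rule.dst_if) else None
    # TAC's description (or no matching rule): plain routing table lookup, so the
    # lowest-metric default route wins for everyone.
    route = best_route(routes, dst_ip)
    return route.interface if route else None


# Constructed sample tables mirroring the thread's design.
ROUTES = [
    Route(NET("192.168.1.0/24"), "inside", 0),       # assumed inside network
    Route(NET("10.10.10.0/24"), "WLAN-GUEST", 0),
    Route(NET("0.0.0.0/0"), "WAN-1", 1),             # primary ISP, best metric
    Route(NET("0.0.0.0/0"), "WAN-2", 254),           # secondary ISP, worse metric
]
ALL = [NET("0.0.0.0/1"), NET("128.0.0.0/1")]        # the ALL object-group
GUEST_NAT = NatRule("WLAN-GUEST", "WAN-2", [NET("10.10.10.0/24")], ALL)


def guest_egress(nat_first: bool = True, routes: List[Route] = ROUTES) -> Optional[str]:
    return egress_interface("WLAN-GUEST", "10.10.10.50", "203.0.113.10",
                            [GUEST_NAT], routes, nat_first)


def inside_egress(nat_first: bool = True) -> Optional[str]:
    return egress_interface("inside", "192.168.1.10", "203.0.113.10",
                            [GUEST_NAT], ROUTES, nat_first)


if __name__ == "__main__":
    print("guest, NAT first :", guest_egress())                   # WAN-2
    print("guest, route first:", guest_egress(nat_first=False))   # WAN-1
    print("inside, either    :", inside_egress())                 # WAN-1
    no_wan2_default = [r for r in ROUTES if r.interface != "WAN-2"]
    print("guest, no WAN-2 default route:", guest_egress(routes=no_wan2_default))  # None
```

Under the NAT-first ordering the guest flow leaves via WAN-2 even though WAN-2's default route has the worse metric, and inside traffic, which matches no manual NAT rule, still follows the lowest-metric default route to WAN-1. Under the route-first ordering every flow lands on WAN-1 and the NAT rule never gets a chance to steer guest traffic. The last case shows why a default route on WAN-2 is required in addition to the NAT rule. The model does not settle which ordering a given ASA release applies; the practical check is `packet-tracer` on the box, as the thread's participants note they could not do.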

Hello, I have a similar requirement to this: 2x ASA5525-X in active/standby with dual ISPs, and I want to send guest traffic out ISP1 and Corp out ISP2. I am proposing to use a port channel between the ASA outside and the DMZ switch, which will carry both the ISP1 VLAN and ISP2 VLAN, and use SVI interfaces on the ASA. This way I believe I can have 2x equal cost default routes, one to each ISP, and do some round robin load balancing of outbound traffic. Is that correct, since I am using a single physical interface?

If I NAT the guest subnet to a public IP address from ISP1, then by default behaviour this will force traffic to use the ISP1 interface for egress, and return traffic should naturally flow back via ISP1.

My question is how would the ASA handle this in a failure situation where ISP1 went down? Is there a way to have a second NAT statement that NATs the guest subnet to a public address from ISP2 in the event of ISP1 going down? Or if not, how can failover be achieved with this design?

Many thanks

Rays
