06-12-2013 08:51 AM - edited 03-11-2019 06:56 PM
Hi,
I want to confirm this design can work.
On a 5510 running 9.02 code, add a 2nd ISP dedicated to their Guest Wireless traffic only.
We would connect the Cisco 2504 controller port directly to the 5510, so the interfaces would be allocated like this
E0/0 outside1
E0/1 outside2
E0/2 inside
E0/3 dmz
M0/0 guest wireless
Since the ASA can only have one active default route, how would I force wireless guest traffic out the 2nd ISP port while allowing all other traffic to use the primary ISP port?
Also I assume on a 5510, unlike the newer ASAs, I can actually use the Management Port for non-management traffic just like the other ports.
Thanks.
06-12-2013 09:12 AM
Hi,
This worked in 9.1(1) code at least.
It made it so that the ASA would forward traffic from a certain source interface/network out a certain interface.
I presume the following base information for the configuration:
object network ANY-0.0.0.0-1
subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
subnet 128.0.0.0 128.0.0.0
object-group network ALL
network-object object ANY-0.0.0.0-1
network-object object ANY-128.0.0.0-1
object network WIRELESS-GUEST
subnet 10.10.10.0 255.255.255.0
nat (WLAN-GUEST,WAN-2) source dynamic WIRELESS-GUEST interface destination static ALL ALL
This should make it possible to both forward all traffic from network 10.10.10.0/24 through WAN-2 to the Internet. Naturally you also need a default route on the WAN-2 interface. If you wanted to enable some traffic between the WLAN-GUEST and other local networks/interfaces then you would need additional NAT configuration before this NAT configuration.
And yes, you are able to use the Management0/0 port in the original ASA5500 Series as a Data interface.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
06-12-2013 09:28 AM
I give a correct answer for effort alone
I'm pretty familiar with the nat tricks, but the nagging question, really, is the default route issue.
I've set up ASAs previously with two ISPs, and I know there can only be one default route with the lowest metric. The second default route can have a higher metric, but my experience has been this second default route only works for inbound traffic on the 2nd ISP interface, as one would expect on an ASA (you can't load balance or policy route).
So really the question stands, unless I'm mistaken: how will I route traffic from the wireless guest network only to the 2nd ISP while routing all other traffic from the inside network to the 1st ISP? How can I make the ASA behave like a router with policy based routing?
06-12-2013 09:38 AM
Hi,
It is my understanding that with the above NAT we handle the first phase of getting the Wireless Guest traffic out the right interface. The NAT configuration should basically make the ASA choose the egress interface.
After this has been chosen then to my understanding the default route configured for this interface, even if it's configured with a worse metric, should be chosen since the ASA has already first chosen to which interface the traffic will be forwarded. And since that interface has been chosen it will use that interface's default route.
Sadly I haven't got a device set up currently with which I could test this again.
Check this thread where I answered a similar question. There I suggested using almost the same NAT configuration as above and the user confirmed that it works:
https://supportforums.cisco.com/thread/2209874
Hope this helps
- Jouni
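A fuller sketch of the design Jouni describes, as an added example that is not from the original thread: the object and NAT lines follow his reply, while the interface addresses, gateways, route metrics, the guest-isolation ACL and the packet-tracer check are assumptions added here for illustration.

```cisco
! Added example, not the poster's verbatim config. Addresses and gateways
! are assumed; RFC 5737 documentation ranges stand in for the ISP prefixes.
interface Ethernet0/0
 nameif WAN-1
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet0/1
 nameif WAN-2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Management0/0
 nameif WLAN-GUEST
 security-level 10
 ip address 10.10.10.1 255.255.255.0
 no management-only
!
! Two default routes: WAN-1 is preferred (metric 1). WAN-2 keeps a worse
! metric and is consulted only after NAT has already picked WAN-2 as egress.
route WAN-1 0.0.0.0 0.0.0.0 198.51.100.1 1
route WAN-2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
object network WIRELESS-GUEST
 subnet 10.10.10.0 255.255.255.0
!
! Twice NAT from the guest interface to WAN-2: the rule names both interfaces,
! so guest traffic is PATed behind WAN-2's address and leaves via WAN-2.
nat (WLAN-GUEST,WAN-2) source dynamic WIRELESS-GUEST interface destination static ALL ALL
!
! Keep guests off internal networks: deny RFC 1918 destinations, permit the rest.
access-list GUEST-IN extended deny ip object WIRELESS-GUEST 10.0.0.0 255.0.0.0
access-list GUEST-IN extended deny ip object WIRELESS-GUEST 172.16.0.0 255.240.0.0
access-list GUEST-IN extended deny ip object WIRELESS-GUEST 192.168.0.0 255.255.0.0
access-list GUEST-IN extended permit ip object WIRELESS-GUEST any
access-group GUEST-IN in interface WLAN-GUEST
!
! Check from exec mode which NAT rule and egress interface a guest flow hits:
! packet-tracer input WLAN-GUEST tcp 10.10.10.50 40000 192.0.2.10 80
! The trace should end with output-interface WAN-2 and the twice NAT rule above.
```

Running the packet-tracer line on a lab unit is the quickest way to settle the route-versus-NAT ordering question raised in this thread for the code version actually deployed.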
06-12-2013 10:03 AM
Interesting. Thanks for your contribution.
06-20-2013 10:53 AM
I had a discussion with TAC about this. They said the interface selection for outbound traffic is based on the default route, so the order of operations is (1) route lookup to select the interface (2) nat
10-08-2014 09:59 AM
Hello, I have a similar requirement to this - 2x ASA5525-X in active/standby with dual ISPs and I want to send guest traffic out ISP1 and Corp out ISP2. I am proposing to use a port channel between the ASA outside and the DMZ switch which will carry both the ISP1 vlan and ISP2 vlan and use SVI interfaces on the ASA. This way I believe I can have 2x equal cost default routes, 1 to each ISP, and do some round robin load balancing of outbound traffic; is that correct, since I am using 1 single physical interface?
If I NAT the guest subnet to a public IP address from ISP1 then this by the default behaviour will force traffic to use ISP1 interface for egress traffic and return traffic should naturally flow back via ISP1.
My question is how would the ASA handle this in a failure situation where ISP1 went down? Is there a way to have a second NAT statement that NATs the guest subnet to a public address from ISP2 in the event of ISP1 going down? Or if not how can failover be achieved with this design?
Many thanks
Rays