Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
562
Views
0
Helpful
4
Replies

May I set load balancing on ASA 9.4?

Go to solution
cwhlaw2009
Level 1
Level 1

‎01-20-2016 03:40 AM - edited ‎02-21-2020 05:42 AM

My ASA 5512-X is ASA 9.4(2). Now I need create 7 VLANs and connect 3 ISP.

VLAN2 (IP Phone) and vlan 3 (for PC) use ISP 1 

VLAN4 and 5 (for PC) use ISP2

VLAN6,7,8 (for WiFi) use ISP3

and I need NAT to NAS, FTP,etc

I find this page and something is same as my case

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

May I follow this to complete my task?

THX

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-20-2016 04:00 PM

Do you have a common public address pool across all ISPs?

I'm guessing not.  If not then you would need to use policy routing.  You should upgrade to 9.5(2) before using policy routing due to bugs.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-20-2016 04:00 PM

Do you have a common public address pool across all ISPs?

I'm guessing not.  If not then you would need to use policy routing.  You should upgrade to 9.5(2) before using policy routing due to bugs.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

0 Helpful

Go to solution
cwhlaw2009
Level 1
Level 1
In response to Philip D'Ath

‎01-20-2016 06:21 PM

I think only one IP can be use.

And my supplier help me set PBR but when I use this CLI:

packet-tracer input vlan3 icmp 192.168.3.1 0 0 8.8.8.8 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.188.1 using egress ifc ISP1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vlan3_access_in in interface vlan3
access-list vlan3_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vlan3
nat (vlan3,ISP1) dynamic interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: vlan3
input-status: up
input-line-status: up
output-interface: ISP1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

system will show this result. And the result is drop, but i can ping and get echo reply on my pc. If I ping tcp www is all allow. Why ? 

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to cwhlaw2009

‎01-20-2016 06:21 PM

Maybe packet-tracer isn't PBR aware.  Maybe it is because you are using 9.4(2).  Not sure.  PBR on the ASA is very new.

0 Helpful

Go to solution
cwhlaw2009
Level 1
Level 1
In response to Philip D'Ath

‎01-20-2016 06:26 PM

thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card