My ASA 5512-X is running ASA 9.4(2). Now I need to create 7 VLANs and connect 3 ISPs.
VLAN 2 (IP Phone) and VLAN 3 (for PC) use ISP 1
VLAN 4 and 5 (for PC) use ISP 2
VLAN 6, 7, 8 (for WiFi) use ISP 3
and I need NAT to NAS, FTP, etc.
I found this page, and some of it is the same as my case.
May I follow this to complete my task?
Do you have a common public address pool across all ISPs?
I'm guessing not. If not then you would need to use policy routing. You should upgrade to 9.5(2) before using policy routing due to bugs.
I think only one IP can be used.
And my supplier helped me set up PBR, but when I use this CLI:
packet-tracer input vlan3 icmp 192.168.3.1 0 0 126.96.36.199
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.188.1 using egress ifc ISP1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vlan3_access_in in interface vlan3
access-list vlan3_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vlan3
 nat (vlan3,ISP1) dynamic interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: vlan3
input-status: up
input-line-status: up
output-interface: ISP1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
the system shows this result. The result is drop, but I can ping and get an echo reply on my PC. If I ping or use TCP to www, it is all allowed. Why?
Maybe packet-tracer isn't PBR aware. Maybe it is because you are using 9.4(2). Not sure. PBR on the ASA is very new.
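As an added example (not from the thread or from Cisco), the following Python script parses ASA packet-tracer output in the phase/Result layout shown in the post above and reports the egress interface chosen by the ROUTE-LOOKUP phase, the NAT rule(s) applied, whether they agree, and the final action with its drop code. It assumes only that standard layout; the sample input is the thread's own output with its line breaks restored, and the script runs on a workstation, not on the ASA. When packet-tracer is run once per VLAN/ISP pair in a multi-ISP PBR design, a summary like this makes it easy to spot a run where the PBR egress and the NAT rule disagree, or where, as here, every phase reports ALLOW yet the verdict is still a drop.

```python
import re

# Sample input: the packet-tracer output posted in the thread, with its line
# breaks restored (the forum copy ran them together).
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.188.1 using egress ifc ISP1
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vlan3_access_in in interface vlan3
access-list vlan3_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vlan3
 nat (vlan3,ISP1) dynamic interface
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: vlan3
input-status: up
input-line-status: up
output-interface: ISP1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""


def parse_packet_tracer(text):
    """Return (phases, result): one dict per numbered phase and a dict of the Result block."""
    # Split at the start of every "Phase:" line and at the bare "Result:" line.
    blocks = re.split(r"^(?=Phase:|Result:$)", text, flags=re.M)
    phases, result = [], {}
    for block in blocks:
        lines = [l.rstrip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        if lines[0] == "Result:":
            for l in lines[1:]:  # key: value pairs such as Action / Drop-reason
                k, _, v = l.partition(":")
                result[k.strip()] = v.strip()
            continue
        phase, section = {"config": [], "info": []}, None
        for l in lines:
            if l == "Config:":
                section = "config"
            elif l == "Additional Information:":
                section = "info"
            elif section:
                phase[section].append(l)
            else:  # Phase:, Type:, Subtype:, Result: header lines of this phase
                k, _, v = l.partition(":")
                phase[k.strip().lower()] = v.strip()
        phases.append(phase)
    return phases, result


def summarize(text):
    """Compare the egress picked by ROUTE-LOOKUP with the NAT rule(s) applied; report the verdict."""
    phases, result = parse_packet_tracer(text)
    egress, nat_rules = None, []
    for p in phases:
        if p.get("type") == "ROUTE-LOOKUP":
            m = re.search(r"using egress ifc (\S+)", " ".join(p["info"]))
            egress = m.group(1) if m else egress
        elif p.get("type") == "NAT":
            nat_rules += re.findall(r"nat \(([^,)]+),([^,)]+)\)", "\n".join(p["config"]))
    m = re.match(r"\(([^)]+)\)", result.get("Drop-reason", ""))
    return {
        "action": result.get("Action"),
        "drop_code": m.group(1) if m else None,
        "egress_ifc": egress,
        "nat_rules": nat_rules,
        "nat_matches_egress": any(dst == egress for _, dst in nat_rules),
        "non_allow_phases": [p["phase"] for p in phases if p.get("result") != "ALLOW"],
    }
```

On the thread's output, `summarize(SAMPLE_OUTPUT)` reports egress_ifc ISP1, a single NAT rule (vlan3, ISP1), nat_matches_egress True and no phase other than ALLOW, yet action drop with drop code nat-xlate-failed. That is the inconsistency the reply above attributes to packet-tracer possibly not being PBR-aware on 9.4(2); paste the output of a real run into `summarize()` (or read it from a file) to get the same summary for each VLAN/ISP pair.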