03-08-2017 04:42 PM - last edited on 03-25-2019 05:59 PM by ciscomoderator
I have two ISP outbound circuits connected to a 5520 ASA, version 8.4(7). I can't figure out how to create a route based on source IP rather than destination IP. In a nutshell, I want to route WIFI and web conferencing via one interface and web servers via the other interface to split the traffic load. I can't do regular load balancing because we're not an Autonomous System and the ISPs are different.
The logic needs to work something like this:
Source     Destination   Gateway
Vlan100    0.0.0.0       IP address for ISP1    <--- send Wifi traffic to ISP1
Vlan200    0.0.0.0       IP address for ISP1    <--- send web conference traffic to ISP1
0.0.0.0    0.0.0.0       IP address for ISP2    <--- default gateway via ISP2
This looks like policy based routing to me, but I don't think I can upgrade the version on my ASA to 9.4. Is there a workaround I could use? I'm trying to figure out how to do it with ACLs, but I'm coming up short on ideas. The only idea I have would be to connect a second firewall and switch to my core switch and manage that traffic as if it was a remote office with a layer 2 point-to-point connection. I'd rather not add the extra cost and complexity to the setup, if I can avoid it. Thanks for your help.
03-08-2017 06:03 PM
Hi
You're right, you can't upgrade to the latest version supporting PBR, and what you want to achieve is PBR.
There is no way to achieve source routing. You can do a workaround to roughly load balance the traffic between both ISPs.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
03-09-2017 01:48 PM
Is it possible to load balance outbound traffic even when it is NATed?
03-09-2017 06:19 PM
You can load balance based on ports, for example HTTP and HTTPS to one ISP and the rest to the other ISP.
Or you can set two routes, for example 128.0.0.0/1 to one ISP and 0.0.0.0/1 to the other ISP.
Does that answer your question?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
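To make the difference concrete between what destination-only static routes (including the 128.0.0.0/1 and 0.0.0.0/1 split suggested above) can do and the source-based policy the question asks for, here is an added Python simulation; it is not from the thread or from Cisco, and the VLAN subnets, flow addresses and ISP labels in it are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (not from the thread): VLAN100 = 10.100.0.0/24 (Wi-Fi),
# VLAN200 = 10.200.0.0/24 (web conferencing), 10.10.0.0/24 stands in for a web-server VLAN.
# "ISP1" / "ISP2" are labels for the real next-hop addresses.
VLAN100 = ipaddress.ip_network("10.100.0.0/24")
VLAN200 = ipaddress.ip_network("10.200.0.0/24")

# Destination-only static routes, the kind an ASA 8.4 routing table can hold.
# Longest prefix match decides; the two /1 routes split the IPv4 space in half.
DEST_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ISP2"),    # default gateway via ISP2
    (ipaddress.ip_network("128.0.0.0/1"), "ISP1"),  # upper half of IPv4 via ISP1
    (ipaddress.ip_network("0.0.0.0/1"), "ISP2"),    # lower half of IPv4 via ISP2
]

# The source-based intent from the question: PBR evaluates this before the routing table.
PBR_POLICY = [
    (VLAN100, "ISP1"),  # Wi-Fi
    (VLAN200, "ISP1"),  # web conferencing
]

def lookup_destination(dst, routes=DEST_ROUTES):
    """Classic longest-prefix match over destination-only routes; source is never consulted."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def lookup_pbr(src, dst, policy=PBR_POLICY, routes=DEST_ROUTES):
    """PBR semantics: a matching source policy sets the next hop, else fall back to the table."""
    src = ipaddress.ip_address(src)
    for net, isp in policy:
        if src in net:
            return isp
    return lookup_destination(dst, routes)

def compare(flows):
    """Per (src, dst) flow: ISP chosen by destination routing vs. ISP the policy requires."""
    return [(src, dst, lookup_destination(dst), lookup_pbr(src, dst)) for src, dst in flows]

if __name__ == "__main__":
    flows = [("10.100.0.5", "8.8.8.8"), ("10.100.0.5", "198.51.100.7"),
             ("10.10.0.80", "198.51.100.7"), ("10.10.0.80", "8.8.8.8")]
    for src, dst, by_dest, wanted in compare(flows):
        status = "OK" if by_dest == wanted else "MISMATCH"
        print(f"{src:>12} -> {dst:<14} routes:{by_dest}  policy:{wanted}  {status}")
```

The MISMATCH rows are exactly the flows a destination-only table cannot steer correctly, which is why the answer above can only offer rough load sharing rather than the per-VLAN split.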
03-09-2017 10:28 AM
Hi,
Please check the below link having scenarios of PBR supported on ASA if this meets your requirement.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html
Regards
Tripat Kaur
03-09-2017 02:25 PM
Looking at that, I think PBR would work using an ACL and policy specifying the next hop based on source address. The trouble is my ASA is a 5520 and will only run version 9.1x
Right now I need to work out a way to make this happen with the hardware we have on hand. I have a spare 5515 ASA and a 2960 switch that I could put into play. Right now I'm thinking of a scheme that would work like this:
1) trunk VLAN100 and VLAN200 from the core switch to a second ASA.
2) Connect second ASA to ISP1
3) Address the vlan interfaces on the second ASA and use those as the GW address for each VLAN.
4) set default route on second ASA to use ISP1
5) create static routes on the new ASA for all internal networks that would point to my core switch. This entails creating a couple dozen static routes.
6) create static routes on my core switch pointing to the new ASA for VLAN100 and VLAN200.
Do you think this would work?
03-09-2017 06:14 PM
Hi
Yes, it should work. From your core switch, you can also use PBR to route to the first ASA or the second ASA.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question