3845 Views | 0 Helpful | 26 Replies

Possible?

Hi Team!

Here's the scenario:

Bunch of networks -- ASA -- ISP1
                         -- ISP2

The deal is that the customer wants one of the networks 172.16.x.0/24 to use ISP2 as its main exit, while keeping all other networks using ISP1.

We know there's no PBR functionality on ASA, and also there are some workarounds with NAT, but this is the problem that I'm having:

Current config for ISP1 for all networks:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

route outside 0 0 x.x.x.x 1

Works perfectly fine.

I add the following to try to make 172.16.x.0/24 to use ISP2.

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 1  --> as soon as I enter this command the ASA complains, it won't allow it... fine, so I did as per this document:

https://supportforums.cisco.com/docs/DOC-15622

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

But that drops the Internet connection.

Funny thing is that if I do the following:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Then the inside host can't get to the Internet... It seems to me that with an AD of '2' on the default route, the ASA won't use it since it has a better route pointing to the original ISP1.

So, can this be done?

Thanks!

Federico.

26 Replies

Cheers Fed and cheers to you as well Jon, it was a useful discussion.

Varun

Thanks,
Varun Rao

Agreed, it cleared a few things up for me as well.

Jon

edited for spacing

Yup Jon, you've hit the nail on its head, that's what I meant but never realized that it got lost in the discussion and got overlooked... lol. I am very confident about that since it's something I have tested and it works as expected. In this config, we can eliminate the route issue and just route packets based on DNAT, so the firewall would not even look for the default route. Only condition -----> 172.16.x.x should be behind another separate interface.

Thanks,

Varun

Thanks,
Varun Rao

Jon Marshall
Hall of Fame

Federico / Varun

A thought just occurred. Varun wrote -

I don't think it should work the way we are trying to, since I have also never tested it. The only thing that I have tested is if your 172.16.x.0 is connected behind another interface rather than inside, let's say inside_2, then this can be accomplished:

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

I have never done this so I may be misunderstanding, but Varun seems to be suggesting that with this config all traffic from inside_2 would be routed out of new_outside. If this is the case then either -

1) do you have a spare interface you could route the 172.16.x.x addresses to on the inside

or

2) if you don't could you use subinterfaces on the inside interface and route just the 172.16.x.x to one of the subinterfaces and the rest of the traffic to the other

Varun, if I have misunderstood what that config does please let me know.

Jon

It will be a matter of just having another 'inside' interface (subinterface)?

Federico.

Federico

It looks like it. As I say, I personally haven't done it but Varun has, and his knowledge of the ASA is better than mine.

You would need a separate inside interface, whether physical or a subinterface, and you would need to route the 172.16.x.x traffic to that subinterface.

Varun - presumably you would still need to NAT the source IPs 172.16.x.x to the outside interface so they are returned to the outside_new interface, i.e.

nat (inside) 2 172.16.0.0 255.255.0.0

global (outside_new) 2 interface

because I'm assuming that the static statement doesn't take care of NATting source IPs?

Jon

Oh yes, that's for sure, that part of the config is only for routing the traffic out of the new_outside interface. But without source NAT it would not work. So that nat/global statement is definitely needed.

Varun

Thanks,
Varun Rao

Varun, Jon,

So the config would look like this?

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

nat (inside_2) 2 172.16.0.0 255.255.0.0

global (new_outside) 2 interface

Assuming:

inside_2 --> New Inside interface (subinterface)

new_outside --> ISP2

In this way, all traffic sourced from 172.16.x.x that arrives at the ASA is sent to ISP2?

Federico.

Bingo

Varun

Thanks,
Varun Rao
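The full 8.2-style configuration the thread converges on, written out as an added example (not posted by anyone in the thread). Interface names other than inside_2 and new_outside, the VLAN id, the addresses, the exact 172.16.x.0/24 subnet and the "netmask 0.0.0.0" keyword on the static are assumptions added here.

```cisco
! Added example, not from the thread. Interface numbers, VLAN id,
! addresses and "netmask 0.0.0.0" are assumptions (constructed values).

! Existing inside interface keeps using ISP1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Separate sub-interface that only the 172.16.x.0/24 hosts are routed to
interface GigabitEthernet0/1.172
 vlan 172
 nameif inside_2
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif new_outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! ISP1: the only default route, plus source NAT for everything behind inside
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! ISP2: no second default route. The identity static makes every
! destination seen from inside_2 appear to live behind new_outside, so
! the xlate lookup picks new_outside as the egress interface before the
! routing table is consulted. sysopt noproxyarp stops the ASA answering
! ARP on inside_2 for every address that catch-all static now covers.
static (new_outside,inside_2) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
sysopt noproxyarp inside_2
!
! Source NAT so Internet replies come back via ISP2's address
nat (inside_2) 2 172.16.1.0 255.255.255.0
global (new_outside) 2 interface
```

Before deploying, verify in a lab that hosts on inside_2 can still reach the other internal networks: the catch-all static covers those destinations too, so the ASA may steer that traffic towards new_outside as well.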

Too bad I don't think we can do it via another interface in this particular case!

But good to know!!!  Thank you guys one more time ;-)

No issues but this config should definitely work, so anytime you can try it, just give it a shot and do let us know the outcome.

Varun

Thanks,
Varun Rao