07-27-2017 12:19 PM - edited 03-12-2019 02:45 AM
We have an existing ASA which handles our Internet and inbound-from-the-Internet static NAT'd SFTP, SIP and Web Server traffic. We want to add a second ASA, to which the existing ASA would forward 0.0.0.0 (Internet-bound) traffic. When doing this we want to keep the inbound SFTP, SIP and Web Server traffic on the existing ASA. Attached is a diagram of what we would like to achieve, and I appreciate any recommendations and help.
Jeff
Solved!
07-28-2017 03:15 PM
First, we need to configure the interfaces.
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside-1
ciscoasa(config-if)# ip address 192.168.6.5 255.255.255.0
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside-2
ciscoasa(config-if)# ip address 172.16.7.6 255.255.255.0
Then, we need to configure an access-list for matching the traffic.
ciscoasa(config)# access-list acl-1 permit ip 10.1.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-2 permit ip 10.2.0.0 255.255.0.0 any
We need to configure a route-map by specifying the above access-lists as match criteria along with the required set actions.
ciscoasa(config)# route-map equal-access permit 10
ciscoasa(config-route-map)# match ip address acl-1
ciscoasa(config-route-map)# set ip next-hop 192.168.6.6
ciscoasa(config)# route-map equal-access permit 20
ciscoasa(config-route-map)# match ip address acl-2
ciscoasa(config-route-map)# set ip next-hop 172.16.7.7
ciscoasa(config)# route-map equal-access permit 30
ciscoasa(config-route-map)# set ip interface Null0
Now, this route-map has to be attached to an interface.
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# policy-route route-map equal-access
To display the policy routing configuration:
ciscoasa(config)# show policy-route
Interface              Route map
GigabitEthernet0/0     equal-access
07-27-2017 04:54 PM
Hi Jeff,
Yes, it is possible; you can connect to the internal server.
Regards,
Mohammad Ishaq
07-28-2017 10:47 AM
I assume it's as simple as specifying a 0.0.0.0 0.0.0.0 static route pointing to ASA2? We are concerned about asymmetrical routing, for example SFTP will come in on ASA1 but leave on ASA2.
Thank you.
Jeff
07-28-2017 11:22 AM
Hi Jeff,
Yes, it is possible that we can have asymmetric routing, but we can overcome that by configuring PBR on ASA1 to route the internal server traffic.
Regards,
Mohammad Ishaq
07-28-2017 11:40 AM
I would greatly appreciate an example policy to get me started for research and I will then test in a lab.
Thanks again.
Jeff
07-31-2017 07:06 AM
Mohammad:
I assume the 10.1 and 10.2 networks are where our SFTP, SIP, Web servers are and I can replace the subnets with individual IP addresses of the servers?
Thanks for all the help.
Jeff
07-31-2017 09:39 AM
Hi Jeff,
Yes, you got it right. That will route the traffic towards the next desired interface.
Regards,
Mohammad Ishaq
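The following is an added illustration, not code from the thread or from Cisco: a small Python model of how the ASA evaluates the route-map in the accepted answer (entries in sequence order, first match wins, an entry with no match clause matches everything). It lets you check what each entry does to a given flow before touching the firewall. The addresses and ACL names come from the posted configuration; the 10.3.1.5 host and the per-server addresses 10.1.1.20-22 in Jeff's adaptation are constructed, and the function and class names are my own.

```python
"""Model of ASA policy-based routing (PBR) route-map evaluation.

Added example, not ASA code.  A route-map is evaluated top to bottom in
sequence order; the first entry whose ACL permits the packet wins and its
'set ip next-hop' (or 'Null0') applies.  An entry with no 'match' clause
matches every packet.  If no entry matches, the ASA falls back to the
ordinary routing table (where Jeff's 0.0.0.0/0 static route points at ASA2).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

NORMAL_ROUTING = "routing-table"  # no PBR entry matched: normal route lookup


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list NAME permit ip SRC SRCMASK DST DSTMASK' line."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def ace(source: str, destination: str = "0.0.0.0/0") -> AclEntry:
    """Build an ACL entry from 'addr/mask' strings; the default destination is 'any'."""
    return AclEntry(ipaddress.IPv4Network(source, strict=False),
                    ipaddress.IPv4Network(destination, strict=False))


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    acl: Optional[str]   # None = no 'match ip address' clause, i.e. matches all traffic
    next_hop: str        # 'set ip next-hop' address, or 'Null0' to discard


def acl_permits(acl: List[AclEntry], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
    """True if any entry of the ACL permits this source/destination pair."""
    return any(src in e.source and dst in e.destination for e in acl)


def policy_route(route_map: List[RouteMapEntry], acls: Dict[str, List[AclEntry]],
                 src: str, dst: str) -> str:
    """Return the next hop the route-map selects for a packet, or NORMAL_ROUTING."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.acl is None or acl_permits(acls[entry.acl], s, d):
            return entry.next_hop
    return NORMAL_ROUTING


# Access lists and route-map exactly as in the posted solution (destination 'any').
POSTED_ACLS = {
    "acl-1": [ace("10.1.0.0/255.255.0.0")],
    "acl-2": [ace("10.2.0.0/255.255.0.0")],
}
POSTED_MAP = [
    RouteMapEntry(10, "acl-1", "192.168.6.6"),
    RouteMapEntry(20, "acl-2", "172.16.7.7"),
    RouteMapEntry(30, None, "Null0"),  # no match clause: everything else is discarded
]

# Jeff's adaptation (constructed server addresses): only the published SFTP, SIP and
# web servers are policy-routed back out via ASA1's existing Internet next hop.
# There is deliberately no catch-all Null0 entry, so all other inside traffic falls
# through to the routing table and its default route towards ASA2.
SERVER_ACLS = {
    "acl-servers": [ace("10.1.1.20/32"), ace("10.1.1.21/32"), ace("10.1.1.22/32")],
}
SERVER_MAP = [RouteMapEntry(10, "acl-servers", "192.168.6.6")]


def trace(route_map: List[RouteMapEntry], acls: Dict[str, List[AclEntry]],
          flows: List[tuple]) -> Dict[tuple, str]:
    """Evaluate several (src, dst) flows and return the chosen next hop for each."""
    return {flow: policy_route(route_map, acls, *flow) for flow in flows}


if __name__ == "__main__":
    internet = "198.51.100.9"  # constructed Internet client address
    flows = [("10.1.1.10", internet), ("10.2.5.5", internet),
             ("10.3.1.5", internet), ("10.1.1.20", internet)]
    print("posted route-map:")
    for flow, hop in trace(POSTED_MAP, POSTED_ACLS, flows).items():
        print(f"  {flow[0]:>10} -> {flow[1]}: {hop}")
    print("per-server route-map:")
    for flow, hop in trace(SERVER_MAP, SERVER_ACLS, flows).items():
        print(f"  {flow[0]:>10} -> {flow[1]}: {hop}")
```

The trace shows the detail that matters for Jeff's design: the posted sequence 30 entry has no match clause, so it catches every inside packet that is not from 10.1.0.0/16 or 10.2.0.0/16 and sends it to Null0. In a two-ASA setup that would black-hole all ordinary user traffic instead of letting it reach the default route to ASA2, so the per-server route-map leaves that entry out and lets unmatched traffic fall through to normal routing. Matching on the server addresses as the source is what keeps the replies to inbound SFTP, SIP and web sessions on ASA1 and avoids the asymmetric path.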
07-31-2017 11:25 AM
Thank you.
07-31-2017 03:16 PM
Welcome!
Please rate helpful and mark correct answers