Route PPPOE into different static route in ASA

El Rondo
Level 1

I have an ASA 5506 running version 9.8(2) in my office which is connected to two (2) ISPs. I implemented PBR to split our LAN subnets JTP and WIFI_JTP into their respective route maps. Subnet JTP, which comes from the wired VLAN, is route-mapped to ISP 2 MYNET (static IP), and subnet WIFI_JTP, which comes from the wifi VLAN, is route-mapped to ISP 1 UNIFI going through PPPoE (dynamic IP). Both subnets JTP and WIFI_JTP are successfully routed to the internet. Furthermore, I have another remote office (HQ) where all servers reside in subnet 10.151.25.0/24. There is a requirement that all VLANs in my office need access to the HQ server subnet. Both HQ and my office subnet are connected using ISP 2 MYNET through the WAN interface. My VLAN JTP (wired) has no issue connecting to the HQ server subnet 10.151.25.0/24 because they are on the same gateway and properly NATted. However, I have an issue where VLAN WIFI_JTP (wifi) cannot get routed to the HQ server subnet because it is in a different route-map, UNIFI. How can I achieve my objective of enabling VLAN WIFI_JTP (wifi) to route to 10.151.25.0/24 in the ASA? I added the static route "route WAN 10.151.25.0 255.255.255.0 10.151.21.1 1" to push any request to interface WAN, but unfortunately it still failed. Any suggestions on this are really appreciated. Below is the sanitized config related only to the affected requirement in my ASA.


interface GigabitEthernet1/1
 description /* connect to ISP 2 MYNET */
 nameif WAN
 security-level 0
 ip address 10.151.21.3 255.255.255.248
!
interface GigabitEthernet1/2
 description /* connect to inside LAN */
 nameif LAN
 security-level 100
 ip address 172.31.5.2 255.255.255.240
 policy-route route-map MYNET
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description /* connect to ISP 1 UNIFI */
 vlan 500
 nameif UNIFI
 security-level 0
 pppoe client vpdn group GROUP_UNIFI
 ip address pppoe setroute

object network JTP
 subnet 172.31.6.0 255.255.255.0
 description /* cable LAN */

object network WIFI_JTP
 subnet 172.31.18.0 255.255.255.0
 description /* wifi LAN */

object network REMOTE-SERVER-NETWORK
 subnet 10.151.25.0 255.255.255.0
 description /* remote server network */

object-group network ALL_MYNET_LAN
 description /* All Vlan directed to MYNET */
 network-object object JTP

object-group network ALL_INSIDE_LAN
 description /* All vlan from inside interface */
 network-object object JTP
 network-object object WIFI_JTP

object-group service TCP_Allow tcp
 port-object eq domain
 port-object eq exec
 port-object eq finger
 port-object eq ftp
 port-object eq ftp-data
 port-object eq h323
 port-object eq hostname
 port-object eq https
 port-object eq www
 port-object eq ssh
 port-object eq telnet
 port-object eq login
 port-object eq whois
 port-object eq 1433
 port-object eq 8080
 port-object eq smtp

access-list ACL_MYNET extended permit ip object-group ALL_MYNET_LAN any
access-list INSIDE_ACCESS_IN extended permit tcp object-group ALL_INSIDE_LAN any object-group TCP_Allow log

mtu LAN 1500
mtu UNIFI 1492

object network JTP
 nat (LAN,WAN) dynamic 10.151.21.5

object network WIFI_JTP
 nat (LAN,UNIFI) dynamic interface

access-group INSIDE_ACCESS_IN in interface LAN

route-map MYNET permit 10
 match ip address ACL_MYNET
 set ip next-hop 10.151.21.1

route WAN 0.0.0.0 0.0.0.0 10.151.21.1 2
route WAN 10.151.25.0 255.255.255.0 10.151.21.1 1
route LAN 172.31.0.0 255.255.224.0 172.31.5.1 1
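Added example (not from the post or from Cisco): a small Python model of the forwarding decision the ASA makes for a LAN-sourced packet under the config above, first the route-map on the LAN interface, then longest-prefix / lowest-metric lookup in the static routes, followed by a check for whether an object NAT rule exists for the resulting (LAN, egress) interface pair. It assumes the PPPoE "setroute" default on UNIFI is installed at metric 1 (the post shows no "show route" output) and reduces ASA NAT handling to a rule-presence check, so it is a diagnostic aid rather than a reproduction of ASA internals.

```python
import ipaddress

# Sanitized subnets from the post (object network JTP / WIFI_JTP)
NETS = {
    "JTP": ipaddress.ip_network("172.31.6.0/24"),
    "WIFI_JTP": ipaddress.ip_network("172.31.18.0/24"),
}

# Policy routing on interface LAN: route-map MYNET matches ACL_MYNET
# (source object-group ALL_MYNET_LAN = JTP only, any destination)
PBR_LAN = [("JTP", "WAN", "10.151.21.1")]

# Static routes as (prefix, egress interface, next hop, metric).
# Assumption: the pppoe 'setroute' default on UNIFI lands at metric 1.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "UNIFI", "pppoe-peer", 1),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN", "10.151.21.1", 2),
    (ipaddress.ip_network("10.151.25.0/24"), "WAN", "10.151.21.1", 1),
    (ipaddress.ip_network("172.31.0.0/19"), "LAN", "172.31.5.1", 1),
]

# Object NAT rules present in the config: source object -> (real_if, mapped_if)
NAT_RULES = {"JTP": ("LAN", "WAN"), "WIFI_JTP": ("LAN", "UNIFI")}

def source_object(src):
    """Name of the object network containing the source address, or None."""
    for name, net in NETS.items():
        if ipaddress.ip_address(src) in net:
            return name
    return None

def egress(src, dst):
    """Return (egress_interface, next_hop, decided_by) for a LAN-sourced packet."""
    obj = source_object(src)
    # 1. PBR on the ingress interface is evaluated before the routing table
    for match_obj, out_if, nh in PBR_LAN:
        if obj == match_obj:
            return out_if, nh, "route-map MYNET"
    # 2. Otherwise longest-prefix match; ties go to the lowest metric
    d = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if d in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2], "routing table"

def nat_pair_exists(src, out_if):
    """True if the config has an object NAT rule from LAN to the chosen egress."""
    obj = source_object(src)
    return obj in NAT_RULES and NAT_RULES[obj] == ("LAN", out_if)

def analyse(src, dst):
    """Summarise egress choice and NAT coverage for one source/destination pair."""
    out_if, nh, by = egress(src, dst)
    return {"egress": out_if, "next_hop": nh, "decided_by": by,
            "nat_rule": nat_pair_exists(src, out_if)}
```

Running analyse("172.31.18.10", "10.151.25.10") shows the WIFI_JTP packet does reach egress WAN via the added static route, but that no NAT rule in the posted config covers the (LAN,WAN) pair for WIFI_JTP, which is the first thing to verify on the real box with packet-tracer.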