11-14-2013 12:56 PM - edited 03-11-2019 08:05 PM
This is more like a router question, but I need to implement it on an ASA5515-X, so let's see if it's possible to do so.
How can I only route one internal host to use a backup WAN link?
I checked the "route" command on the ASA; it doesn't seem to be an option...
Thanks so much!
11-14-2013 04:02 PM
Hi,
The configuration would be something like this
nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD CLOUD
And this would make the situation a lot simpler also. This is because the SECONDARY link would only be used for the destination IP address used under the "object network CLOUD". All other traffic from this host would continue to use the PRIMARY link.
The worse default route wouldn't really cause any problems with anything, as it's not active in the routing table. Its only use in this case would be to forward the traffic towards the CLOUD IP address after the NAT configuration has chosen the correct egress interface, SECONDARY, for that destination IP address.
- Jouni
11-14-2013 01:06 PM
Hello Keith,
You are looking for PBR (routing based on a source IP address).
Unfortunately this can't be accomplished on the ASA, as it does not support PBR.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-14-2013 01:14 PM
A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.
Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics and not to policy route regular traffic as in routers.
11-14-2013 01:15 PM
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml
11-14-2013 01:24 PM
Hi,
Even though PBR itself is not supported by the ASA, you can simulate similar operation with NAT configurations.
An example configuration would be
interface GigabitEthernet0/0
 description Primary ISP
 nameif PRIMARY
 security-level 0
 ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Secondary ISP
 nameif SECONDARY
 security-level 0
 ip address 192.168.102.2 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN
 nameif LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
route PRIMARY 0.0.0.0 0.0.0.0 192.168.101.1 1
route SECONDARY 0.0.0.0 0.0.0.0 192.168.102.1 254
!
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
object network HOST
 host 10.10.10.10
!
nat (LAN,SECONDARY) source dynamic HOST interface destination static ALL ALL
nat (LAN,PRIMARY) after-auto source dynamic any interface
The problem with the above setup is the fact that the NAT configuration will start to play an even larger role for this single host. The above NAT configuration for the HOST catches traffic to ALL destination addresses and forwards it to the SECONDARY interface, using its lesser default route.
If the HOST needs to access other LAN/DMZ interfaces on the ASA, you MUST configure additional NAT configurations before the special NAT rule for the SECONDARY interface.
So I can't really give you an exact configuration unless I know your setup specifically.
Hope this helps
- Jouni
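The ordering problem described above (the ALL-destination rule catching traffic meant for a DMZ unless an identity rule is placed before it) and the narrower CLOUD-only rule from the accepted solution can be walked through with a small model of how the ASA picks an egress interface. This is an added example, not code from the thread or from Cisco: it is a deliberate simplification of ASA 8.3+ behaviour in which a twice-NAT rule that matches source, ingress interface and an explicit destination decides the egress interface by itself (NAT divert), while rules without a destination clause only apply after the routing table has chosen the egress interface. The DMZ interface, the 10.20.20.0/24 network, the hosts 10.20.20.5 and 8.8.8.8, and the rule names are assumptions for the demonstration; ALL is modelled as 0.0.0.0/0 rather than the two /1 objects used on the ASA.

```python
# Added example: simplified model of ASA NAT-driven egress selection.
# Assumption: twice-NAT rules with a destination clause decide egress on their own;
# rules without one are matched only after a route lookup picks the egress interface.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str      # destination network, CIDR
    distance: int    # administrative distance (1 = static, 254 = floating static)
    active: bool     # False while a better route for the same prefix is installed


@dataclass(frozen=True)
class NatRule:
    section: int                  # 1 = manual, 2 = object (auto), 3 = after-auto
    real_if: str
    mapped_if: str
    source: str                   # real source network, CIDR
    destination: Optional[str]    # real destination network, CIDR; None = no destination clause
    name: str


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over active routes; lowest distance wins a tie."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if not r.active or ip_address(dst) not in net:
            continue
        key = (net.prefixlen, -r.distance)
        if best is None or key > best[0]:
            best = (key, r.iface)
    return best[1] if best else None


def egress_interface(rules: List[NatRule], routes: List[Route],
                     ingress: str, src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (egress interface, reason). Rules are evaluated by section, then config order."""
    s, d = ip_address(src), ip_address(dst)
    ordered = sorted(rules, key=lambda r: r.section)   # stable sort keeps configured order
    for r in ordered:                                    # pass 1: rules with a destination divert
        if r.real_if == ingress and s in ip_network(r.source) \
                and r.destination is not None and d in ip_network(r.destination):
            return r.mapped_if, f"nat-divert:{r.name}"
    via_route = route_lookup(routes, dst)                # pass 2: routing table decides egress
    for r in ordered:
        if r.destination is None and r.real_if == ingress \
                and r.mapped_if == via_route and s in ip_network(r.source):
            return via_route, f"route+nat:{r.name}"
    return via_route, "route"


def build_routes(primary_up: bool = True, secondary_up: bool = True) -> List[Route]:
    """Routing table from the thread plus an assumed connected DMZ network.
    The floating default route (distance 254) is only active while PRIMARY is down."""
    return [
        Route("DMZ", "10.20.20.0/24", 0, True),
        Route("PRIMARY", "0.0.0.0/0", 1, primary_up),
        Route("SECONDARY", "0.0.0.0/0", 254, secondary_up and not primary_up),
    ]


HOST, CLOUD = "10.10.10.10", "1.1.1.1"
DMZ_SERVER, INTERNET = "10.20.20.5", "8.8.8.8"          # assumed hosts for the demo

PAT_PRIMARY = NatRule(3, "LAN", "PRIMARY", "0.0.0.0/0", None, "after-auto PAT")
HOST_ALL = NatRule(1, "LAN", "SECONDARY", HOST + "/32", "0.0.0.0/0", "HOST->ALL")      # first attempt
HOST_CLOUD = NatRule(1, "LAN", "SECONDARY", HOST + "/32", CLOUD + "/32", "HOST->CLOUD")  # accepted solution
LAN_DMZ_IDENTITY = NatRule(1, "LAN", "DMZ", "10.10.10.0/24", "10.20.20.0/24", "LAN<->DMZ identity")


def run_scenarios() -> dict:
    routes = build_routes()
    out = {}
    broad = [HOST_ALL, PAT_PRIMARY]                      # destination ALL hijacks every flow from HOST
    out["all/cloud"] = egress_interface(broad, routes, "LAN", HOST, CLOUD)[0]
    out["all/dmz"] = egress_interface(broad, routes, "LAN", HOST, DMZ_SERVER)[0]
    fixed = [LAN_DMZ_IDENTITY, HOST_ALL, PAT_PRIMARY]    # identity rule placed before the special rule
    out["all+identity/dmz"] = egress_interface(fixed, routes, "LAN", HOST, DMZ_SERVER)[0]
    narrow = [HOST_CLOUD, PAT_PRIMARY]                   # only CLOUD is diverted
    out["cloud/cloud"] = egress_interface(narrow, routes, "LAN", HOST, CLOUD)[0]
    out["cloud/dmz"] = egress_interface(narrow, routes, "LAN", HOST, DMZ_SERVER)[0]
    out["cloud/internet"] = egress_interface(narrow, routes, "LAN", HOST, INTERNET)[0]
    out["other/internet"] = egress_interface(narrow, routes, "LAN", "10.10.10.20", INTERNET)[0]
    # No failover: the divert ignores route state, so HOST still goes to a dead SECONDARY link
    out["cloud/secondary-down"] = egress_interface(narrow, build_routes(secondary_up=False),
                                                   "LAN", HOST, CLOUD)[0]
    return out


if __name__ == "__main__":
    for scenario, iface in run_scenarios().items():
        print(f"{scenario:24s} -> {iface}")
```

On a real ASA the equivalent check is `packet-tracer input LAN tcp 10.10.10.10 12345 1.1.1.1 443`, which reports the NAT rule hit and the egress interface chosen, together with `show nat detail` for the effective rule order and `show route` for which default route is currently installed. The last scenario is the caveat raised later in the thread: because the divert does not consult the routing table, a failed SECONDARY link does not move the host back to PRIMARY.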
11-14-2013 03:18 PM
The problem with that configuration would be that in most cases, if the secondary link fails and you still need to route traffic, you won't have a failover mechanism because you are forcing traffic through the secondary interface, which in many cases is not desired.
Since there is a lot to consider, Cisco does not recommend this configuration.
11-14-2013 03:35 PM
Hi,
Yes, the configuration is most likely something that is not good for every situation. I am not sure if it's something that would be a good choice in the long run. It is something that will get the job done for someone who wants to accomplish this kind of behaviour, but it also requires the user to understand how it behaves and how possible new NAT configurations need to be positioned for them to work correctly.
If the user wishes any kind of failover of the WAN link for this single HOST, he would have to manually remove the mentioned NAT configuration for the traffic to match the normal Dynamic PAT configuration located in a lower section.
The correct way would probably be to use a router in front of the ASA, have it connect to both of the ISP links, and perform PBR on the router. We don't do this kind of NAT configuration in our production environment; it (PBR) is always done on the 6500/7600 core devices.
It would be great if the ASA supported the same kind of scripting as the routers. I could play so much more with the NAT operation and traffic forwarding on the ASA. Not that it would be anywhere near user friendly anymore, but I would be happy to test.
- Jouni
11-14-2013 03:57 PM
Thanks all for helping!
After posting, I was looking into route-map actually and got excited!
However, knowing it's not going to work on the ASA (not even 9.1.2?!), I'm just quite disappointed...
Jouni, we basically just want that host to use the backup ISP for a specific destination. So I should have something like this:
object network HOST
 host 10.32.2.90
object network CLOUD
 host 1.1.1.1
nat (LAN,SECONDARY) source dynamic HOST interface destination static CLOUD interface
Yes, we have a floating static route set up for the backup WAN, so I guess this is not a good way to solve this issue.
11-14-2013 05:17 PM
I see, thanks Jouni and everyone!
Let's hope that policy routing will be implemented on the ASA in a future release.
Messing with NAT in a production environment is not something fun, especially in a zero-tolerance situation...
So, we decided to put back the static route for that CLOUD destination only.