Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1360
Views
0
Helpful
7
Replies

Two Internet Connection before FIREWALL and VLANS

Imran Irshad
Level 1
Level 1

‎05-19-2016 10:29 AM - edited ‎03-12-2019 12:46 AM

Dear Experts,

I got an issue with my scenario and unable to understand really what need to do 

I have installed Cisco ASA 5520 connected with Cisco router DIA. All ACLs, Inside/outside and global NATING on ASA

I created 3 VLANs, VLAN1, VLAN20, VLAN30.  all vlan going to DIA internet Connection.

Onl VLAN 1 all Servers Connected while VLAN10, VLAN20 for users, They are Browsing, access VLAN1/Servers.

But Now I added new DSL connection. I want VLAN10 and VLAN20 People will talk to DSL internet Connection not DIA Internet 

Kindly help me how it be possible.  Cisco WAN Switch which  connected is 3750. 

I want VLAN10, VLAN20 people to talk with VLAN1 and for Internet DSL not DIA while VLAN1 talk to DIA internet. 

Regards,

Labels:
0 Helpful
7 Replies 7

Borgenstrand
Level 1
Level 1

‎05-19-2016 11:18 AM

Hi,

as far as I am aware, the ASA5520 cannot handle PBR, and because it does NAT, you have no way of knowing who is who unless you have one NAT group for VLAN10 and VLAN20 and one NAT group for VLAN 1, if that is true you could implement PBR on the Multilayer switch(This depends on the image, you need Ipservices feature set for that) and if that is true you could decide that VLAN10&20 goes over DSL and VLAN1 goes over DIA.

0 Helpful

Imran Irshad
Level 1
Level 1
In response to Borgenstrand

‎05-20-2016 08:54 AM

Thanks Borgenstrand for reply, you are correct actually i used same as u mention so i think i should go for PBR. could you please clear me in NATING and PBR & let me know about PBR config. 

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Imran Irshad

‎05-21-2016 01:50 AM

Hi Imran,

The requirement  of segregating traffic based on source or destination IP addresses can be be achieved using PBR.

ASA 5500-x running 9.4.1 and above support PBR. ASA 5520 does not have support for PBR as newer image requires newer hardware.

Hope it helps.

RS

Rate if it helps.

0 Helpful

Imran Irshad
Level 1
Level 1
In response to Rishabh Seth

‎05-21-2016 01:55 AM

Thanks Rishbah,

Could you please help me on it if i will perform PBR on Cisco Switch ?

Because i have C3750x switch with PBR between ASA and Router. 

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Imran Irshad

‎05-21-2016 02:18 AM

Hi imran,

If you are using firewall for address translation then you need a mechanism to identify traffic on switch to perform PBR based on translated address. 

If translated ip for all internal vlans then you will not be able differentiate the traffic on switch. 

You can plan your network in such a way that you have different ip address for different vlans and then decide egress ISP based on your network.

Thanks 

RS

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Imran Irshad

‎05-22-2016 12:24 AM

Optionally, you could configure the ASA in multiple context mode then have one context go to DIA and the other go to the DSL connection.  But this would require a complete re-design of you network and might not be worth it.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Imran Irshad
Level 1
Level 1
In response to Marius Gunnerud

‎05-22-2016 01:24 AM

Hi Marius, 

Thanks for reply. actually i am using ASA (5520/Version 8.2) in Routed mode because  i have VPN and Sub-inf and VLANS, 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card