04-13-2011 02:46 AM - edited 03-04-2019 12:03 PM
Dear friends, please help. I have got an ASA 5510 (this is a routing question, that's why it's in this category and not in security) on which my inside is LAN and outside is ADSL (WAN1) and IPVPN (WAN2). Now we want a few of our users to use the internet through ADSL and the rest to go through WAN2, i.e. IPVPN. Remember, all the inside users are on the same network. How can this be done? Connectivity is as follows:
Inside users ==> ASA ==> ADSL
                     ==> IPVPN
Both have internet access, with public IPs on IPVPN.
Please help.
Jatin
Mercy
04-13-2011 05:13 AM
Hi,
You can have 2 different NAT IDs for local users, binding each one to the ADSL and IPVPN interfaces with global statements; ultimately the ASA will look for the default route to route the packets. The ASA will not do load balancing on multiple ISPs. If you have a router, you can enable policy-based routing to push the traffic onto different ISPs based on your requirements.
HTH
Rama
04-13-2011 05:19 AM
Thanks for the reply. Let me tell you the topology:
ISP ==> ADSL Modem ==> ASA (Outside) ==> Inside Network
ISP ==> 2811 (IPVPN) ==> ASA (VPN Interface) ==> Inside Network
We want 80% of the random IPs (users) to use ADSL for going out and the rest to use IPVPN for going out. Please give some idea.
04-13-2011 05:30 AM
Hi,
You will be able to achieve this by terminating the ADSL line on the 2811 router (provided you have an additional Ethernet interface card on it, for example 4ESW or a routed interface). If your IPVPN is via a serial line, then you can use the built-in router port to connect the ADSL line.
HTH
Rama
04-13-2011 10:26 PM
Can you please explain a bit more? Because if I terminate my ADSL on the router, it will still pass through the ASA, because every user can go out via the ASA only, so again there will be a case of routing. Please explain.
04-13-2011 11:11 PM
Hi
Your topology will look similar to the below:
|============>ADSL======
Internal =====ASA=====(Cisco2811)
|============> IPVPN=====
I assume that for the ADSL connection you are getting an IP address via DHCP. Configure one default gateway on the ASA towards the Cisco router (you can have a /30 or /29 IP address between the ASA and the router). If you have got a public IP address from the IPVPN provider, force the desired internal users to get NATed to that IP on the ASA, and allow the remaining users to go directly to the router, and there you do NAT to the ADSL interface (you need to use policy-based routing with NAT to push users onto the ADSL link).
HTH
Rama.
04-13-2011 11:46 PM
Thanks Rama, too good, really. One last bit of help, if possible: can you please give me some idea on PBR? I have never used it. Or any docs which can give me an idea. Thanks for helping me.
Mercy
Jatin
04-14-2011 12:28 AM
Hi
I have created some lines for you to understand the same. For more info, please refer to the URL below.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Access list for internal users:

ip access-list extended pbr
 permit ip 192.168.1.0 0.0.0.255 any
 ! (you can have a single host entry too)

Policy-based routing for internal users:

route-map pbr permit 10
 match ip address pbr
 ! f0/1 is the interface connected to the ADSL modem
 set interface f0/1
 ! ---or---
 set ip next-hop adsl-gateway-ip-address

Applying to the inside interface:

int f0/0
 ! interface connected to the ASA
 ip policy route-map pbr

NAT config for internal users, subnet or hosts:

ip nat inside source list pbr interface f0/1 overload
int f0/1
 ! ADSL interface
 ip nat outside
int f0/0
 ! ASA interface
 ip nat inside

Add a route on the router to reach your internal network via the ASA:

ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress

Finally, allow external traffic to flow inside via the ASA outside interface with an access list.
HTH
Rama
04-15-2011 01:09 AM
A quick question: how can we give two routes on the router to send all the traffic to ADSL and some traffic to IPVPN? And I didn't understand your following line:
Add route in router to reach your internal network towards ASA
ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress
Please help. What is a NAT ID?
04-15-2011 10:00 PM
Hi,
You will have one default route pointing towards IPVPN and policy-based routing for the ADSL link.
Add route in router to reach your internal network towards ASA
ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress
You will be doing NAT for the internal IP addresses over the ADSL line; for that, your router should know how to reach them.
NAT ID - http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
HTH
Rama
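The ASA half of the design described in this thread (a NAT ID tied to a global statement for the IPVPN users, everyone else passed untranslated to the router for PBR and NAT), as an added example that is not part of the original posts. It assumes ASA software 8.2 or earlier, where the nat/global syntax applies; the /26 chosen for IPVPN users, the 10.255.255.0/30 transit link and 203.0.113.10 standing in for the IPVPN public IP are constructed values.

```cisco
! --- ASA (8.2 or earlier), constructed example values ---
! inside  = 192.168.1.0/24 (from the thread)
! outside = 10.255.255.2/30, 2811 f0/0 = 10.255.255.1 (assumed transit link)

! Do not require a NAT rule for every flow: hosts that match no nat
! statement keep their 192.168.1.x source address and reach the router
! unchanged, where route-map pbr and the router NAT send them out via ADSL.
no nat-control

! NAT ID 1: hosts that should leave via IPVPN (assumed 192.168.1.192/26).
! The ID is only a label; it ties this nat statement to the global
! statement that carries the same number on the egress interface.
nat (inside) 1 192.168.1.192 255.255.255.192
global (outside) 1 203.0.113.10

! Single default route towards the router.
route outside 0.0.0.0 0.0.0.0 10.255.255.1

! --- 2811 additions to the PBR config posted in the thread ---
! Translated packets now have source 203.0.113.10, so they do not match
! access-list pbr (192.168.1.0/24) and follow the normal routing table.
! Default route towards the IPVPN provider (next hop is a placeholder):
ip route 0.0.0.0 0.0.0.0 ipvpn-gateway-ip-address
! Return path for the translated IPVPN users back to the ASA:
ip route 203.0.113.10 255.255.255.255 10.255.255.2

! --- Verification ---
! ASA:    show xlate                (IPVPN users appear as 203.0.113.10)
! Router: show route-map pbr        (policy-routing match counters)
!         show ip nat translations  (ADSL users translated on f0/1)
```

Replies to connections opened from the inside are permitted by the ASA's stateful connection table, so the outside access list only needs entries for services that are meant to be reachable from outside.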