asa/ 2811 two gateway

JATINDER KUMAR
Level 1

Dear friends, please help. I have got an ASA 5510 (this is a routing question, that's why it's in this category and not in security) on which my inside is LAN and outside is ADSL - WAN1, and IPVPN - WAN2. Now we want a few of our users to use the internet through ADSL and the rest to go through WAN2, i.e. IPVPN. Remember, all the inside users are on the same network. How can this be done? Connectivity is like the following:

Inside users ==> ASA ==> ADSL
                     ==> IPVPN

Both have internet access, with public IPs on IPVPN.

Please help

Jatin

Mercy

1 Accepted Solution


Hi

I have created some lines for you to understand the same. For more info, please refer to the URL below.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Access list for internal users:

ip access-list extended pbr
 permit ip 192.168.1.0 0.0.0.255 any

(You can have a single host entry too.)

Policy-based routing for internal users:

route-map pbr permit 10
 match ip address pbr
 ! f0/1 is the interface connected to the ADSL modem
 set interface f0/1

---or---

 set ip next-hop adsl-gateway-ip-address

Applying to the inside interface:

! interface connected to the ASA
int f0/0
 ip policy route-map pbr

NAT config for internal users, subnet or hosts:

ip nat inside source list pbr interface f0/1 overload
! ADSL interface
int f0/1
 ip nat outside
! ASA interface
int f0/0
 ip nat inside

Add a route in the router to reach your internal network towards the ASA:

ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress

Finally, allow external traffic to flow inside via the ASA outside interface with an access list.

HTH

Rama


9 Replies 9

RAMACHANDRA R
Level 1

Hi,

You can have 2 different NAT IDs for local users, binding each one to the ADSL and IPVPN interfaces with global statements; ultimately the ASA will look for the default route to route the packets. The ASA will not load-balance across multiple ISPs. If you have a router, you can enable policy-based routing to push the traffic onto different ISPs based on your requirements.

HTH

Rama

Thanks for the reply. Let me tell you the topology:

ISP ==> ADSL Modem ==> ASA (Outside) ==> Inside Network

ISP ==> 2811 (IPVPN) ==> ASA (VPN Interface) ==> Inside Network

We want 80% of the random IPs (users) to use ADSL for going out and the rest to use IPVPN for going out. Please give some idea.

Hi,

You will be able to achieve this by terminating the ADSL line on the 2811 router (provided you have an additional Ethernet interface card on it, for example 4ESW or a routed interface). If your IPVPN is via a serial line, then you can use the inbuilt router port to connect the ADSL line.

HTH

Rama

Can you please explain a bit more? Because if I terminate my ADSL on the router, it will still pass through the ASA, because every user can go out via the ASA only, so again there will be a case of routing. Please explain.

Hi

Your topology will look similar to the below:

                                    |============> ADSL =====
Internal ===== ASA ===== (Cisco2811)
                                    |============> IPVPN =====

I assume that for the ADSL connection you are getting the IP address via DHCP. Configure one default gateway in the ASA towards the Cisco router (you can have a /30 or /29 IP address between the ASA and the router). If you have got a public IP address from the IPVPN provider, force the desired internal users to get NATed to that IP in the ASA, and allow the remaining users to go directly to the router, and there you do NAT to the ADSL interface (you need to use policy-based routing with NAT to push users onto the ADSL link).

HTH

Rama.

Thanks Rama, too good, really. A last bit of help if possible: can you please give me some idea on PBR? I have never used it. Or any docs which can give me an idea. Thanks for helping me.

Mercy

Jatin

A quick question: how can we give two routes in the router to send all the traffic to ADSL and some traffic on IPVPN? And I didn't understand your following line:

Add route in router to reach your internal network towards ASA

ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress

Please help. What is a NAT ID?

Hi,

You will have one default route pointing towards IPVPN and policy-based routing for the ADSL link.

Add a route in the router to reach your internal network towards the ASA:

ip route 192.168.1.0 255.255.255.0 asa-external-ipaddress

You will be doing NAT for internal IP addresses over the ADSL line; for that, your router should know how to reach them.

nat id - http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

HTH

Rama
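
An added example, not part of the original thread or any poster's configuration: a small Python model of the split described above, in which sources permitted by the `pbr` access list are policy-routed to ADSL and everything else follows the default route to IPVPN. It goes slightly beyond the posted ACL by handling `deny` and `host` entries; the ACL contents and host addresses below are constructed for illustration.

```python
import ipaddress

# Constructed ACL in IOS syntax (illustrative values, not from the thread):
# one host is kept on IPVPN, the rest of the lower half of 192.168.1.0/24
# is policy-routed to ADSL.
ACL_PBR = """\
deny   ip host 192.168.1.10 any
permit ip 192.168.1.0 0.0.0.127 any
"""

def parse_acl(text):
    """Return [(action, base_int, wildcard_int)] for 'ip <source> any' entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        tok = line.split()
        if tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tok[2] == "host":
            base, wild = tok[3], "0.0.0.0"
        else:
            base, wild = tok[2], tok[3]
        entries.append((tok[0], int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def acl_action(entries, src):
    """First match wins; bits set in the wildcard mask are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wild in entries:
        if (s | wild) == (base | wild):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def egress(entries, src):
    """Model of 'route-map pbr permit 10': permitted sources go to ADSL;
    sources the ACL denies are not policy-routed and follow the default
    route, which points at IPVPN."""
    return "ADSL" if acl_action(entries, src) == "permit" else "IPVPN"

if __name__ == "__main__":
    acl = parse_acl(ACL_PBR)
    for host in ("192.168.1.10", "192.168.1.20", "192.168.1.200"):
        print(host, "->", egress(acl, host))
```

Because the posted NAT statement (`ip nat inside source list pbr interface f0/1 overload`) reuses the same list, a source the ACL does not permit is neither policy-routed nor translated onto the ADSL interface.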
