ASA Behind Dual ISP Router

teymur azimov
Level 1

Hi. My application is this:

Two different ISPs connect to the router. ISP 1 IP: 85.132.21.71 and ISP 2: 81.34.21.34.

The router is connected to the ASA. The ASA outside IP is 10.0.0.2 and it is connected to the router's gi0/1 interface (whose IP address is 10.0.0.1).

My inside LANs are 192.168.10.1/24 and 172.30.30.1/24, configured on the ASA.

I want inside LAN 192.168.10.0 to be NATed to 85.132.21.71 and 172.30.30.0 to be NATed to 81.34.21.34. I do not need ISP redundancy.

How do I do this config? Please help me.

8 Replies

Hi,

   You can use policy based routing on the router to classify traffic sent out each ISP.  Is PBR supported on the router?

HTH,

Toshi

Thank you very much.

I do not know exactly how to configure the router and ASA.

I want to configure NAT on the ASA and PBR on the router, but how can I do this configuration?

thanks

teymur azimov
Level 1

Hi. My application is this:

Two different ISPs connect to the router. ISP 1 IP: 85.x.x.x and ISP 2: 81.x.x.x

I want inside LAN 192.168.10.0 to be NATed to 85.x.x.x and 192.168.100.0 to be NATed to 81.x.x.x. I wish to load balance the ISPs.

I do not need ISP redundancy.

Please check my config and give your recommendation.

thanks

Router Configuration.

interface GigabitEthernet0/0.105

description connected to ISP1

encapsulation dot1Q 105

ip address 85.x.x.106 255.x.x.x

interface GigabitEthernet0/0.233

description connected to ISP2

encapsulation dot1Q 233

ip address 81.x.x.234 255.x.x.x

interface GigabitEthernet0/1

description connected to ASA
ip address 10.0.0.1 255.255.255.0
ip policy route-map EXCH
speed auto

access-list 101 permit ip 85.x.x.0 0.0.0.255 any             is this one public ip or inside ip address?
access-list 102 permit ip 81.x.x.0 0.0.0.255 any

route-map EXCH permit 10
match ip address 101
set ip next-hop verify-availability 85.x.x.105


route-map EXCH permit 20
match ip address 102
set ip next-hop verify-availability 81.x.x.234

ip route 0.0.0.0 0.0.0.0 85.x.x.105
ip route 0.0.0.0 0.0.0.0 81.x.x.234

ip route 0.0.0.0 0.0.0.0 10.0.0.2    can I write this one???

ASA Configuration.

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.0.0.2 255.255.255.0

interface Ethernet0/1.10

nameif inside

security-level 100

ip address 192.168.10.0 255.255.255.0

interface Ethernet0/1.100

nameif inside2

security-level 80

ip address 192.168.100.0 255.255.255.0

global (outside) 1 85.x.x.108

global (outside) 2 81.x.x.236

nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside2) 2 192.168.100.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.0.0.1

Hi,

    The concept behind this is as follows:

1. You don't need to do NAT on ASA.  You need to do NAT on the router.

2. You need PBR to send traffic to each ISP you want.

f.e.

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 permit ip 192.168.100.0 0.0.0.255 any

route-map Classify permit 10

match ip address 101

set ip next-hop 85.x.x.105

route-map Classify permit 20

match ip address 102

set ip next-hop 81.x.x.234

!

interface GigabitEthernet0/1

ip policy route-map Classify

!

3. You need to follow the document below to get rid of the NAT problem.

Ref: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

Additional:

Router(conf)#no ip route 0.0.0.0 0.0.0.0 10.0.0.2

Router(conf)#ip route 192.168.10.0 255.255.255.0 10.0.0.2

Router(conf)#ip route 192.168.100.0 255.255.255.0 10.0.0.2

HTH,

Toshi

Thank you very much.

I want to be sure that this is the right configuration.

interface GigabitEthernet0/0.105

description connected to ISP1

encapsulation dot1Q 105

ip address 85.x.x.106 255.x.x.x

ip nat outside

interface GigabitEthernet0/0.233

description connected to ISP2

encapsulation dot1Q 233

ip address 81.x.x.234 255.x.x.x

ip nat outside

interface GigabitEthernet0/1

ip nat inside                           ----can i write this one?

ip policy route-map Classify

route-map Classify permit 10

match ip address 101

set ip next-hop 85.x.x.105

match interface GigabitEthernet0/0.105  --- can i add this command?

route-map Classify permit 20

match ip address 102

set ip next-hop 81.x.x.234

match interface  GigabitEthernet0/0.233  --- can i add also this one?

ip nat inside source route-map isp1 interface GigabitEthernet0/0.105 overload

ip nat inside source route-map isp2 interface GigabitEthernet0/0.233 overload

Thanks.

If I use the same route-map name, how do I apply this same route-map for NAT?

ip nat inside source route-map isp1 interface GigabitEthernet0/0.105 overload

ip nat inside source route-map isp2 interface GigabitEthernet0/0.233 overload

Hi,

  Just follow the document I provided. You should create a new route-map for NAT.

HTH,

Toshi

Hi Thotsaphon. I did the configuration as you told me. I want to make both links back up each other. In case one of the links goes down, all my traffic will use the other link. How do I do that with this configuration? (HSRP config between two routers and tracking the outside interface.) Thanks.

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

!

interface GigabitEthernet0/0.105

description connected to ISP1

encapsulation dot1Q 105

ip address 85.x.x.108 255.255.255.248

ip nat outside

ip virtual-reassembly

!

interface GigabitEthernet0/0.233

description connected to ISP2

encapsulation dot1Q 233

ip address 81.x.x.234 255.255.255.248

ip nat outside

ip virtual-reassembly

!

interface GigabitEthernet0/1

ip address 10.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map Classify

duplex auto

speed auto

standby 1 ip 10.0.0.3

standby 1 priority 110

standby 1 preempt

standby 1 track 1 decrement 20

!

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source route-map ISP1 interface GigabitEthernet0/0.105 overload

ip nat inside source route-map ISP2 interface GigabitEthernet0/0.233 overload

ip route 0.0.0.0 0.0.0.0 85.x.x.110

ip route 0.0.0.0 0.0.0.0 81.x.x.233

ip route 192.168.10.0 255.255.255.0 10.0.0.2

ip route 192.168.100.0 255.255.255.0 10.0.0.2

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 permit ip 192.168.100.0 0.0.0.255 any

!

!

!

!

route-map Classify permit 10

match ip address 101

set ip next-hop 85.x.x.110

!

route-map Classify permit 20

match ip address 102

set ip next-hop 81.x.x.233

!

route-map ISP2 permit 20

match ip address 102

match interface GigabitEthernet0/0.233

!

route-map ISP1 permit 10

match ip address 101

match interface GigabitEthernet0/0.105
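
As an added illustration that is not part of the thread: a small Python model of how the policy route-map (Classify) and the NAT route-maps (ISP1, ISP2) in the last configuration interact, including the case asked about where one ISP link is down. The addresses are constructed placeholders for the elided 85.x.x.x and 81.x.x.x values, ACL 110 and the NAT_VARIANT rule set are hypothetical, and the model assumes a link counts as failed only when its subinterface is down.

```python
import ipaddress

# Constructed placeholder addresses (documentation ranges); the thread elides the real ones.
ISP1 = {"ifname": "Gi0/0.105", "addr": "198.51.100.2"}
ISP2 = {"ifname": "Gi0/0.233", "addr": "203.0.113.2"}
ACL = {101: ["192.168.10.0/24"], 102: ["192.168.100.0/24"],
       # Hypothetical ACL 110 (not in the thread): both inside subnets.
       110: ["192.168.10.0/24", "192.168.100.0/24"]}

CLASSIFY = [(101, ISP1), (102, ISP2)]     # route-map Classify: ACL -> preferred link
NAT_THREAD = [(101, ISP1), (102, ISP2)]   # route-maps ISP1/ISP2 as posted
NAT_VARIANT = [(110, ISP1), (110, ISP2)]  # assumed variant: same ACL, differ by interface

def permits(acl, src):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in ACL[acl])

def egress(src, up):
    """PBR first; if the preferred link is down, fall back to a default route that is up."""
    for acl, link in CLASSIFY:
        if permits(acl, src) and link["ifname"] in up:
            return link
    for link in (ISP1, ISP2):             # static defaults, in configured order
        if link["ifname"] in up:
            return link
    return None

def translate(src, link, nat_rules):
    """A NAT route-map entry matches only if the ACL AND the egress interface match."""
    for acl, nat_link in nat_rules:
        if permits(acl, src) and nat_link["ifname"] == link["ifname"]:
            return nat_link["addr"]       # overload onto that interface address
    return src                            # no match: source leaves untranslated

def forward(src, up, nat_rules=NAT_THREAD):
    link = egress(src, up)
    if link is None:
        return None
    return link["ifname"], translate(src, link, nat_rules)

BOTH = {"Gi0/0.105", "Gi0/0.233"}
if __name__ == "__main__":
    for up in (BOTH, {"Gi0/0.233"}):
        for rules in (NAT_THREAD, NAT_VARIANT):
            print(sorted(up), forward("192.168.10.5", up, rules))
```

With the route-maps as posted, a 192.168.10.0/24 host that leaves via Gi0/0.233 matches neither NAT entry and keeps its private source address, while the variant translates it to the surviving interface's address.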