Cisco ASA routing issue

TECH-JEFF
Level 1

Hi, not sure if I'm on the correct path, but I've been using other firewalls and this is the first time I've used a Cisco ASA. This is my setup:

Gi0/2 is our second ISP as backup.

I added a route using a test PC with a static IP, added that machine as destination with a subnet mask of 255.255.255.255, and the source is the backup ISP, with a metric of 1. Correct me if I'm wrong, but a metric of "1" is the priority, right?

Then came another route with 0.0.0.0 0.0.0.0 going to another ISP but with a metric of 5 (will this be in effect with my test PC?).

So regardless of having 2 routes, since the test PC has a static route going to the backup ISP, it should not go to the main ISP, right?

After this, I created an access rule saying source is test PC going to backup ISP, then permit.

But for some reason, the test pc always passes thru the main ISP instead of the backup.

Am I missing something here?

Thanks

Jeff

Jefferson Co
10 Replies

AllertGen
Level 3

Hello, Jeff.

Am I right that you used a static route like this?

route [ISP_main_if_name] [PC_IP] 255.255.255.255 [ISP1_gateway_ip] 1

route [ISP_backup_if_name] 0.0.0.0 0.0.0.0 [ISP2_gateway_ip] 5

And the answer is "yes" about metrics. It determines the priority of the route.

In this case your first line will work while interface g0/2 is up (the route exists until the gateway IP address is unreachable). And the first line will always work while your g0/2 interface is up (no matter whether there is an ACL or not). The ACL only decides whether the ASA should drop this packet or not. In your case the ACL doesn't have any influence on the route table.

Also the ASA doesn't support PBR (policy based routing) or route balancing (two or more routes with the same metric).

But SLA technology works well on the ASA, so for your case you can try this example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

Best Regards.
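As an added example (not from the thread or the linked Cisco document), an ASA dual-ISP configuration in the shape AllertGen describes: the primary default route is tied to an SLA probe so it is withdrawn when the primary gateway stops answering, the backup default route carries a worse metric, a host route pins the test PC to the backup ISP as in the original question, and twice NAT is defined for both egress interfaces, because a NAT rule naming the wrong egress interface diverts traffic out that interface regardless of the static routes (the fault Jeff eventually found). Interface names, addresses and subnets are assumed placeholders.

```cisco
! Constructed example; interface names, addresses and subnets are placeholders.
! Probe the primary ISP gateway every 10 seconds through the "outside" interface.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
! Tracked object 1 follows the reachability result of SLA 10.
track 1 rtr 10 reachability
! Primary default route (metric 1) stays installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route with a worse metric takes over when the primary is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
! Host route forcing one test PC out the backup ISP, as in the original question.
route backup 10.0.0.50 255.255.255.255 198.51.100.1 1
! Twice NAT for both egress interfaces; a rule that names the wrong interface
! sends matching traffic out that interface no matter what the routes above say.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
nat (inside,backup) source dynamic inside-net interface
```

"show route" and "show sla monitor operational-state 10" confirm which default route is currently installed, and "packet-tracer input inside tcp 10.0.0.50 1025 <destination> 80" shows the NAT rule and egress interface the ASA actually picks for the test PC.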

We do not know what version of code is running on the ASA and so do not know the extent of what functions are available. But in recent versions of ASA code Cisco does now support PBR for ASA beginning in 9.4 code.

HTH

Rick


Hi, Richard.

I didn't know about the news that the ASA supports PBR now. Great news. Thank you very much.

Best Regards.

Yes it is supported beginning in 9.4. See this link for documentation on configuring PBR on ASA

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

HTH

Rick


Not sure if I can also inject this: I saw that there is URL filtering, either pointing to a Websense server or another web filtering server. I also saw Filter Rules where I can add HTTP. Is it possible to block a webpage for production with this?

Thanks

Jeff

Jefferson Co

Do you want to block all HTTP traffic or only a URL? Blocking all HTTP traffic for production is simpler (you can just drop packets from specific hosts to specific servers by HTTP port).

If you want to block only specific URLs you need a harder solution, where you identify URLs by regex. For example you can read this: https://supportforums.cisco.com/document/7201/asa-url-filtering-without-websense-or-n2h2smartfilter-server

Best Regards.

Not all HTTP traffic, but just specific URLs, specifically YouTube since this hogs our bandwidth in the office, and maybe some video streaming websites.

Actually I was on that URL yesterday typing in the commands under "Block specific URLs", but when I reached the part where I typed in "parameters" and typed in the next line "drop-connection log", it said invalid command.

Will try it again this morning and update you guys if I'm successful :)

Thanks

Jefferson

Jefferson Co

Tried the commands under "Block specific URLs", and the only command that I wasn't able to type in was "drop-connection log".

Other than that command everything was successfully typed in; I checked in ASDM and it was there. Moved the global policy up and applied the settings.

The site I tried to block was cisco.com, but unsuccessfully.

Thanks

Jeff

Jefferson Co

Hi.

The command will appear only after these steps:

1. policy-map

2. Enter parameters by typing this command ("parameters").

3. Put in the class map (command "class [name]").

4. You should see at the command line "(config-pmap-c)#", and "drop-connection log" will be accessible.

Best Regards.
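An added example (not AllertGen's or Cisco's own configuration) of the policy-map hierarchy those four steps walk through, applied to the site Jeff wanted to block: requests whose HTTP Host header matches a YouTube regex are dropped and logged by an HTTP inspection policy attached to the global policy. The object names, the class name and the regex itself are assumptions.

```cisco
! Constructed example; object names and the regex are placeholders.
! Regex that will be matched against the HTTP Host header.
regex blocked-youtube "youtube\.com"
class-map type regex match-any blocked-urls
 match regex blocked-youtube
! HTTP inspection class: any request whose Host header hits the regex class.
class-map type inspect http match-all block-url-class
 match request header host regex class blocked-urls
! Step 1: the HTTP inspection policy-map; step 2: "parameters"; step 3: the class.
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  ! Step 4: the prompt now reads (config-pmap-c)#, where drop-connection log is accepted.
  drop-connection log
! Send port 80 traffic through the inspection policy via the global service policy.
class-map http-traffic
 match port tcp eq www
policy-map global_policy
 class http-traffic
  inspect http block-url-policy
service-policy global_policy global
```

"show service-policy inspect http" shows the drop counters for the policy; note that this only sees plaintext HTTP on port 80, so HTTPS requests to the same site are not inspected by it.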

TECH-JEFF
Level 1

Hi AllertGen,

Yes, correct, I've set a static route just like what you've mentioned. Actually, just to share, the issue has been resolved. I've been tinkering all day thinking that I might have incorrect routing, but what I found out is that there was an incorrect NAT rule. Since I just got this device from the old Net Ad, it was just in time to discover a problem with the NAT. All throughout it was NATing to the incorrect IP or ISP.

Anyway, the important thing is the issue has been resolved and I appreciate all inputs. Thanks as well, Richard, for sharing that ASA 9.2 already has PBR.

Have a great day ahead guys!

Thanks

Jeff

Jefferson Co