12-19-2020 01:55 PM
Hello All,
I recently moved to a more rural area and have to utilize LTE cellular as my primary internet connection. I have 2 accounts with 1 being in my Cisco C819G LTE router and the other is a Netcomm IFWA-40 that I also use for voice service. I also recently added 2 GL.inet GL-MV1000 VPN routers to my setup to keep my LTE connection from being throttled.
My current setup looks something like Cisco 2980G Switch -> Cisco 3650 Switch -> Cisco ASA 5506-X -> GL-MV1000 Router -> Cisco C819G Router -> Internet. I have 7 VLANS configured on the switches for various devices.
The Netcomm IFWA-40 currently operates as a standalone device and network, but I'd like to hook it to one of the extra interfaces on the ASA.
My question is, is it possible to split my VLAN traffic going out to the Internet over both of these connections if both routers are connected to the ASA?
Essentially I want to do manual load balancing and I don't care about redundancy.
My ultimate goal would be to route VLANS 20 and 50 over the Netcomm IFWA-40 then have everything else route over the Cisco C819G router, but I'm not sure how to edit my current config to make that happen or if it's even possible.
My current config is attached. DMZ1 and 2 can be ignored, I was experimenting with them a while back and just never took them out of the configuration.
12-21-2020 12:42 AM
Hello,
I just lab tested this setup, and the below config works, give it a try. When you configure the extended access list, ignore the warning message, you are not using any routing protocols, just static routing.
access-list VLAN_20 extended permit ip 10.20.1.0 255.255.255.0 any
access-list VLAN_50 extended permit ip 10.50.1.0 255.255.255.0 any
!
route-map ISP_RM permit 10
match ip address VLAN_20 VLAN_50
set ip next-hop y.y.y.y
!
interface GigabitEthernet1/2
policy-route route-map ISP_RM
!
nat (inside,outside) 1 source dynamic any interface
nat (inside,outside2) 2 source dynamic any interface
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route outside2 0.0.0.0 0.0.0.0 y.y.y.y 10
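As an added check, not part of this thread or of Georg's config: a small Python lint that reads an ASA dual-WAN snippet and flags the three mistakes that came up in this thread (policy-route on the outside interface instead of inside, two default routes with the same AD, and no NAT rule for the second outside interface). The sample config is constructed; interface names and gateways are placeholders.

```python
import re

# Constructed sample (not from the thread): the dual-WAN layout with the three
# mistakes discussed above deliberately left in so the lint has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 policy-route route-map ISP_RM
interface GigabitEthernet1/3
 nameif inside
 security-level 100
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route outside2 0.0.0.0 0.0.0.0 10.1.1.1 1
nat (inside,outside) 1 source dynamic any interface
"""

def lint_dual_wan(config: str) -> list[str]:
    """Return findings for an ASA dual-WAN PBR snippet; an empty list means clean."""
    name, sec, pbr, defaults, nat_out = {}, {}, {}, {}, set()
    iface = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.startswith("nameif ") and iface:
            name[iface] = line.split()[1]
        elif line.startswith("security-level ") and iface:
            sec[iface] = int(line.split()[1])
        elif line.startswith("policy-route route-map ") and iface:
            pbr[iface] = line.split()[-1]
        elif line.startswith("route "):
            p = line.split()  # route <nameif> <net> <mask> <gw> [AD]; AD defaults to 1
            if p[2] == "0.0.0.0" and p[3] == "0.0.0.0":
                defaults.setdefault(int(p[5]) if len(p) > 5 else 1, []).append(p[1])
        elif (m := re.match(r"nat \((\w+),(\w+)\)", line)):
            nat_out.add(m.group(2))
    findings = []
    if not pbr:
        findings.append("no policy-route applied to any interface")
    for i, rm in pbr.items():  # 1. PBR belongs on the interface where traffic enters (inside)
        if sec.get(i, 0) == 0:
            findings.append(f"route-map {rm} is applied on outside interface {name.get(i, i)}; apply it on inside")
    for ad, ifs in defaults.items():  # 2. the ASA rejects a second default route with the same AD
        if len(ifs) > 1:
            findings.append(f"default routes via {', '.join(ifs)} share AD {ad}; use distinct ADs")
    for n in sorted({n for ifs in defaults.values() for n in ifs}):  # 3. NAT per egress interface
        if n not in nat_out:
            findings.append(f"no nat (inside,{n}) rule for egress interface {n}")
    return findings
```

Run it on your sanitized `show run` output before pushing the change; a clean result means the three pitfalls from this thread are not present, nothing more.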
12-19-2020 03:57 PM
Use PBR to make specific traffic take one path and the other traffic take the other path.
12-19-2020 05:00 PM
Hello,
not sure I fully understand your current configuration, as there is no 'route outside' at all? Either way, you (obviously) need another outside interface, and then the configuration below should work:
access-list VLAN_20 permit 10.20.1.0 255.255.255.0
access-list VLAN_50 permit 10.50.1.0 255.255.255.0
!
route-map ISP_RM permit 10
match ip address VLAN_20 VLAN_50
set interface outside
!
route-map ISP_RM permit 20
set interface outside2
!
interface GigabitEthernet1/2
policy-route route-map ISP_RM
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route outside2 0.0.0.0 0.0.0.0 y.y.y.y
12-19-2020 05:24 PM
Hi Georg,
Thanks for your reply, that is correct. Somehow I deleted the outside route when I was sanitizing it, so good observation.
The only outside route I have currently is "route outside 0.0.0.0 0.0.0.0 10.0.0.1 1" which is normally just above the inside routes.
So for your configuration changes, I just need to add that information and the additional outside route, I don't need to change anything else existing in the configuration?
12-19-2020 05:31 PM
need NAT from inside to new outside2
12-19-2020 06:16 PM - edited 12-19-2020 06:17 PM
Yes, I thought it needed another NAT statement. So I was able to add most of the commands Georg suggested above plus the NAT statement, but I'm getting an error when trying to add a new route for outside2, regardless of which IP address I try to use.
These are the existing routes.
12-19-2020 06:31 PM
Try and add the route like this:
route outside2 0.0.0.0 0.0.0.0 192.168.1.1 10
12-19-2020 06:32 PM
Only one default route with the same AD can be added.
Change the AD:
route ............. 2 <- add this and check
12-19-2020 08:20 PM
Well 10 or 2 works, but when I switch over to VLAN 20 or 50, it is still showing the same public IP as the other VLANs, so I don't think it is working. They should be different public IPs if it is routing 20 and 50 to outside2. Any ideas?
Latest config with changes above is attached.
12-19-2020 08:34 PM - edited 12-19-2020 09:17 PM
First, clear the xlate and conn tables.
Second, try to connect from these VLANs again.
12-20-2020 07:46 AM
Well it still seems to be operating in a fail-over setup, which is not what I wanted it to do.
I tried clearing the xlate, connections along with my cache and flushing my DNS this morning, but nothing made a difference, it still showed connection 1/1 being used.
When I went to my ASA and unplugged connection 1 (gigabit1/1), after 3-4 minutes it finally switched over to ISP2 (gigabit1/2) and was showing that public IP address when I go to "what is my IP?". As soon as I plugged gigabit1/1 back in it switched back over to that connection.
I don't really understand that since as far as I know I don't have anything in my configuration that is tracking the health of the connections, unless the ASA automatically does that.
12-20-2020 09:14 AM
Hello,
you have applied the route map to the outside interface, it needs to be applied to the inside:
interface GigabitEthernet1/2
description "WAN Connection to IFWA-40"
nameif outside2
security-level 0
ip address 10.1.1.2 255.255.255.0
--> no policy-route route-map ISP2
!
interface GigabitEthernet1/3
description "LAN Connection to Cisco 3650 Switch"
nameif inside
security-level 100
ip address 10.5.1.2 255.255.255.0
--> policy-route route-map ISP2
12-20-2020 09:18 AM
12-20-2020 09:20 AM
Friend, clear xlate and conn before testing again.
12-20-2020 09:56 AM
Hmmm, well it seems I can't win, now it is doing the opposite, it's routing everything over gigabit1/2 (ISP2). I've been testing with VLAN10, 20 and 50 with a different web browser to find the public IP, so it's definitely not a caching issue or anything.
I also couldn't get the ASA to accept an extended ACL for that route-map policy, it gets an error.
The only other access-list in there is an extended ACL for the firepower module.