How to Configure Cisco ASA 5512 for multiple public IP interfaces

gskar1129
Level 1

Hi

I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic, but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.

Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (which is why we have three).

I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add-on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)

Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222

Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222

Inside1 : E 0/1 192.168.255.1 255.255.248.0

Inside2 : E 0/3 172.16.255.1 255.255.248.0

My goal is to have Inside1 route all internet traffic using Outside1 and Inside2 use Outside2. The problem is I can't seem to do this. I can get Inside1 to use Outside1, but Inside2 uses Outside1 as well.

I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222, but that doesn't seem to work.
I can post my config as needed. I am not well versed in the Cisco CLI; I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.

Thanks in advance for the suggestions/help.

5 Replies

Walter Astori
Level 1

interface Ethernet0/0.1239
 vlan 1239
 nameif OUTSIDE
 security-level 0
 ip address 74.55.55.210 255.255.255.240
!
interface Ethernet0/0.1240
 vlan 1240
 nameif OUTSIDE-BACKUP
 security-level 0
 ip address 50.241.134.220 255.255.255.248
!
interface Ethernet0/1.1
 vlan 1
 nameif INSIDE
 security-level 100
 ip address 192.168.255.1 255.255.248.0
!
interface Ethernet0/1.2
 vlan 2
 nameif INSIDE-BACKUP
 security-level 100
 ip address 172.16.255.1 255.255.248.0
!

This shows how to get the address of each ISP onto an interface. But how do you suggest that the original poster achieve his goal of having vlan1 use ISP1 and vlan2 use ISP2? That is the tricky part of trying to have 2 ISPs. It is easier to have a primary outbound path and a backup path. But to have some traffic go to one while other traffic goes to the other is difficult on the ASA.

 

HTH

Rick

Thanks guys for the responses. Richard, you are correct: I can create four interfaces and have done so, similar to what Walter posted. However, if I want Inside2 to only use Outside2 and Inside1 to only use Outside1, that seems to be difficult out of the box. If there is a way, I would love to know! I know I am probably using the ASA for something it shouldn't be used for, but it seems like it shouldn't be that big of a deal.
If you want traffic on vlan1 to use ISP1 and traffic on vlan2 to use ISP2, you must use Policy-Routing, like this:

access-list ACL-Ospf-Filtro-From-Idc-To-ISP1 extended permit ip 74.55.55.210 255.255.255.240 any
access-list ACL-Ospf-Filtro-From-Idc-To-ISP2 extended permit ip 50.241.134.220 255.255.255.248 any
!
route-map Ospf-Filtro-From-Idc-To-ISP1 permit 10
 match ip address ACL-Ospf-Filtro-From-Idc-To-ISP1
!
route-map Ospf-Filtro-From-Idc-To-ISP2 permit 10
 match ip address ACL-Ospf-Filtro-From-Idc-To-ISP2
!
router ospf 1
 router-id IDCCISCOISP1
 network 74.55.55.210 255.255.255.240 area 0
 area 0 authentication message-digest
 distribute-list route-map Ospf-Filtro-From-Idc-To-ISP1
!
router ospf 2
 router-id IDCCISCOISP2
 network 50.241.134.220 255.255.255.248 area 0
 area 0 authentication message-digest
 distribute-list route-map Ospf-Filtro-From-Idc-To-ISP2
!

I have been away for a while and am just getting caught up on some posts, so my apologies for the delayed response.

I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, one process for each of the public address ranges, with some strange distribute list which uses a route map. I am not clear what exactly this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.

To the original poster:

It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things, but fundamentally it is not a router. To achieve what you want, where one group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.

 

HTH

Rick
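To make the routing point of the question ("I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222") and of Rick's last reply concrete, here is an added Python model; it is not code from the thread, from the ASA, or from Cisco. An ordinary routing table is consulted with the destination address only, so a route for 172.16.248.0/21 matches packets going to that subnet, never packets coming from it, and Inside2's internet traffic still falls through to the default route on Outside1. The second lookup models what a router's source-based policy routing would do (which Rick's reply says the ASA does not offer). The table entries, the admin distances, and the 203.0.113.10 destination are constructed for the example, reusing the already anonymised addresses from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None means directly connected
    interface: str
    admin_distance: int = 1      # static route default; connected routes use 0


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed routing table modelled on the addressing in the question:
# the four connected networks, a default route via ISP1, and the static
# route the original poster tried to add for the Inside2 subnet.
ROUTING_TABLE: List[Route] = [
    Route(net("74.55.55.208/28"), None, "Outside1", 0),
    Route(net("50.241.134.216/29"), None, "Outside2", 0),
    Route(net("192.168.248.0/21"), None, "Inside1", 0),
    Route(net("172.16.248.0/21"), None, "Inside2", 0),
    Route(net("0.0.0.0/0"), "74.55.55.222", "Outside1"),
    Route(net("172.16.248.0/21"), "50.241.134.222", "Outside2"),  # the attempted fix
]


def route_lookup(dst: str, table: List[Route] = ROUTING_TABLE) -> Route:
    """Destination-only forwarding: longest prefix match, ties broken by
    the lowest administrative distance. The source address is never consulted."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


# Source-based policy, as a router's PBR would apply it before the routing table
# is consulted: (source prefix, egress interface, next hop). Constructed values.
PBR_POLICY: List[Tuple[ipaddress.IPv4Network, str, str]] = [
    (net("192.168.248.0/21"), "Outside1", "74.55.55.222"),
    (net("172.16.248.0/21"), "Outside2", "50.241.134.222"),
]


def egress_interface(src: str, dst: str, policy_routing: bool = False) -> str:
    """Return the interface a packet src -> dst leaves on. With policy_routing=False
    this is what a plain routing table gives; with True the source prefix decides."""
    if policy_routing:
        src_ip = ipaddress.ip_address(src)
        for prefix, interface, _next_hop in PBR_POLICY:
            if src_ip in prefix:
                return interface
    return route_lookup(dst).interface


if __name__ == "__main__":
    internet_host = "203.0.113.10"   # constructed destination (documentation range)
    for src in ("192.168.250.10", "172.16.250.10"):
        plain = egress_interface(src, internet_host)
        pbr = egress_interface(src, internet_host, policy_routing=True)
        print(f"{src} -> {internet_host}: routing table = {plain}, policy routing = {pbr}")
    # The attempted static route is only consulted for traffic *to* 172.16.248.0/21,
    # and even there the connected route wins on administrative distance.
    print("packet to 172.16.250.10 leaves via", route_lookup("172.16.250.10").interface)
```

Running the block shows the symptom from the question: with destination-based routing both inside subnets leave via Outside1, and only the source-based policy sends 172.16.250.10 out Outside2. That is the gap Rick's reply points at: the ASA's routing table answers "where is the destination", while the requirement is "which ISP does this source get", and no static route can express the latter.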