I'm in a bit over my head in trying to route WAN and LAN traffic via the correct interfaces. I have two remote offices, one north and one south, connected by a dedicated line between each other and one dedicated line between the north office and our headquarters. So far I have the south plant utilizing the dedicated line(s), but when they surf the internet it's going out the dedicated line and not the internet line. I think I have the static routes set up properly, but something is preventing it from working as desired.
Here is a quick breakdown of the setup in the southern plant. ISP into an ASA5510, dedicated line into a 2911 router both connecting to a switch. The ASA is acting as the DHCP server and I believe this is where my problems begin. There is a static route on the ASA that I don't believe needs to be there. It attempts to route WAN traffic to the 2911 but I don't believe it has worked from day one. My thought is that the DHCP Gateway should be pointing to the 2911 and the default static route should then send internet traffic to the ASA and LAN/WAN traffic over the dedicated line. Your thoughts?
I am new to the world of Cisco and routing traffic in a WAN environment so please be gentle in your responses. If you need additional information please just ask and I'm happy to provide it. Thanks in advance for any insight you can provide to a struggling admin!
I think you are right. With an ASA, getting traffic to come back out of the same interface requires extra configuration, and it may not have been set up properly.
Changing the default gateway to the router and then having a static pointing to the ASA for any non-known traffic would work a lot better. However, by default the ASA wants to hand out its own interface address as the default gateway. I found this thread which suggests you can change it to point to another DG -
An alternative may be to simply configure the 2911 router to be the DHCP server.
Edit - you can of course also just look to configure the ASA properly, but it does depend on your OS version on the ASA. Also, I am assuming the router will have all the known routes for the rest of your internal network so it will know when to use the default route. On the ASA I am assuming a summary route has been added for the rest of your network pointing back out of the same interface with the next hop as the 2911.
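The layout Jon describes (2911 as the LAN default gateway and DHCP server, ASA only for the default route, summary route on the ASA pointing back at the 2911), written out as an added configuration example; this is not the poster's or Jon's config, and every address, interface name and prefix below is an assumed placeholder.

```cisco
!===== 2911 (south plant) - assumed addressing, not from the thread =====
!   south LAN            192.0.2.0/24   (2911 Gi0/0 = 192.0.2.1, ASA inside = 192.0.2.254)
!   north/HQ networks    summarised as 10.0.0.0/8, reached over the dedicated line
!   dedicated-line peer  198.51.100.2
!   ISP resolver         203.0.113.53
!
! The 2911 hands out DHCP so clients get the router as their gateway (Jon's alternative).
ip dhcp excluded-address 192.0.2.1 192.0.2.20
ip dhcp pool SOUTH-LAN
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 ! ISP resolver, so lookups do not cross the dedicated line to the north plant
 dns-server 203.0.113.53
!
interface GigabitEthernet0/0
 description South LAN
 ip address 192.0.2.1 255.255.255.0
!
! Known internal destinations go over the dedicated line ...
ip route 10.0.0.0 255.0.0.0 198.51.100.2
! ... everything else (internet) goes to the ASA.
ip route 0.0.0.0 0.0.0.0 192.0.2.254

!===== ASA 5510 (south plant) =====
! Summary route for the rest of the company pointing back out the inside interface,
! next hop the 2911, so return traffic for those networks is not black-holed.
route inside 10.0.0.0 255.0.0.0 192.0.2.1 1
!
! If the ASA must stay the DHCP server for now, it can hand out the 2911 as gateway
! instead of its own interface (the "change the DG" approach):
dhcpd address 192.0.2.21-192.0.2.200 inside
dhcpd dns 203.0.113.53
dhcpd option 3 ip 192.0.2.1
dhcpd enable inside
```

Verification from a client: a traceroute to an internet host should show 192.0.2.1 then 192.0.2.254, while a traceroute to a 10.x address should show 192.0.2.1 then the dedicated-line peer; if clients are left with the ASA as gateway, internet traffic works but internal traffic hairpins on the ASA's inside interface, which is the "same interface" case Jon mentions.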
Thanks for the quick reply Jon, here's a quick update. Until I can get the 2911 configured for DHCP, the few PCs on this network have statically assigned IPs. I've had my contact there change the default gateway on the PCs, and this has helped in getting traffic to route out of the proper interface depending on its destination. Again, this is a short-term fix.
One issue they are reporting now is that internet speed is slow but it's only one internal hop before hitting the internet, how could this be a possibility? There is a static route on the ASA that was applied by the installer that attempts to forward any WAN traffic to the 2911, I'm going to delete regardless but could that have anything to do with it? Any thoughts are appreciated!
The static route shouldn't have anything to do with it because that route should only be used when the destination is a known destination within your network. However it depends what that static route covers. If it also covers the networks within that site then the return traffic from the internet will be sent to the 2911 and then routed back inside.
Even that should not slow it down that much unless the router is already quite heavily used. The only thing I can think of that would slow it down is if the router was overutilised or the interface was experiencing drops etc.
If it is still slow after removing the route, then it may be that you do need to send it by default to the firewall, but I can't think why you would need to do this.
You are correct, the static route was not the issue. I found the problem to be in the DHCP configuration of the ASA, it had a DNS server address that pointed to an address in the North plant. Once I changed the primary DNS entry to that of the ISP the speed increased significantly. Typically I wouldn't have much concern over the DNS address but in this case internet speed is slow and the fewer the hops, the better! Thanks for all of your insight Jon, it is really appreciated!