11-13-2020 06:32 AM
We recently set up a second ISP connection to offload some traffic from, and increase the bandwidth available on, the first connection. Our network basically goes like this: ISP > ASA > web filter > core switch. The second ISP connection is set up the same way, with everything going back to the same core switch. I was able to start directing traffic for a specific VLAN off to the new Internet connection via route-map, and the clients on that network are able to connect to the Internet; we thought things were fine up until staff started trying to use some of our internal web services.
When they try to go to one of our hosted services the page loads up blank. When I do a traceroute to various servers that are part of a different VLAN I get a routing loop, but if I traceroute a random device on a separate VLAN I don't get the routing loop, just on the one VLAN that happens to contain our servers.
My route-map config is pretty simple, maybe too much so:
match ip address Conn2
set ip next-hop *2nd ASA IP*
ACL for the route-map: permit 10.2.0.0 0.0.255.255
Is there something more I need to add to the ACL to prevent a routing loop, or what am I doing wrong here? Core is a Cisco 6807-XL, ASAs are 5525s.
11-13-2020 06:55 AM - edited 11-13-2020 06:56 AM
Hello @A_Marquez ,
> ACL for the route-map: permit 10.2.0.0 0.0.255.255
> Is there something more I need to add to the ACL to prevent a routing loop or what am I doing wrong here? Core is a Cisco 6807XL, ASA's - 5525
You should use an extended ACL that:
- denies flows between the subnet and the DMZ servers
- allows traffic sourced from 10.2.0.0 0.0.255.255 to any
This way the first flows are not processed by PBR, and this should fix your issues.
Hope to help
Giuseppe
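The fix above, written out as an added example (not the poster's or Giuseppe's actual configuration). The point it shows: a standard ACL matches on source only, so every packet from 10.2.0.0/16, including packets for internal server subnets, is policy-routed to the second ASA instead of following the core's routing table. In a PBR ACL, a "deny" entry does not drop traffic; it excludes the flow from the route-map so it is forwarded normally. Names and addresses are assumptions for illustration: VLAN 20 and 10.2.0.1/16 for the user SVI, 10.10.0.0/16 for the server/DMZ VLAN, 192.0.2.2 for the second ASA's inside address; "Conn2" is the ACL/route-map name from the thread.

```cisco
! Added example, not from the original thread. Addresses, VLAN number and
! the 10.10.0.0/16 server subnet are placeholders.
!
! Original (source-only) match, which policy-routes everything from the
! user subnet, server-bound traffic included:
!   ip access-list standard Conn2
!    permit 10.2.0.0 0.0.255.255
!
! Replacement: extended ACL, evaluated top down. The deny entries exempt
! internal destinations from PBR; only the final permit is policy-routed.
ip access-list extended Conn2
 remark User subnet to server/DMZ VLAN: leave on normal routing
 deny   ip 10.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark Any other internal 10/8 destination: leave on normal routing
 deny   ip 10.2.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark Everything else from the user subnet: send to ISP 2
 permit ip 10.2.0.0 0.0.255.255 any
!
route-map Conn2 permit 10
 match ip address Conn2
 set ip next-hop 192.0.2.2
!
interface Vlan20
 description User VLAN steered to ISP 2
 ip address 10.2.0.1 255.255.0.0
 ip policy route-map Conn2
!
! Verification after applying:
!   show ip policy            - confirms Conn2 is bound to Vlan20
!   show route-map Conn2      - policy-routing match counters
!   show ip access-lists Conn2 - per-entry hit counts; server-bound
!                                traffic should hit the deny lines
```

The second deny (10.0.0.0/8) is broader than the answer strictly requires; it is there so that other internal subnets added later are not accidentally steered out the second ISP. If the environment uses other RFC 1918 ranges internally, add matching deny entries above the permit.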
11-13-2020 09:05 AM
That did it! I had tried it earlier, but I had an ACL that was configured on the subnet itself that I think was conflicting with the ACL for the route-map. Thank you for your help!