03-24-2024 02:54 PM
Hello,
We have to drop a new ASA behind an SDWAN box and I wanted to confirm a route that's giving me a hard time. There are 2 ISP connections to the SDWAN Device which is itself connected to the ASA Outside interface (let's say 6.6.6.6) with the Inside interface (let's say 192.168.1.1) going to the LAN Switch. I need all Internet traffic to flow out of ISP1 Onsite (let's say 1.1.1.1) and Private Traffic over the old MPLS/ISP2 (let's say 2.2.2.2) which is also providing DHCP and such, across the circuit to another site.
Will setting the default outside route to 0 0 1.1.1.1 1 and a route outside 0 0 2.2.2.2 2 in the ASA achieve this? Also, will I need to use PBR as well? I believe I need a Static Route inside from 6.6.6.6 to 192.168.1.0 as well...
If anyone could reply with the specific ASA Config for each necessary command, or an example of this, I would greatly appreciate it!
Thank You,
PJ
03-27-2024 05:20 AM
If the SDWAN device is managed, all required policies should be communicated to the vendor. SDWAN will use both ISPs for private traffic and can use any/both of the ISPs for public traffic.
For ASA, there is not much to be done about routing other than defaulting to the SDWAN device.
Thanks.
03-25-2024 08:10 AM - edited 03-26-2024 10:39 AM
UPDATE - Still need a solution for the above scenario
03-25-2024 08:14 AM
Does the SDWAN connect to the ISP or to the ASA?
Can you draw the topology?
MHM
03-26-2024 10:38 AM - edited 03-26-2024 10:43 AM
Thanks for the reply, and I do need to do this still so that the onsite Internet routes through the ASA (if I have the routing done on the SDWAN device, it won't be firewalled).
So the SDWAN is connected to the onsite ISP so I do need to route inside traffic out to the SDWAN over the outside ASA interface and then out to the local ISP connection from that. Topology is:
SDWAN with ISP1 (onsite) and ISP2 Connected ---> ASA ---> Switch ---> LAN
Hope that is enough for you, appreciate the help!!!
Thanks!
03-26-2024 11:32 AM - edited 03-26-2024 11:35 AM
On the SDWAN device, a default out ISP1 and private space out ISP2 should do it.
On the FW, a 0/0 out to the SDWAN device.
HTH.
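The ASA side of what rais describes, as an added example that is not from the thread or from Cisco: the ASA only needs its two interfaces and a single default route whose next hop is the SDWAN device's address on the outside segment; NAT and access rules are outside this thread's scope and not shown. The SDWAN address 6.6.6.1 and the /24 masks are assumptions, since the thread only gives the ASA's own addresses.

```cisco
! Added example (not from the thread): minimal ASA routing for
! SDWAN (ISP1 + ISP2) ---> ASA ---> Switch ---> LAN
! Assumed values: outside subnet 6.6.6.0/24 with the SDWAN LAN-side
! address 6.6.6.1; inside 192.168.1.0/24. Substitute real addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 6.6.6.6 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! One default route; the next hop is the SDWAN device, which is
! directly connected on the outside segment. Choosing ISP1 for
! Internet and ISP2 for private space is the SDWAN policy's job,
! so the ASA does not point at 1.1.1.1 or 2.2.2.2 at all.
route outside 0.0.0.0 0.0.0.0 6.6.6.1 1
!
! No static route is needed for 192.168.1.0/24: it is a connected
! route on the inside interface.
!
! Verify from exec mode: expect both connected networks plus the
! single default via 6.6.6.1.
show route
```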
03-26-2024 12:38 PM
Thanks rais!
So, I think I'm overthinking this, as I'm used to both ISPs being connected to the ASA (new to SDWAN, obviously).
I don't have access to the SDWAN device (but I can verify the default "out" with them). So, as far as the ASA is concerned:
If I have the ASA Outside Interface connected directly to the SDWAN Device (66.x.x.x), and the Onsite ISP that I need as Default connected to the SDWAN Device on 41.x.x.x, will a Default Static Route Out to 41.x.x.x on the ASA do the trick?
Thanks Again, Very Much Appreciated!
03-27-2024 06:36 AM
I agree and have said this from the very beginning, so thank you very much! I believe I was definitely given the incorrect information regarding this; there is nothing that I have come up with that makes any real sense to do it any other way...
Thanks Again rais!