3560 two ISP and ASA

Arthur Rack
Level 1

Hi, my configuration is like this:

[Diagram: 3560.jpg]

I have two ISPs: Primary and backup.

 

What I want to do: I'm receiving default routes 0.0.0.0 from both ISPs. This is working fine on the Cisco 3560.

I have made a static route on 3560:

ip route DMZ_IP_ADD DMZ_SUBNET_MASK 10.100.100.2

Hosts from VLANs are able now to ping DMZ servers etc, but they can't ping Internet hosts.
So I have created a PBR mechanism on 3560:

ip access-list extended PBR-ACL
 permit ip 10.10.10.0 0.0.0.255 any

route-map PBR_ACL permit 10
 match ip address PBR-ACL
 set ip next-hop 10.100.100.2

interface vlan 10
 ip policy route-map PBR_ACL

Now a host from VLAN 10 can ping both DMZ and Internet hosts, but now communication between hosts in different VLANs is malfunctioning. Hosts from VLAN 10 can ping other hosts in a different VLAN, but some of the services (ssh/telnet) are not working properly. I believe that traffic from VLAN 10 is directed to the ASA, then comes back to the 3560 and at the end is delivered to the other VLANs. Am I right?

Can someone help me configure this scenario?

P.S. I don't want to use the ASA as the endpoint for the ISP links.

3 Replies

Richard Burts
Hall of Fame

The easy part of answering your question is to confirm that yes, the PBR you configured is sending all traffic received from vlan 10 to the ASA. That is good if the destination is on the DMZ or the Internet, but not good if the destination is some other vlan connected to the 3560.

Changing that behavior is pretty straightforward. In the ACL used for PBR, begin by denying any traffic originating from vlan 10 with a destination in the other vlans, and then permit traffic from vlan 10 to any.

 

Beyond that I am not clear what you are trying to accomplish, and so am not sure what else to suggest. Your diagram shows Outside connected to the ASA. What outside is this? How does this outside relate to the connection to both ISPs?

Can you tell us what you want the ASA to do if it is not terminating the connection to the ISPs?

 

HTH

Rick

Thx for your reply.

OMG I'm so stupid... I will modify the ACL.

 

Second thing: what I meant by writing "P.S. I don't want to use ASA as the endpoint for ISP links." was that I want to terminate the physical connection from the ISP on the 3560, not on the ASA. The cloud "outside" near the ASA device means that the ASA does NAT.

 

I think that you helped me with this ACL and now all should work fine.

What I wanted to achieve: some part of the network traffic (from and to the Internet) must be redirected to the ASA for NAT (vlans 10, 20, 192 etc.) and for security purposes. Now I will create another VLAN, for example 100, called noNAT, and traffic from this VLAN will be sent directly to the ISP without passing through the ASA device.

If you fix the ACL then you should get the behavior that you want, in which outbound traffic is redirected to the ASA. To get the behavior that some traffic from the Internet is redirected to the ASA, you probably need another PBR applied to the vlan connecting to the ISPs, which would look for the translated addresses and forward that traffic to the ASA.

 

HTH

Rick
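The corrected PBR ACL from Rick's first reply, plus the ISP-side PBR for return traffic from his second, as an added example that is not the poster's or Cisco's own configuration. The VLAN 20 and VLAN 192 subnets, the ISP-facing VLAN number, and the ASA's public NAT range (left as a placeholder) are assumptions:

```cisco
! Added example, not the original poster's configuration. Assumed: VLAN 10 is
! 10.10.10.0/24, VLAN 20 is 10.10.20.0/24, VLAN 192 is 192.168.1.0/24, the ASA
! inside interface is 10.100.100.2 (from the thread), and ASA_PUBLIC_NET /
! ASA_PUBLIC_WILDCARD is a placeholder for the ASA's translated address range.
! Note: on a 3560 PBR needs the routing SDM template (sdm prefer routing).
!
! Step 1: inter-VLAN traffic is excluded from policy routing so the 3560 routes
! it normally. A "deny" in a PBR ACL means "do not policy-route", not "drop";
! without these entries VLAN-to-VLAN flows hairpin through the ASA, which is
! why stateful services such as ssh/telnet broke while ping still worked.
ip access-list extended PBR-ACL
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map PBR_ACL permit 10
 match ip address PBR-ACL
 set ip next-hop 10.100.100.2
!
interface Vlan10
 ip policy route-map PBR_ACL
!
! Step 2 (Rick's second reply): on the ISP-facing VLAN, steer packets from the
! Internet that are addressed to the ASA's translated addresses to the ASA so
! the return half of each NAT session also passes through it.
ip access-list extended TO-ASA-NAT
 permit ip any ASA_PUBLIC_NET ASA_PUBLIC_WILDCARD
!
route-map RETURN-TO-ASA permit 10
 match ip address TO-ASA-NAT
 set ip next-hop 10.100.100.2
!
interface Vlan200
 description ISP-facing VLAN (number assumed)
 ip policy route-map RETURN-TO-ASA
!
! The planned "noNAT" VLAN 100 gets no ip policy statement, so its traffic
! simply follows the 0.0.0.0/0 routes learned from the two ISPs.
```

Verify with "show route-map" (policy-matched packet counters) and "show ip policy" that VLAN 10 to VLAN 20 traffic no longer increments the PBR counters.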