Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5163
Views
10
Helpful
7
Replies

Cisco ASA 5525X and 4948E switches - Dot1Q trunking and multiple default routes

Go to solution
Nicholas Beard
Level 1
Level 1

‎07-01-2012 10:28 AM - edited ‎03-07-2019 07:33 AM

I have the following setup -

2 x Cisco ASA 5525X Series Firewalls

2 x Cisco 4948E Switches

The switch configuration is as follows -

I have approximately 30 customers configured with internal and external VLANs -

Vlan 100

name Customer A In

Int vlan 100

IP Address 10.1.1.251 255.255.255.0

Vlan 101

name Customer B In

Int vlan 101

ip address 10.1.2.251 255.255.255.0

Vlan 200

name Customer A Out

int vlan 200

ip address 30.x.x.x. 255.255.255.248

vlan 201

name Customer B Out

int vlan 201

ip address 30.x.x.x 255.255.255.248

Each switch SVI interface has HSRP configured for HA between switches.  The default gateway for each customer is the virtual HSRP ip address which is 10.1.x.250 255.255.255.0 (where x is the customer subnet).

I then have the Cisco ASA firewalls connected to the switches via trunks as follows (there are obviously more interfaces than the two shown below, but just for simplicity) -

int gi1

switchport mode trunk

switchport trunk native vlan 10

switchport trunk allowed vlan 100,101 etc

description Cisco ASA inside

int gi2

switchport mode trunk

switchport trunk native vlan 10

switchport trunk allowed vlan 200,201 etc

description Cisco ASA outside

The Cisco ASA devices are setup in active/passive failover HA pair and are configured as follows -

int gi1

no nameif

int gi1.100

vlan 100

ip address 10.1.1.254 255.255.255.0

nameif Customer A Inside

int gi1.101

vlan 101

ip address 10.1.2.254 255.255.255.0

nameif Customer B Inside

int gi2

no nameif

int gi2.200

vlan 200

ip address 30.x.x.x 255.255.255.248

nameif Customer A Outside

int gi2.201

vlan 201

ip address 30.x.x.x 255.255.255.248

nameif Customer B Outside

The default gateway for each customer is the virtual HSRP ip address  which is 10.1.x.250 255.255.255.0 (where x is the customer subnet).  Policy based routing is then used to route up to the Cisco ASA Dot1q 'inside' interface for the customer from the switches.  The Cisco ASA will then perform NAT before (this is where the problem comes in) routing back down to the 'external' HSRP ip address of the VLAN on the 4948E switches.  The switches will then route out to the internet.

Now, I am aware that Cisco ASA devices do not support multiple deault routes or PBR.  So I am struggling to understand how I can create a seperate route for each customer to route back down to their specific gateway (external VLAN) on the 4948E switches.  Can anybody shed any light on this, or am I overthinking this?

Thanks

Nick

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Pettene
Level 1
Level 1
In response to Nicholas Beard

‎07-01-2012 02:50 PM

49xxs with IP BASE license offer the VRF-lite toolset but you can't do NAT on those boxes, so

you'd still be stuck on ASA multiple contexts... i'm sorry '-)

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Francesco Pettene
Level 1
Level 1

‎07-01-2012 02:11 PM

Hi Nick

have you considered creating multiple contexts on the ASAs?

This would allow to virtualise fw's routing tables and nat statements, you could

create for instance a context for every group of customers and some contexts

for your uplinks.

That's an example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#asdf

And keep in mind current limitations about vpns and dynamic routing protocols:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188973

Go to solution
Nicholas Beard
Level 1
Level 1
In response to Francesco Pettene

‎07-01-2012 02:31 PM

Hi Francesco, thanks for the response.

Yes i had previously considered using Multiple Contexts but was hoping to avoid the additonal cost that comes with the extra licences, as by default you only have 2 with the 5525.  I believe there is also a limit of 20 maximum contexts on the 5525 which is another possible problem.  We are also looking to utilise secure site to site VPN and I am aware you lose that functionality with contexts.

In short, I was hoping to utilise DOT1Q and VLANs to perform this as it is by far the most cost effective and functional (possible) solution.  At this point however, I do not know if there is any method I can utilise to route back down to the 'outside' SVI once the NAT has taken place. I think we may be stuck and therefore have to succumb to the requirement for the security contexts.

Thanks

Nick

0 Helpful

Go to solution
Francesco Pettene
Level 1
Level 1
In response to Nicholas Beard

‎07-01-2012 02:50 PM

49xxs with IP BASE license offer the VRF-lite toolset but you can't do NAT on those boxes, so

you'd still be stuck on ASA multiple contexts... i'm sorry '-)

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to Nicholas Beard

‎07-01-2012 05:29 PM

Hi,

If you go with a 5540, the number of context goes up to 50, if this number is good enough for you.

The price difference should not be much.

table-1 in this link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html

HTH

Go to solution
Nicholas Beard
Level 1
Level 1
In response to Reza Sharifi

‎07-02-2012 01:11 AM

Reza,  Thanks for the response unfortunately we have already purchased the Cisco 5525X Series.

I was doing some further thinking on this and believe if I remove the external VLANs from the 4948E switches and terminate the ISP connection into the Cisco ASA instead, all networks then become directly connected to the Cisco ASA.

I can then route traffic up to the ASA from the internal subnets (10.1.1.x, 10.1.2.x etc) and perform NAT on each internal subnet to their specific public subnet on (30.x.x.x/29).  If i then have a public ISP facing interface (60.x.x.x) on the Cisco ASA and perform a default route as follows -

Interface ISP - 0.0.0.0 0.0.0.0 60.x.x.x

This should work because the ASA will receive the internal LAN traffic, NAT the trafffic to the /29 subnet and forward it because this is directly connected route to the next hop upstream (ISP Router).

Can anybody think of a reason this would not work?

Thanks

Nick

0 Helpful

Go to solution
Francesco Pettene
Level 1
Level 1

‎07-02-2012 03:37 PM

if you don't have multiple uplinks, didn't

you overthink the whole issue?

you re just NATting internal subnets (on the

asa) that arent directly connected... am i making

it simpler than it really is? at first you mentioned

PBR but if you have single upstream this is not

what you need. that should work as you have

deescribed in your last post...

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Robert Rowland III
Level 1
Level 1

‎08-06-2012 08:32 AM

Nick,

You can create multiple default routes ... up to 3.  It does not show up well under testing however ...

------------------------------------------------------------------------

Now, I am aware that Cisco ASA devices do not support multiple deault  routes or PBR.  So I am struggling to understand how I can create a  seperate route for each customer to route back down to their specific  gateway (external VLAN) on the 4948E switches.  Can anybody shed any  light on this, or am I overthinking this?

Thanks

Nick

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card