04-05-2016 03:28 AM - edited 03-08-2019 05:14 AM
Hi,
I have a Cisco ASA 5525 and we have 2 leased lines, outside1 and outside2. Outside1, being primary, caters to all traffic, of course.
Problem:
We have a client's dial-up VPN which is not stable on outside1 but when tested works fine with the outside2 leased line. I need to divert the traffic for this VPN to go through the ISP that is on the outside2 interface. Can you please help me understand how I can create policy-based routing so that for that VPN's public IP (say 6.6.6.6), traffic originating from the inside interface (192.168.x.x/20) should go through the outside2 ISP (2.2.2.2)? I have checked and the ASA 5525 on software version 9.4 has the policy-based routing feature.
Would the policy-route be applied on the inside interface?
04-05-2016 04:29 AM
access-list acl-1 extended permit ip 192.168.0.0 255.255.240.0 any
route-map diff_ISP permit 10
match ip address acl-1
set ip next-hop 2.2.2.2
interface gig0/0
policy-route route-map diff_ISP
04-05-2016 05:41 AM
Thank you deshtikypshaq for your reply. However, the configuration you mentioned would divert all traffic from the machines via ISP2, right?
Is there a way to divert the traffic only destined for IP 6.6.6.6 via ISP2?
04-05-2016 05:51 AM
Hi!
access-list acl-1 extended permit ip 192.168.0.0 255.255.240.0 host 6.6.6.6
route-map diff_ISP permit 10
match ip address acl-1
set ip next-hop 2.2.2.2
interface gig0/0
policy-route route-map diff_ISP
Hope it helps, best regards!
JC
04-05-2016 10:00 PM
Thank you JC & deshtikypshaq for your quick replies !!
Just for the sake of curiosity....what if I have 3 ISPs. All traffic goes through default route, but I want traffic for 6.6.6.6 to go through ISP2 and traffic for 7.7.7.7 to go through ISP3. Is it possible?
I have this question because we will have a single inside interface and if i am correct, only one policy-route can be linked to one interface.
04-05-2016 10:15 PM
Just add one more clause to the route-map,
for example:
access-list acl-2 extended permit ip 192.168.0.0 255.255.240.0 host 7.7.7.7
route-map diff_ISP permit 10
match ip address acl-1
set ip next-hop 2.2.2.2
route-map diff_ISP permit 20
match ip address acl-2
set ip next-hop 3.3.3.3
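As an added illustration (not code from the thread or from Cisco), the following Python script simulates how the ASA evaluates a policy-route route-map on the ingress interface: clauses are tried in ascending sequence number, the first clause whose ACL permits the packet supplies the next-hop, and a packet that matches no clause falls through to the routing table, i.e. the default route via ISP1. It contrasts the source-only ACL from the first reply (every inside flow goes to ISP2) with the host-specific ACLs of the accepted answer and the three-ISP follow-up. The addresses 192.168.0.0/20, 6.6.6.6, 7.7.7.7, 2.2.2.2 and 3.3.3.3 are the thread's; the ISP1 gateway 1.1.1.1, the sample flows and all function and class names are assumptions made for this example.

```python
# Added example, not part of the thread: a small simulator of ASA policy-based
# routing (route-map clause selection) for the configurations discussed above.
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One 'access-list NAME extended permit ip SRC SRCMASK DST' line."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def permits(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class RouteMapClause:
    """One 'route-map NAME permit SEQ' block: its match ACL and set next-hop."""
    seq: int
    acl: list        # AclEntry objects of the ACL named in 'match ip address'
    next_hop: str    # address from 'set ip next-hop'


def acl_line(src, dst="0.0.0.0/0"):
    """Build an AclEntry in CIDR form: 'host X' is X/32, 'any' is 0.0.0.0/0.
    ASA mask 255.255.240.0 is /20, so the thread's inside range is 192.168.0.0/20."""
    return AclEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def select_next_hop(route_map, src_ip, dst_ip, default_gw):
    """Pick the next-hop the way PBR on the ingress interface does: evaluate
    clauses in ascending sequence, take the first whose ACL permits the packet,
    otherwise fall through to the routing table (the default route here)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for clause in sorted(route_map, key=lambda c: c.seq):
        if any(entry.permits(s, d) for entry in clause.acl):
            return clause.next_hop
    return default_gw


DEFAULT_GW = "1.1.1.1"  # assumed ISP1 gateway; the thread never names it

# First reply's route-map: source-only ACL, so every inside flow is sent to ISP2.
BROAD = [RouteMapClause(10, [acl_line("192.168.0.0/20")], "2.2.2.2")]

# Accepted answer plus the three-ISP follow-up: one host-specific ACL per clause.
SPECIFIC = [
    RouteMapClause(10, [acl_line("192.168.0.0/20", "6.6.6.6/32")], "2.2.2.2"),
    RouteMapClause(20, [acl_line("192.168.0.0/20", "7.7.7.7/32")], "3.3.3.3"),
]

# Constructed sample flows (src, dst): VPN peer 1, VPN peer 2, ordinary Internet
# traffic (documentation address), and a source outside the inside range.
FLOWS = [
    ("192.168.1.10", "6.6.6.6"),
    ("192.168.1.10", "7.7.7.7"),
    ("192.168.1.10", "203.0.113.10"),
    ("10.0.0.5", "6.6.6.6"),
]


def next_hops(route_map, flows=FLOWS):
    """Map each (src, dst) flow to the next-hop the given route-map would choose."""
    return {f: select_next_hop(route_map, f[0], f[1], DEFAULT_GW) for f in flows}


if __name__ == "__main__":
    for name, rm in (("broad", BROAD), ("specific", SPECIFIC)):
        for (src, dst), nh in next_hops(rm).items():
            print(f"{name:9} {src:>13} -> {dst:<13} next-hop {nh}")
```

Running it prints one row per flow for each route-map: under the broad ACL even the 203.0.113.10 flow leaves via 2.2.2.2, while under the host-specific clauses only 6.6.6.6 and 7.7.7.7 traffic is diverted and everything else, including traffic from sources outside 192.168.0.0/20, follows the default route. On the real ASA the same question can be put to the box with `show route-map` and `packet-tracer input inside ...` for a sample flow, which is the quickest way to confirm that the policy-route on the inside (ingress) interface is selecting the intended ISP before changing a customer VPN.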
04-06-2016 02:35 AM
Thank you... appreciate it. This helps a lot.
-best
nf