Solved: route-map not working on default gateway vlan

hhorton · ‎09-19-2013

I'll try to keep this simple for my initial question. I am dual homed for my Internet service. I have two ASA firewalls pointed, one each, to the two Internet links. Both these firewall internal interfaces reside on VLAN5. Lets just call them ASA-1 and ASA-2. ASA-1 is associated with my default-gateway route on my network. I'm trying to create load sharing accross the two firewalls/ISP links. I've created a route-map assocaited with a test host on VLAN4.

If I apply my route-map statement to my VLAN4 interface, my test host does indeed flow out ASA-2. My "set statement" simply points the "next-hop" at ASA-2. However, I loose access to other internal services since the client is bypassing any other internal routes.

If I apply the same route-map statement to my VLAN5 interface, a match is never made and my client proceeds to exit ASA-1.

I'm not sure what to think about this. It works on the routed VLAN interface on which the client resides, but not on an up stream routed VLAN interface?

If all this is unclear, I can post a diagram. you know what they say, a pictures worth a 1,000 words.

Kyle McKay · ‎09-19-2013

You are correct.

The policy is examined on traffic coming IN to the interface and not OUT.

View solution in original post

Kyle McKay · ‎09-19-2013

A diagram/picture would definitely help on this one!

Also, If I could see the configuration of your route-map that would be very useful in determining what is happening here.

Is there any NAT going on that would prevent a match from occuring at an upstream device?

hhorton · ‎09-19-2013

forgot to say... No there are no NAT configuratons internally on my network.

I did just have a thought. I think route-map statements need to be applied to "incoming" interfaces. Perhase in this situation, my map won't work on VLAN 5 because it's considered an outbound interface in this flow. Don't know... just a guess.

hhorton · ‎09-19-2013

I'll work on a diagram, but below are the interface and map configurations.

This is the vlan my ASA units are on:

interface Vlan5

ip address 165.199.5.2 255.255.255.0

ip helper-address 165.199.3.22

ip pim sparse-dense-mode

standby 1 ip 165.199.5.1

standby 1 priority 120

standby 1 preempt

ip policy route-map 2TWCDR

ip ospf cost 5

ip ospf priority 254

end

This is the VLAN interface my test host is on:

interface Vlan4
ip address 165.199.4.2 255.255.255.0
ip helper-address 165.199.3.22
ip helper-address 165.199.4.137
ip pim sparse-dense-mode
standby 1 ip 165.199.4.1
standby 1 priority 120
standby 1 preempt
ip ospf cost 4
ip ospf priority 254
end

This is the map statement:

route-map 2TWCDR permit 10
match ip address 1
set ip next-hop 165.199.5.7

The access list:

access-list 1 permit 165.199.4.20

The network default route line:

ip route 0.0.0.0 0.0.0.0 165.199.5.5

5.5 is obviously ASA-1 and 5.7 is ASA-2

Kyle McKay · ‎09-19-2013

You are correct.

The policy is examined on traffic coming IN to the interface and not OUT.

Peter Koltl · ‎09-19-2013

I think route-map statements need to be applied to "incoming" interfaces. Perhase in this situation, my map won't work on VLAN 5 because it's considered an outbound interface in this flow. Don't know... just a guess.

Exactly. You must place the route-map on Vlan4.

access-list 110 permit ip host 165.199.4.20 165.199.0.0 0.0.255.255

route-map 2TWCDR permit 10 match ip address 110

route-map 2TWCDR permit 20 match ip address 1 set ip next-hop 165.199.5.7

Peter Koltl · ‎09-25-2013

Hi, is it solved?