09-19-2013 10:00 AM - edited 03-07-2019 03:34 PM
I'll try to keep this simple for my initial question. I am dual homed for my Internet service. I have two ASA firewalls pointed, one each, to the two Internet links. Both these firewall internal interfaces reside on VLAN5. Let's just call them ASA-1 and ASA-2. ASA-1 is associated with my default-gateway route on my network. I'm trying to create load sharing across the two firewalls/ISP links. I've created a route-map associated with a test host on VLAN4.
If I apply my route-map statement to my VLAN4 interface, my test host does indeed flow out ASA-2. My "set statement" simply points the "next-hop" at ASA-2. However, I lose access to other internal services since the client is bypassing any other internal routes.
If I apply the same route-map statement to my VLAN5 interface, a match is never made and my client proceeds to exit ASA-1.
I'm not sure what to think about this. It works on the routed VLAN interface on which the client resides, but not on an upstream routed VLAN interface?
If all this is unclear, I can post a diagram. You know what they say, a picture's worth 1,000 words.
09-19-2013 12:07 PM
You are correct.
The policy is examined on traffic coming IN to the interface and not OUT.
09-19-2013 10:11 AM
A diagram/picture would definitely help on this one!
Also, If I could see the configuration of your route-map that would be very useful in determining what is happening here.
Is there any NAT going on that would prevent a match from occurring at an upstream device?
09-19-2013 10:26 AM
Forgot to say... No, there are no NAT configurations internally on my network.
I did just have a thought. I think route-map statements need to be applied to "incoming" interfaces. Perhaps in this situation, my map won't work on VLAN 5 because it's considered an outbound interface in this flow. Don't know... just a guess.
09-19-2013 10:26 AM
I'll work on a diagram, but below are the interface and map configurations.
This is the vlan my ASA units are on:
interface Vlan5
ip address 165.199.5.2 255.255.255.0
ip helper-address 165.199.3.22
ip pim sparse-dense-mode
standby 1 ip 165.199.5.1
standby 1 priority 120
standby 1 preempt
ip policy route-map 2TWCDR
ip ospf cost 5
ip ospf priority 254
end
This is the VLAN interface my test host is on:
interface Vlan4
ip address 165.199.4.2 255.255.255.0
ip helper-address 165.199.3.22
ip helper-address 165.199.4.137
ip pim sparse-dense-mode
standby 1 ip 165.199.4.1
standby 1 priority 120
standby 1 preempt
ip ospf cost 4
ip ospf priority 254
end
This is the map statement:
route-map 2TWCDR permit 10
match ip address 1
set ip next-hop 165.199.5.7
The access list:
access-list 1 permit 165.199.4.20
The network default route line:
ip route 0.0.0.0 0.0.0.0 165.199.5.5
5.5 is obviously ASA-1 and 5.7 is ASA-2
09-19-2013 12:08 PM
I think route-map statements need to be applied to "incoming" interfaces. Perhaps in this situation, my map won't work on VLAN 5 because it's considered an outbound interface in this flow. Don't know... just a guess.
Exactly. You must place the route-map on Vlan4.
access-list 110 permit ip host 165.199.4.20 165.199.0.0 0.0.255.255
route-map 2TWCDR permit 10
match ip address 110
route-map 2TWCDR permit 20
match ip address 1
set ip next-hop 165.199.5.7
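To make the behaviour in this answer concrete, here is an added Python model of how IOS evaluates a policy route-map (this is illustration code written for this thread, not Cisco code or anything from the poster's router). It models three things: `ip policy route-map` only inspects packets that enter the interface it is applied to, sequences are tried in order with the first permitting ACL winning, and a sequence with no `set` clause hands the packet back to normal destination routing. The addresses and ACL numbers are the ones quoted in the thread; the Internet destination `198.51.100.10` and the packets themselves are constructed samples.

```python
"""Model of IOS policy-based routing (PBR) route-map evaluation.

Added illustration, not Cisco code. Three behaviours are modelled:
  1. `ip policy route-map` only inspects packets that ENTER the interface,
     so a policy on Vlan5 never sees traffic arriving from Vlan4.
  2. Sequences are tried in order; the first sequence whose ACL permits
     the packet wins.
  3. A matching sequence with no `set` clause hands the packet back to
     normal destination-based routing (the default route via ASA-1).
Addresses are the ones from the thread; the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"          # standard ACL entry with no mask = exact host
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # standard ACLs ignore the destination


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; unmatched packets hit the implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class MapSeq:
    seq: int
    acl: List[AclEntry]
    next_hop: Optional[str] = None   # None = sequence has no `set ip next-hop`


def policy_route(route_map: List[MapSeq], policy_if: str, ingress_if: str,
                 src: str, dst: str) -> str:
    """Next hop PBR chooses for a packet, or 'normal' for destination routing."""
    if ingress_if != policy_if:
        return "normal"              # policy never sees traffic that did not enter here
    for s in sorted(route_map, key=lambda m: m.seq):
        if acl_permits(s.acl, src, dst):
            return s.next_hop or "normal"
    return "normal"                  # no sequence matched: route normally


# Objects from the thread
ASA2 = "165.199.5.7"
TEST_HOST = "165.199.4.20"
ACL_1 = [AclEntry("permit", TEST_HOST)]                        # access-list 1
ACL_110 = [AclEntry("permit", TEST_HOST, "0.0.0.0",            # access-list 110
                    "165.199.0.0", "0.0.255.255")]
ORIGINAL_MAP = [MapSeq(10, ACL_1, ASA2)]                       # OP's first attempt
FIXED_MAP = [MapSeq(10, ACL_110), MapSeq(20, ACL_1, ASA2)]     # this answer's map

INTERNAL_SERVER = "165.199.3.22"   # helper address from the OP's config
INTERNET_HOST = "198.51.100.10"    # constructed destination outside 165.199.0.0/16

if __name__ == "__main__":
    # Original map applied on Vlan5: the packet entered on Vlan4, so no match
    print(policy_route(ORIGINAL_MAP, "Vlan5", "Vlan4", TEST_HOST, INTERNET_HOST))
    # Original map on Vlan4: internal traffic is also forced through ASA-2
    print(policy_route(ORIGINAL_MAP, "Vlan4", "Vlan4", TEST_HOST, INTERNAL_SERVER))
    # Fixed map on Vlan4: internal stays on normal routing, Internet goes to ASA-2
    print(policy_route(FIXED_MAP, "Vlan4", "Vlan4", TEST_HOST, INTERNAL_SERVER))
    print(policy_route(FIXED_MAP, "Vlan4", "Vlan4", TEST_HOST, INTERNET_HOST))
```

Running it shows the OP's two symptoms (no match on Vlan5, loss of internal reachability on Vlan4) and why sequence 10 with no `set` clause fixes the second one: a permit with nothing to set is not a no-op, it is an explicit "route this normally" that stops sequence 20 from ever being reached for internal destinations.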
09-25-2013 01:55 PM
Hi, is it solved?