How to use a router to create policy based routing

tvavra
Level 1

I have an ASA 5505 at each of three locations.  We have VPN tunnels set up between the three sites.  I am currently using a single ISP to control the traffic between the sites.  I am adding a new ISP to the mix.  The goal is to have any internet traffic routed to ISP 2 and all internal traffic routed to ISP 1.

The ASA does not do policy based routing (mostly because it is a firewall, not a router).  I need to configure a router that will accept the output of the ASA and route it according to the above rule.  All incoming routing will be done through ISP 1.  Can someone make a suggestion on the device and the methodology to set it up?  I am planning on doing this in each location.  If there are any changes that need to be done to the ASA configuration, please let me know.

3 Replies

lal.antony
Level 1

Hi Tim,

If you can provide me with a network diagram including how the VPN traffic is tunneled through the two ISPs, that can help to answer your questions properly.

Meantime, yes, any router can do PBR. It is a feature of the IP Base image (default lowest IOS license), so given you can source routers that have two routed ports for the WAN side, you are good to go.

Below is a link to Feature Navigator, so when you select your router platform (2900 etc.) you can make sure your IOS includes the feature.

http://tools.cisco.com/ITDIT/CFN/Dispatch

Hope this helps.

Cheers

Lal Antony

www.lalantony.com

I am attaching a rough diagram of my network.  I currently use my ASAs as gateways to the internet.  I have T1s attached at 2 sites and a bonded T1 at our home office.  I have a fourth ASA which connects only to the home office and not the other two locations.  This VPN tunnel is set up to get phones (VOIP) and data to a local manufacturing site.  I am currently using Comcast as the ISP at that location.

With the other three, all have tunnels set up to each other.  What I want to accomplish is to have the router take the signal from the ASA and, based on its destination, route it either to the AT&T ISP or the Comcast ISP.  In a couple of months, we will be implementing a SAAS ERP system and I will need to route all that traffic through the AT&T lines.  That is why I want to put in the router to give me more flexibility when it comes to determining the route.  Also, I am not sure if the router will be able to ping the ISP and, if it is not functional, route the traffic to the available ISP.  But I am getting ahead of myself.  The main location where the server is right now has a bonded T1.  On the other two locations, we have a single T1.  In all cases the T1 comes into a Cisco router that splits the signal to voice and data.  The voice goes to our phone system and the data goes to the ASA.  After the ASA there is a switch for the network and then the nodes.  We are pretty basic.  If I can get over this hurdle, I think I will have a system that will last me for at least another two or three years, which is the lease on the SAAS system.

Thanks for your help, let me know if you need any other information.

Hi Tim,

From the looks of the thing you want to set up, I reckon having the router in front of the ASA is the best way. But for that setup to work you need to move the IPSec Site-to-Site VPN setup to the routers and use the ASAs to do firewalling.

On each site's router you can easily put PBR to identify and push the traffic as required by your design. Also make sure you do the NAT at the correct point for the traffic. I would recommend doing this at the routers with correct ACLs set up for the identified traffic.

The link below shows you the models available. I reckon a 2911 will do the trick for you with the IP Base image (if you require other advanced features please select the correct image; IP Base will give you PBR). The 2911 has 3 Gigabit interfaces, so two WAN connections and one inside connection into the ASA.

http://www.cisco.com/en/US/products/ps10538/prod_series_comparison.html

Hope this helps, if you have any specific questions please let me know.

Thanks

Cheers

Lal Antony

www.lalantony.com
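As an added illustration of the design discussed above (not configuration posted by anyone in this thread), here is an IOS PBR example for one site's router: site-to-site traffic is steered to ISP 1, everything else to ISP 2, and each next hop is only used while an IP SLA probe shows its gateway reachable, which covers the "ping the ISP and fail over" point raised above. All addresses, interface names and subnets are constructed placeholders, and it assumes the VPN terminates on the router as suggested in the second reply (if the tunnels stay on the ASAs, the first ACL would instead match the remote ASAs' public peer addresses).

```ios
! Assumed placeholders: LAN 10.1.0.0/16, remote sites 10.2.0.0/16 and
! 10.3.0.0/16, ISP 1 (AT&T) gateway 203.0.113.1 on Gi0/0,
! ISP 2 (Comcast) gateway 198.51.100.1 on Gi0/1, ASA on Gi0/2.
!
! Probe each ISP gateway so a dead next hop is skipped instead of black-holing traffic.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Traffic that must use ISP 1: the other two sites (add the SaaS ERP
! destinations here later, as the thread plans).
ip access-list extended INTERNAL-TO-ISP1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
! Everything else leaving the LAN is general internet traffic.
ip access-list extended LAN-TO-INTERNET
 permit ip 10.1.0.0 0.0.255.255 any
!
! Preferred next hop first; the second entry is only used if track 1/2 is down.
route-map PBR permit 10
 match ip address INTERNAL-TO-ISP1
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map PBR permit 20
 match ip address LAN-TO-INTERNET
 set ip next-hop verify-availability 198.51.100.1 10 track 2
 set ip next-hop verify-availability 203.0.113.1 20 track 1
!
! PBR is applied to the interface where the ASA's traffic enters the router.
interface GigabitEthernet0/2
 description Inside - toward ASA outside interface
 ip policy route-map PBR
!
! Ordinary routing for router-originated traffic and anything PBR leaves alone:
! ISP 2 while it is reachable, floating static via ISP 1 otherwise.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
```

NAT and the crypto configuration are left out of this example; as noted above, NAT needs its own ACLs so that site-to-site traffic is not translated, and a wrong NAT point will silently break the tunnels even when PBR is correct.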
