ASA 5515 Routing of LAN1 to ISP1 and LAN2 to ISP2

[Diagram: Screenshot 2024-01-17 162613.png]

Hi,

We have a Cisco ASA 5515 installed in our office. I wish to ask whether it is possible for a route from LAN1 to ISP1 and a route from LAN2 to ISP2 to work at the same time, as shown in the above diagram? Furthermore, could there be an additional static route for both LAN1 & LAN2 towards ISP3 for the traffic of one specific IP (i.e. 10.100.1.103)?

Thanks & Regards,
John Abbas Jaffery

4 Replies

Hello,

you could use policy routing. I have pieced together the (hopefully working) config below (IP addresses of the ISPs and interfaces are arbitrary, use your own):

ASA5515(config)# interface GigabitEthernet0/0
ASA5515(config-if)# no shutdown
ASA5515(config-if)# nameif inside-LAN_1
ASA5515(config-if)# security-level 100
ASA5515(config-if)# ip address 192.168.0.1 255.255.255.0

ASA5515(config)# interface GigabitEthernet0/1
ASA5515(config-if)# no shutdown
ASA5515(config-if)# nameif inside-LAN_2
ASA5515(config-if)# security-level 100
ASA5515(config-if)# ip address 10.10.0.1 255.255.255.0

ASA5515(config)# interface GigabitEthernet0/2
ASA5515(config-if)# no shutdown
ASA5515(config-if)# nameif outside-ISP_1
ASA5515(config-if)# security-level 0
ASA5515(config-if)# ip address 1.1.1.1 255.255.255.0

ASA5515(config)# interface GigabitEthernet0/3
ASA5515(config-if)# no shutdown
ASA5515(config-if)# nameif outside-ISP_2
ASA5515(config-if)# security-level 0
ASA5515(config-if)# ip address 2.2.2.1 255.255.255.0

ASA5515(config)# interface GigabitEthernet0/4
ASA5515(config-if)# no shutdown
ASA5515(config-if)# nameif outside-ISP_3
ASA5515(config-if)# security-level 0
ASA5515(config-if)# ip address 10.100.1.1 255.255.255.0

ASA5515(config)# access-list acl-LAN_1 extended permit ip 192.168.0.0 255.255.255.0 any
ASA5515(config)# access-list acl-LAN_2 extended permit ip 10.10.0.0 255.255.255.0 any
ASA5515(config)# access-list HOST extended permit ip host 10.100.1.103 any

ASA5515(config)# route-map PBR permit 10
ASA5515(config-route-map)# match ip address HOST
ASA5515(config-route-map)# set ip next-hop 10.100.1.2

ASA5515(config)# route-map PBR permit 20
ASA5515(config-route-map)# match ip address acl-LAN_1
ASA5515(config-route-map)# set ip next-hop 1.1.1.2

ASA5515(config)# route-map PBR permit 30
ASA5515(config-route-map)# match ip address acl-LAN_2
ASA5515(config-route-map)# set ip next-hop 2.2.2.2

ASA5515(config)# interface GigabitEthernet0/0
ASA5515(config-if)# policy-route route-map PBR

ASA5515(config)# interface GigabitEthernet0/1
ASA5515(config-if)# policy-route route-map PBR

Thanks @Georg Pauwen, that means these two separate routes will work at the same time, and nodes in LAN2 can access servers in LAN1 as well?

Is it technically fine for such a configuration to be made on an ASA 5515? I mean, will that work consistently, or are there some cons to such a configuration on this specific appliance?

Thanks & Regards

Hello John,

LAN to LAN traffic (LAN 1 to LAN 2 and vice versa) will not be affected. The PBR is only for outbound traffic. PBR is a pretty standard config and applied practice. I am thinking about downsides... one might be that if one of your ISPs fails, traffic might be blackholed. As far as I remember, that can be fixed (meaning that in case of failure of one of the links, the PBR automatically sends out traffic through the other link(s)). I'll check the config I sent you...

Hello John,

I pieced together the configuration below. I tested this in GNS3, but I would recommend testing it again in your live topology before actually implementing it. First of all, I was wrong when I said that PBR does not affect LAN traffic, and you actually have to deny LAN traffic in the access lists that match the corresponding route maps.

I have configured three LAN interfaces and three WAN interfaces. If one interface fails, the traffic goes out the next, and if that one fails, the next. SLA monitors are being used to track the states. The IP addressing for the WAN interfaces is, obviously, arbitrary, as I do not know your real ones.

See if you can figure out how this is supposed to work, and let me know if you have any questions.

interface GigabitEthernet0/0
nameif ISP_1
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif ISP_2
security-level 0
ip address 150.150.150.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif ISP_3
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif LAN_1
security-level 100
ip address 192.168.0.1 255.255.255.0
policy-route route-map PBR_ACL_LAN_1
!
interface GigabitEthernet0/4
nameif LAN_2
security-level 100
ip address 10.10.0.1 255.255.255.0
policy-route route-map PBR_ACL_LAN_2
!
interface GigabitEthernet0/5
nameif LAN_3
security-level 100
ip address 10.100.1.1 255.255.255.0
policy-route route-map PBR_ACL_LAN_3_HOST
!
access-list ACL_LAN_1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list ACL_LAN_1 extended deny ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list ACL_LAN_1 extended permit ip 192.168.0.0 255.255.255.0 any
!
access-list ACL_LAN_2 extended deny ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ACL_LAN_2 extended deny ip 10.10.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list ACL_LAN_2 extended permit ip 10.10.0.0 255.255.255.0 any
!
access-list ACL_LAN_3_HOST extended deny ip host 10.100.1.103 192.168.0.0 255.255.255.0
access-list ACL_LAN_3_HOST extended deny ip host 10.100.1.103 10.10.0.0 255.255.255.0
access-list ACL_LAN_3_HOST extended permit ip host 10.100.1.103 any
!
route-map PBR_ACL_LAN_1 permit 10
match ip address ACL_LAN_1
set ip next-hop verify-availability 100.100.100.1 1 track 1
set ip next-hop verify-availability 150.150.150.1 2 track 2
set ip next-hop verify-availability 200.200.200.1 3 track 3
!
route-map PBR_ACL_LAN_2 permit 10
match ip address ACL_LAN_2
set ip next-hop verify-availability 150.150.150.1 1 track 2
set ip next-hop verify-availability 100.100.100.1 2 track 1
set ip next-hop verify-availability 200.200.200.1 3 track 3
!
route-map PBR_ACL_LAN_3_HOST permit 10
match ip address ACL_LAN_3_HOST
set ip next-hop verify-availability 200.200.200.1 1 track 3
set ip next-hop verify-availability 150.150.150.1 2 track 2
set ip next-hop verify-availability 100.100.100.1 3 track 1
!
route ISP_1 0.0.0.0 0.0.0.0 100.100.100.1 1 track 1
route ISP_2 0.0.0.0 0.0.0.0 150.150.150.1 2 track 2
route ISP_3 0.0.0.0 0.0.0.0 200.200.200.1 3 track 3
!
sla monitor 1
type echo protocol ipIcmpEcho 100.100.100.1 interface ISP_1
num-packets 3
frequency 10
!
sla monitor schedule 1 life forever start-time now
!
sla monitor 2
type echo protocol ipIcmpEcho 150.150.150.1 interface ISP_2
num-packets 3
frequency 10
!
sla monitor schedule 2 life forever start-time now
!
sla monitor 3
type echo protocol ipIcmpEcho 200.200.200.1 interface ISP_3
num-packets 3
frequency 10
!
sla monitor schedule 3 life forever start-time now
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
track 3 rtr 3 reachability
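The forwarding decision that the route maps, tracked default routes and SLA monitors above produce, and the reason the LAN-to-LAN deny lines are needed, as an added Python model (not Cisco software and not the poster's configuration). It assumes the ASA behaviours the config relies on: policy-route is evaluated on the ingress interface, a packet that the route-map's ACL denies or does not match falls through to normal routing, the verify-availability next hops are tried in sequence order and skipped while their track object is down, and a tracked static route leaves the routing table while its track is down. The addresses are the arbitrary ones from the posted config; the test packets are constructed.

```python
"""Model of the ASA forwarding decision for the posted PBR + SLA-tracking config.

Added example, not Cisco code or the poster's configuration; the ASA behaviours
it mirrors are assumptions stated in the lead-in, and the data below is
constructed to match the posted config.
"""
from ipaddress import ip_address, ip_network


def _net(text):
    """Translate ACL address syntax: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if text == "any":
        return ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ip_network(text[5:] + "/32")
    addr, mask = text.split()
    return ip_network(f"{addr}/{mask}")


# Extended ACLs as posted: (action, source, destination).
ACLS = {
    "ACL_LAN_1": [
        ("deny", "192.168.0.0 255.255.255.0", "10.10.0.0 255.255.255.0"),
        ("deny", "192.168.0.0 255.255.255.0", "10.100.1.0 255.255.255.0"),
        ("permit", "192.168.0.0 255.255.255.0", "any"),
    ],
    "ACL_LAN_2": [
        ("deny", "10.10.0.0 255.255.255.0", "192.168.0.0 255.255.255.0"),
        ("deny", "10.10.0.0 255.255.255.0", "10.100.1.0 255.255.255.0"),
        ("permit", "10.10.0.0 255.255.255.0", "any"),
    ],
    "ACL_LAN_3_HOST": [
        ("deny", "host 10.100.1.103", "192.168.0.0 255.255.255.0"),
        ("deny", "host 10.100.1.103", "10.10.0.0 255.255.255.0"),
        ("permit", "host 10.100.1.103", "any"),
    ],
}

# Route maps: match ACL plus (next-hop, sequence, track) entries as posted.
ROUTE_MAPS = {
    "PBR_ACL_LAN_1": ("ACL_LAN_1",
                      [("100.100.100.1", 1, 1), ("150.150.150.1", 2, 2), ("200.200.200.1", 3, 3)]),
    "PBR_ACL_LAN_2": ("ACL_LAN_2",
                      [("150.150.150.1", 1, 2), ("100.100.100.1", 2, 1), ("200.200.200.1", 3, 3)]),
    "PBR_ACL_LAN_3_HOST": ("ACL_LAN_3_HOST",
                           [("200.200.200.1", 1, 3), ("150.150.150.1", 2, 2), ("100.100.100.1", 3, 1)]),
}

# policy-route per LAN interface, connected LANs, and the tracked default routes.
INGRESS_PBR = {"LAN_1": "PBR_ACL_LAN_1", "LAN_2": "PBR_ACL_LAN_2", "LAN_3": "PBR_ACL_LAN_3_HOST"}
CONNECTED = {"192.168.0.0/24": "LAN_1", "10.10.0.0/24": "LAN_2", "10.100.1.0/24": "LAN_3"}
DEFAULT_ROUTES = [  # (interface, gateway, metric, track)
    ("ISP_1", "100.100.100.1", 1, 1),
    ("ISP_2", "150.150.150.1", 2, 2),
    ("ISP_3", "200.200.200.1", 3, 3),
]


def acl_permits(name, src, dst):
    """Top-down ACL evaluation with the implicit deny at the end."""
    for action, s, d in ACLS[name]:
        if src in _net(s) and dst in _net(d):
            return action == "permit"
    return False


def forward(ingress, src, dst, tracks_up):
    """Return ('pbr', gw), ('connected', iface), ('default', gw) or ('drop', None).

    tracks_up is the set of track IDs whose SLA probe currently succeeds.
    """
    src, dst = ip_address(src), ip_address(dst)
    rm = INGRESS_PBR.get(ingress)
    if rm:  # 1. PBR on the ingress interface: first next hop whose track is up wins
        acl, hops = ROUTE_MAPS[rm]
        if acl_permits(acl, src, dst):
            for gw, _seq, track in sorted(hops, key=lambda h: h[1]):
                if track in tracks_up:
                    return ("pbr", gw)
    for net, iface in CONNECTED.items():  # 2. normal routing: connected networks first
        if dst in ip_network(net):
            return ("connected", iface)
    for _iface, gw, _metric, track in sorted(DEFAULT_ROUTES, key=lambda r: r[2]):
        if track in tracks_up:  # 3. lowest-metric default route still in the table
            return ("default", gw)
    return ("drop", None)  # every ISP link is down


if __name__ == "__main__":
    for ingress, src, dst, up in [
        ("LAN_1", "192.168.0.10", "203.0.113.9", {1, 2, 3}),   # all links up: ISP_1
        ("LAN_1", "192.168.0.10", "203.0.113.9", {2, 3}),      # ISP_1 down: ISP_2
        ("LAN_1", "192.168.0.10", "10.10.0.5", {1, 2, 3}),     # LAN to LAN stays local
        ("LAN_3", "10.100.1.103", "203.0.113.9", {1, 2, 3}),   # the special host: ISP_3
        ("LAN_3", "10.100.1.50", "203.0.113.9", {1, 2, 3}),    # other LAN_3 hosts: default route
    ]:
        print(ingress, src, "->", dst, "tracks up", sorted(up), "=>", forward(ingress, src, dst, up))
```

Remove one of the deny lines from ACL_LAN_1 and rerun the LAN-to-LAN case: the route map then matches and sends 192.168.0.10 to 10.10.0.5 out through the ISP_1 gateway, which is exactly the problem the second post corrects.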
