Add additional gateway to ASA and route certain devices through it.

Hello All,

I have a client that has multiple sites set up with Internet using an ASA 5510 with a T1 connection. We want to add a cable connection to the site and specifically to the ASA. We also want specific devices to use the additional cable connection on the ASA through routing and their own static NAT mappings. How can I add a second Internet gateway on the ASA, route devices, and use static mappings? Most sites have Layer 3 switches, with one site being only Layer 2. Can I separate those devices to a separate VLAN on the switch and somehow route them through the ASA through the cable connection? How can I accomplish this on the ASA? Also, I want to use the cable Internet as a fallback in case the primary connection goes down. Any suggestions?
greenbeanx81 Asked:

billwharton Commented:
For separate traffic, you can definitely VLAN them on the switch and route them into the ASA as long as you have a spare interface on the ASA - this way, your traffic will remain segregated.

For multiple ISPs, you basically need a functionality called Internet redundancy from Cisco:
http://www.cisco.com/warp/public/110/pix-dual-isp.pdf
0
greenbeanx81 Author Commented:
Thank you. My main question is that there is an existing default gateway. How would I route devices over the cable? Add a second gateway somehow?
0
billwharton Commented:
You cannot really, using the same metric. I've known the redundant ISP configuration to be the only method one can use to accomplish what you're trying to do.
0

greenbeanx81 Author Commented:
How about using policy routing? Can I do that on the ASA or only a router? Can I make a policy on the ASA to route traffic from a certain subnet out a different interface?
0
greenbeanx81 Author Commented:
Looks like policy routing is only on routers? :-(

Each location has a T1 connection to the Internet using a router with a CSU/DSU WIC card. Behind that router is the firewall. Could I connect that cable modem to that router and do policy routing on that?
0
billwharton Commented:
Let me look at the latest rev of the ASA and get back to you, but as far as I know, PBR is only available on routers.
0
billwharton Commented:
I've confirmed this and it's not possible - the only way for you to accomplish this is using the link I sent you earlier and using the dual ISP feature of the ASA.

The ASA will never do everything a router can and vice versa - it wouldn't be good business sense for Cisco to overlap all functionalities of one product to another.

Hope this helps
0

greenbeanx81 Author Commented:
Ok, how about another way? If I connect the cable Internet to a different ASA and connect that to the switch, using policy routing on the switch I can tell it to send the specific subnet to the cable ASA. I would like to have Internet connections fall back to the ASA with the cable connection. If I implement OSPF on the ASA, can I inject an OSPF default route into the switch and create a floating static route on the switch? So if the ASA with the T1 goes down, it will default to the ASA with the cable connection.
0
billwharton Commented:
ASA with the T1? How are you terminating a T1 on the ASA, as it only accepts Ethernet connections?

Quite often, links stay up because the physical interface is up but L3 is down. If your switch supports IP SLA, you can probably accomplish it using that. But I don't think switches support that functionality as yet. You'll need a router behind the two ASAs to accomplish this.

I don't understand your hesitancy behind not using the dual ISP feature in the link posted earlier.
0
greenbeanx81 Author Commented:
I don't just want the second ISP as a backup. I want to route a certain subnet (VLAN) to the second ISP on the ASA. If I put a second gateway on that ASA, I can only use it as a backup, but I cannot route a certain subnet across it. The present Internet T1s are behind a router with an integrated CSU/DSU. So if I have a router behind the two ASAs and connect that to the switch, I should be able to use the router to fail back Internet connections to the second ASA. Am I understanding this?
0
billwharton Commented:
So both your ISPs are terminating into this single router, or at the moment, you just have a single ISP and a single router?

0
greenbeanx81 Author Commented:
No, currently at these locations Sprint is providing a T1 to the Internet. The T1 is terminated on a Cisco router with a CSU/DSU. The fa0/0 interface is connected to the outside interface on the ASA 5510. I want to add a second connection, possibly through the ASA, and use that connection to route a certain subnet (VLAN) and as a fallback for if the Internet through Sprint goes down. Currently this does not seem possible for the ASA. So I was thinking, thanks to your ideas, to connect the switch to the router, router Fast Ethernet interfaces to two separate ASAs, and use policy routing and SLA on the router to route a certain subnet and use SLA as a fallback.
0
billwharton Commented:
The second ISP will be providing a T1 or Ethernet hand-off?

Also, I'm curious about what's behind your requirement of having a single subnet route to a 2nd ISP... if you need to differentiate it to the outside world, you can always use a second IP address from the same IP address using two different NAT inside/global combinations.

0
greenbeanx81 Author Commented:
No, the second ISP will be a cable connection. The reason we want to do that with a single subnet is because all the subnets route across a T1 P2P connection to the main site. We have four sites connected to one main site in a hub / spoke topology. We currently have Layer 3 switches with VLANs connected to an ASA and P2P router. Internal addresses are going across the point-to-point and any unknown addresses are going to the Internet. We want to add a second gateway to all the locations and just route a certain VLAN / subnet, and use the second gateway for fallback also if the primary fails. The VLAN that we want to route has high-bandwidth devices (i.e. CCTV). Currently that is being routed across the P2P, but it is choking off other devices' and applications' bandwidth. We want just that device to use the cable Internet connection and no other devices.
0
billwharton Commented:
Your plan about using a single router to direct traffic using IP SLAs would work...
Go ahead with that... but as with everything, you must test it before deploying to production.
0
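A constructed IOS configuration for the plan agreed above: an inside router between the L3 switch and the two ASAs, policy-routing the CCTV VLAN out the cable ASA and using IP SLA tracking so that both directions of failover are driven by Internet reachability rather than link state. This is an added example, not configuration from the thread, from either poster or from Cisco; the interface names, the 10.10.x.x/192.0.2.x/198.51.100.x addressing and the 203.0.113.x probe targets are assumptions.

```cisco
! Assumed topology (constructed, RFC 5737 documentation ranges for the point-to-point links):
!   Fa0/0  10.10.0.1/24      LAN side, toward the L3 switch (SVI 10.10.0.2); CCTV VLAN is 10.10.50.0/24
!   Fa0/1  192.0.2.1/30      toward the inside interface of the T1 ASA   (next hop 192.0.2.2)
!   Fa1/0  198.51.100.1/30   toward the inside interface of the cable ASA (next hop 198.51.100.2)
! IOS 12.4(4)T and later use "ip sla"; earlier 12.4 images spell it "ip sla monitor".

! Return route for the CCTV subnet, which lives behind the L3 switch (assumed)
ip route 10.10.50.0 255.255.255.0 10.10.0.2

! Pin each probe target to one path, otherwise a probe would follow the default route
! and report the wrong ISP as healthy. Use targets that answer ICMP (placeholders here).
ip route 203.0.113.10 255.255.255.255 198.51.100.2
ip route 203.0.113.11 255.255.255.255 192.0.2.2

! Probe 1: Internet reachability through the cable ASA; probe 2: through the T1 ASA
ip sla 1
 icmp-echo 203.0.113.10 source-interface FastEthernet1/0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.11 source-interface FastEthernet0/1
 timeout 1000
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
track 2 ip sla 2 reachability
 delay down 15 up 30

! Default route: T1 ASA while track 2 is up, floating static to the cable ASA otherwise
ip route 0.0.0.0 0.0.0.0 192.0.2.2 track 2
ip route 0.0.0.0 0.0.0.0 198.51.100.2 250

! Policy routing: only the CCTV subnet is steered to the cable ASA, and only while
! track 1 is up; when it fails, the route-map falls through to normal (T1) routing.
! The deny keeps traffic to the assumed internal 10/8 range on its normal path.
ip access-list extended CCTV-TO-INTERNET
 deny   ip 10.10.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.50.0 0.0.0.255 any
route-map CCTV-VIA-CABLE permit 10
 match ip address CCTV-TO-INTERNET
 set ip next-hop verify-availability 198.51.100.2 10 track 1
interface FastEthernet0/0
 ip policy route-map CCTV-VIA-CABLE
```

Each ASA still performs its own NAT and inspection for the traffic it receives, so the static NAT mapping for the CCTV devices is configured on the cable ASA. Verify with "show track" and "show ip sla statistics" while pulling the cable modem, and again while pulling the T1, before putting it into production.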
greenbeanx81 Author Commented:
Ok, thank you. Any problems when NATing between the outside external address and the address behind the router on the ASA?
0
greenbeanx81 Author Commented:
Any recommendation for a router to perform SLA and policy-based routing? What IOS do I need?
0
billwharton Commented:
2801 should do the trick - 12.4
0
greenbeanx81 Author Commented:
Could an 1800 series do it? Any issues with NATing devices behind the router on the ASA?
0
billwharton Commented:
No, NAT shouldn't be a problem, and an 1800 should do too with the 12.4 code, but the price differential is minimal.

Please ask your final questions - I'm not sure if I can spend any additional time on this question.
0
greenbeanx81 Author Commented:
Excellent. Thank you.
0