Add additional gateway to ASA and route certain devices through it.

Posted on 2008-02-04
833 Views
Last Modified: 2013-11-16
Hello All,

I have a client that has multiple sites set up with Internet using an ASA 5510 with a T1 connection. We want to add a cable connection to the site and specifically to the ASA. We also want specific devices to use the additional cable connection on the ASA through routing and their own static NAT mappings. How can I add a second Internet gateway on the ASA, route devices, and use static mappings? Most sites have Layer 3 switches, with one site being only Layer 2. Can I separate those devices to a separate VLAN on the switch and somehow route them through the ASA through the cable connection? Can I accomplish this on the ASA? Also I want to use the cable Internet as a fallback in case the primary connection goes down. Any suggestions?
0
Question by:greenbeanx81
21 Comments
 
LVL 11

Expert Comment

by:billwharton
ID: 20818972
For separate traffic, you can definitely VLAN them on the switch and route them into the ASA as long as you have a spare interface on the ASA. This way, your traffic will remain segregated.

For multiple ISPs, you basically need a functionality called Internet redundancy from Cisco:
http://www.cisco.com/warp/public/110/pix-dual-isp.pdf
0
 

Author Comment

by:greenbeanx81
ID: 20819493
Thank you. My main question is that there is an existing default gateway. How would I route devices over the cable? Add a second gateway somehow?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 20819897
You cannot really, using the same metric. I've known the redundant ISP configuration to be the only method one can use to accomplish what you're trying.
0
 

Author Comment

by:greenbeanx81
ID: 20829560
How about using policy routing? Can I do that on the ASA or only a router? Can I make a policy on the ASA to route traffic from a certain subnet out a different interface?
0
 

Author Comment

by:greenbeanx81
ID: 20829647
Looks like policy routing is only on routers? :-(

Each location has a T1 connection to the Internet using a router with a CSU/DSU WIC card. Behind that router is the firewall. Could I connect that cable modem to that router and do policy routing on that?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 20831589
Let me look at the latest rev of the ASA and get back to you, but as far as I know, PBR is only available on routers.
0
 
LVL 11

Accepted Solution

by:
billwharton earned 2000 total points
ID: 20838168
I've confirmed this and it's not possible. The only way for you to accomplish this is using the link I sent you earlier and using the dual ISP feature of the ASA.

The ASA will never do everything a router can and vice versa. It wouldn't be good business sense for Cisco to overlap all functionalities of one product to another.

Hope this helps.
0
 

Author Comment

by:greenbeanx81
ID: 20841916
OK, how about another way? If I connect the cable Internet to a different ASA and connect that to the switch, using policy routing on the switch I can tell it to send the specific subnet to the cable ASA. I would like to have Internet connections fall back to the ASA with the cable connection. If I implement OSPF on the ASA, can I inject an OSPF default route into the switch and create a floating static route on the switch? So if the ASA with the T1 goes down it will default to the ASA with the cable connection.
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 2000 total points
ID: 20844681
ASA with the T1? How are you terminating a T1 on the ASA, as it only accepts Ethernet connections?

Quite often, links stay up because the physical interface is up but L3 is down. If your switch supports IP SLA, you can probably accomplish it using that. But I don't think switches support that functionality as yet. You'll need a router behind the two ASAs to accomplish this.

I don't understand your hesitancy behind not using the dual ISP feature in the link posted earlier.
0
 

Author Comment

by:greenbeanx81
ID: 20845975
I don't just want the second ISP as a backup. I want to route a certain subnet (VLAN) to the second ISP on the ASA. If I put a second gateway on that ASA I can only use it as a backup, but I cannot route a certain subnet across it. The present Internet T1s are behind a router with an integrated CSU/DSU. So if I have a router behind the two ASAs and connect that to the switch I should be able to use the router to fail back Internet connections to the second ASA. Am I understanding this?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 20846037
So both your ISPs are terminating into this single router, or at the moment you just have a single ISP and a single router?

0
 

Author Comment

by:greenbeanx81
ID: 20846342
No, currently at these locations Sprint is providing a T1 to the Internet. The T1 is terminated on a Cisco router with a CSU/DSU. The fa0/0 interface is connected to the outside interface on the ASA 5510. I want to add a second connection, possibly through the ASA, and use that connection to route a certain subnet (VLAN) and as a fallback for if the Internet through Sprint goes down. Currently this does not seem possible for the ASA. So I was thinking, thanks to your ideas, to connect the switch to the router, router Fast Ethernet interfaces to two separate ASAs, and use policy routing and SLA on the router to route the certain subnet and use SLA as a fallback.
0
 
LVL 11

Expert Comment

by:billwharton
ID: 20846396
The second ISP will be providing a T1 or Ethernet hand-off?

Also, I'm curious about what's behind your requirement of having a single subnet route to a 2nd ISP... if you need to differentiate it to the outside world, you can always use a second IP address from the same IP address using two different NAT inside/global combinations.

0
 

Author Comment

by:greenbeanx81
ID: 20846489
No, the second ISP will be a cable connection. The reason we want to do that with a single subnet is because all the subnets route across a T1 P2P connection to the main site. We have four sites connected to one main site in a hub/spoke topology. We currently have Layer 3 switches with VLANs connected to an ASA and P2P router. Internal addresses are going across the point-to-point and any unknown addresses are going to the Internet. We want to add a second gateway to all the locations and just route a certain VLAN/subnet, and use the second gateway for fallback also if the primary fails. The VLAN that we want to route has high-bandwidth devices (i.e. CCTV). Currently that is being routed across the P2P, but it is choking off other devices' and applications' bandwidth. We want just that device to use the cable Internet connection and no other devices.
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 2000 total points
ID: 20846526
Your plan about using a single router to direct traffic using IP SLAs would work...
Go ahead with that... but as with everything, you must test it before deploying to production.
0
 

Author Comment

by:greenbeanx81
ID: 20847533
OK, thank you. Any problems when NATing between the outside external address and the address behind the router on the ASA?
0
 

Author Comment

by:greenbeanx81
ID: 20847674
Any recommendation for a router to perform SLA and policy-based routing? What IOS do I need?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 20847678
A 2801 should do the trick, with 12.4.
0
 

Author Comment

by:greenbeanx81
ID: 20847707
Could an 1800 series do it? Any issues with NATing devices behind the router on the ASA?
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 2000 total points
ID: 20847714
No, NAT shouldn't be a problem, and an 1800 should do too with the 12.4 code, but the price differential is minimal.

Please ask your final questions; I'm not sure if I can spend any additional time on this question.
0
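The design the thread settles on (L3 switch, then a router running IP SLA and policy-based routing, then two ASAs, one per ISP) written out as an added IOS configuration example. This is not configuration from the thread, from Cisco, or from any of the participants; every address, interface name, VLAN number and probe target below is an assumption chosen for illustration, and the addresses 198.51.100.1 and 203.0.113.1 stand in for a stable host reachable only through each ISP.

```cisco
! Added example, not from the thread. Assumed topology:
!   Fa0/0 -> L3 switch (routed link 10.0.0.0/30; CCTV VLAN 192.168.20.0/24 sits behind the switch)
!   Fa0/1 -> inside interface of ASA-T1    (ASA inside address 10.0.1.2)
!   Fa0/2 -> inside interface of ASA-Cable (ASA inside address 10.0.2.2)
!
interface FastEthernet0/0
 description Link to L3 switch
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map CCTV-VIA-CABLE
!
interface FastEthernet0/1
 description Inside of ASA-T1 (primary ISP)
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/2
 description Inside of ASA-Cable (second ISP)
 ip address 10.0.2.1 255.255.255.0
!
! All internal subnets live behind the switch
ip route 192.168.0.0 255.255.0.0 10.0.0.2
!
! Host routes pin each probe to its own ISP; without them both probes
! would follow the default route and end up testing the same path.
ip route 198.51.100.1 255.255.255.255 10.0.1.2
ip route 203.0.113.1 255.255.255.255 10.0.2.2
!
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface FastEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Dampen flaps: 15 s of failed probes before "down", 10 s of success before "up"
track 1 ip sla 1 reachability
 delay down 15 up 10
track 2 ip sla 2 reachability
 delay down 15 up 10
!
! Default route for everyone else: T1 while track 1 is up,
! floating route (distance 10) via the cable ASA otherwise
ip route 0.0.0.0 0.0.0.0 10.0.1.2 track 1
ip route 0.0.0.0 0.0.0.0 10.0.2.2 10 track 2
!
! Only the CCTV VLAN is policy-routed, and only for Internet-bound traffic;
! the deny keeps site-to-site traffic on the normal routing table.
ip access-list extended CCTV-SUBNET
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 any
!
route-map CCTV-VIA-CABLE permit 10
 match ip address CCTV-SUBNET
 ! next hops are tried in sequence order; a hop whose track is down is skipped
 set ip next-hop verify-availability 10.0.2.2 10 track 2
 set ip next-hop verify-availability 10.0.1.2 20 track 1
```

Two points the thread raises that this depends on. First, the NAT question: each ASA translates the CCTV subnet to its own outside address, so replies always come back to the ASA that sent the request and the stateful inspection on the other ASA never sees half a flow; for that to work the cable ASA needs a route back to 192.168.20.0/24 via 10.0.2.1 and must permit the ICMP probe through. Second, the IOS version: the `ip sla` / `track ... ip sla ... reachability` syntax above is the 12.4T form; older 12.4 mainline images use `ip sla monitor` and `track ... rtr ... reachability` for the same feature. `show track`, `show ip sla statistics` and `show route-map` are the commands to confirm each piece is doing what you expect before, as the accepted answer says, putting it into production.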
 

Author Closing Comment

by:greenbeanx81
ID: 31429102
Excellent. Thank you.
0
