Solved

Internal VLANs out separate ISPs on ASA 5510

Posted on 2012-03-26
2
1,954 Views
Last Modified: 2012-03-29
Hi all,

I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.

We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users.  Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.)

Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface.  Wa also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:

E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/2: DMZ
E0/3: WAN2 (ISP #2)

I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be.  What I would like to have in terms of NAT and routing is:

LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2

No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.

So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one.  I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.

So, this leads to 2 questions:

1.  Can this be done on the ASA?  I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.

2.  If not, how can I make this work?  Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?

As usual, thanks for the advice and assistance.
0
Comment
Question by:gwermter
2 Comments
 
LVL 7

Accepted Solution

by:
raeldri earned 250 total points
ID: 37766896
Your looking for Policy based routing which the ASA isn't designed to do.

take a look at the bellow question for confirmation and also note the work around. please note I haven't attempted this.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23693536.html

also take a look at this Cisco support form post

https://supportforums.cisco.com/docs/DOC-6069
0
 

Author Closing Comment

by:gwermter
ID: 37783434
While this wasn't the answer I was hoping for, it is the answer that Cisco also gave.  I've copied that below for others' future reference:

"After reading the problem description included in the ticket, I understand
You would like to send traffic out to two different ISPs.

"The ASA does not support PBR (Policy Based Routing), so we can’t have two active ISPs.

"The second default route as you mentioned, will only serve as a backup.

"The only possible configuration is to add static routes for different destinations, but you will be redirecting traffic based on destination instead of source which is not a viable solution."
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question