Solved

Internal VLANs out separate ISPs on ASA 5510

Posted on 2012-03-26
Last Modified: 2012-03-29
Hi all,

I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.

We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users. Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.).

Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface. We also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:

E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/2: DMZ
E0/3: WAN2 (ISP #2)

I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be. What I would like to have in terms of NAT and routing is:

LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2

No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.

So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one. I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.

So, this leads to 2 questions:

1. Can this be done on the ASA? I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.

2. If not, how can I make this work? Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?

As usual, thanks for the advice and assistance.
Question by: gwermter
 
Accepted Solution by: raeldri
You're looking for policy-based routing, which the ASA isn't designed to do.

Take a look at the question below for confirmation, and also note the workaround. Please note I haven't attempted this.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23693536.html

Also take a look at this Cisco support forum post:

https://supportforums.cisco.com/docs/DOC-6069
Author Closing Comment by: gwermter
While this wasn't the answer I was hoping for, it is the answer that Cisco also gave. I've copied that below for others' future reference:

"After reading the problem description included in the ticket, I understand you would like to send traffic out to two different ISPs.

"The ASA does not support PBR (Policy Based Routing), so we can’t have two active ISPs.

"The second default route as you mentioned, will only serve as a backup.

"The only possible configuration is to add static routes for different destinations, but you will be redirecting traffic based on destination instead of source which is not a viable solution."