?
Solved

Internal VLANs out separate ISPs on ASA 5510

Posted on 2012-03-26
2
Medium Priority
?
2,019 Views
Last Modified: 2012-03-29
Hi all,

I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.

We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users.  Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.)

Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface.  Wa also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:

E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/2: DMZ
E0/3: WAN2 (ISP #2)

I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be.  What I would like to have in terms of NAT and routing is:

LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2

No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.

So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one.  I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.

So, this leads to 2 questions:

1.  Can this be done on the ASA?  I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.

2.  If not, how can I make this work?  Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?

As usual, thanks for the advice and assistance.
0
Comment
Question by:gwermter
2 Comments
 
LVL 7

Accepted Solution

by:
raeldri earned 750 total points
ID: 37766896
Your looking for Policy based routing which the ASA isn't designed to do.

take a look at the bellow question for confirmation and also note the work around. please note I haven't attempted this.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23693536.html

also take a look at this Cisco support form post

https://supportforums.cisco.com/docs/DOC-6069
0
 

Author Closing Comment

by:gwermter
ID: 37783434
While this wasn't the answer I was hoping for, it is the answer that Cisco also gave.  I've copied that below for others' future reference:

"After reading the problem description included in the ticket, I understand
You would like to send traffic out to two different ISPs.

"The ASA does not support PBR (Policy Based Routing), so we can’t have two active ISPs.

"The second default route as you mentioned, will only serve as a backup.

"The only possible configuration is to add static routes for different destinations, but you will be redirecting traffic based on destination instead of source which is not a viable solution."
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question