Solved

Internal VLANs out separate ISPs on ASA 5510

Posted on 2012-03-26
2
1,981 Views
Last Modified: 2012-03-29
Hi all,

I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.

We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users.  Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.)

Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface.  Wa also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:

E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/2: DMZ
E0/3: WAN2 (ISP #2)

I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be.  What I would like to have in terms of NAT and routing is:

LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2

No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.

So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one.  I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.

So, this leads to 2 questions:

1.  Can this be done on the ASA?  I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.

2.  If not, how can I make this work?  Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?

As usual, thanks for the advice and assistance.
0
Comment
Question by:gwermter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
raeldri earned 250 total points
ID: 37766896
Your looking for Policy based routing which the ASA isn't designed to do.

take a look at the bellow question for confirmation and also note the work around. please note I haven't attempted this.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23693536.html

also take a look at this Cisco support form post

https://supportforums.cisco.com/docs/DOC-6069
0
 

Author Closing Comment

by:gwermter
ID: 37783434
While this wasn't the answer I was hoping for, it is the answer that Cisco also gave.  I've copied that below for others' future reference:

"After reading the problem description included in the ticket, I understand
You would like to send traffic out to two different ISPs.

"The ASA does not support PBR (Policy Based Routing), so we can’t have two active ISPs.

"The second default route as you mentioned, will only serve as a backup.

"The only possible configuration is to add static routes for different destinations, but you will be redirecting traffic based on destination instead of source which is not a viable solution."
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question