• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2037
  • Last Modified:

Internal VLANs out separate ISPs on ASA 5510

Hi all,

I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.

We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users.  Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.)

Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface.  Wa also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:

E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/2: DMZ
E0/3: WAN2 (ISP #2)

I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be.  What I would like to have in terms of NAT and routing is:

LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2

No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.

So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one.  I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.

So, this leads to 2 questions:

1.  Can this be done on the ASA?  I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.

2.  If not, how can I make this work?  Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?

As usual, thanks for the advice and assistance.
0
gwermter
Asked:
gwermter
1 Solution
 
raeldriCommented:
Your looking for Policy based routing which the ASA isn't designed to do.

take a look at the bellow question for confirmation and also note the work around. please note I haven't attempted this.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23693536.html

also take a look at this Cisco support form post

https://supportforums.cisco.com/docs/DOC-6069
0
 
gwermterAuthor Commented:
While this wasn't the answer I was hoping for, it is the answer that Cisco also gave.  I've copied that below for others' future reference:

"After reading the problem description included in the ticket, I understand
You would like to send traffic out to two different ISPs.

"The ASA does not support PBR (Policy Based Routing), so we can’t have two active ISPs.

"The second default route as you mentioned, will only serve as a backup.

"The only possible configuration is to add static routes for different destinations, but you will be redirecting traffic based on destination instead of source which is not a viable solution."
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now