ASA 5520 able to have different default routes?

Hi, I have this scenario where I have four VRF interfaces delivered by my ISP router in access mode.
I initially intended to connect those interfaces to my Dell PowerConnect 6248 so that I can handle the networks delivered myself. But then I realized this Layer 3 switch does not support having multiple default routes, one for every VLAN connected to the VRF interfaces on the ISP router.

So I'm planning on using an ASA 5520 that I have lying around and putting it between the ISP router and the PC6248 so it can handle the routing of the different interfaces. As far as I can see I can set a default route on an interface and a second default route on another interface as long as they have different metrics, but I don't know if this will work well or at all.
Any insights?
Bes4dmin asked:

Don Johnston (Instructor) commented:
If I'm understanding the question correctly...

If you have multiple routes (default or otherwise) to the same destination with the same AD (admin distance), Cisco will use all of them using the ECMP hash algorithm.  Basically, you won't be able to predict which path would be used for a particular flow.

To direct traffic out the desired interface, you would need to use Policy Based Routing.
ffleisma (Senior Network Engineer) commented:
Hi Bes4dmin,

Here are some of the designs I see which fit your description.
ASA sub-interfaces and ISP router with VRF
The ASA will use sub-interfaces, while the switchport connecting to the ASA is configured as a trunk port.
Switchports connecting to the ISP router will be assigned to individual access VLANs.
4 default routes on the ASA with different next hops and AD (administrative distance, from 1 as most preferred to 4 as least preferred).
Routing here is not load balanced but rather is active-standby-standby-standby.
Also note, you are not really increasing the redundancy here since the physical devices are still singular and are single points of failure (SPOF).

If you could give further details on what you are trying to achieve, I'll be glad to provide my insights if they could help.
Are you doing this for redundancy?
What is the purpose of the ISP having multiple VRFs? Is it to provide multiple public IPs?
Is load balancing a requirement?

Bes4dmin (Author) commented:
Thanks for the design, it's very helpful. The purpose is not redundancy. It's just that every VRF is separated from the others and cannot see them, and each needs to find its way to the internet in its own VRF.

I could just connect all my end devices (PCs, servers, etc.) to the VRF interfaces and use their IPs as default gateways and the problem is solved. But I want to be able to subnet the network being handed to me by the VRFs, cut it up into smaller subnets and route those subnets myself using a Layer 3 switch (PC6248).

The addresses being delivered are /20 networks and I want to be able to handle those /20 networks myself.

Also, we are using link networks or bubble networks between Layer 3 devices; could this complicate things?

ffleisma (Senior Network Engineer) commented:
Thanks for the clarification of the requirement. I started off with the above design as I understood your initial description. It does however have a MAJOR flaw with regards to using varying administrative distance (AD) for each default route. This only accomplishes an active-standby-standby-standby setup, in which you are not really utilizing each of the subnets handed off by each VRF at the same time.

So I've looked into this further. I'm primarily a Cisco guy, but after some research on the PowerConnect, I've come upon how you might be able to pull this off. I was primarily looking into Policy Based Routing and how this can be done on a PowerConnect. I've attached the Dell document you can reference with regards to implementing PBR with Dell.

I'll explain the basic idea of PBR here and how we could integrate it with your requirements.
PBR with Dell
The screenshot is taken from the document, but I would like to explain the basic idea.
With PBR, we are basically controlling the routing by changing the next-hop IP address of the packet based on a condition (the condition can be based on source IP and/or destination IP).
So in this example the policy is as follows:
  --if the source comes from 10.1.6.x/24, change the next-hop IP to 172.16.7.7 and output the traffic to portX
  --if the source comes from 10.1.5.x/24, change the next-hop IP to 192.168.6.6 and output the traffic to portY
Example 1 (Traffic Isolation) of the document details how you can implement this on the PowerConnect.

I think this would better fit your requirement, rather than doing floating static routes, which have their limitations.

Now, where does the firewall come into the picture? Of course we would like security, as I assume traffic would be internet facing. What I can suggest here is to do a TRANSPARENT mode implementation of the ASA instead of routed mode. Transparent mode, in simple terms, bridges the ports at L2 with no IP addressing on the ASA interfaces. The following ASA concepts should be taken into consideration for your requirement:
ASA Transparent Mode
ASA Bridge Groups in Transparent Mode
ASA Transparent Mode Trunking

I apologize for the long post; hopefully this is a better fit for your requirement. Do let me know if you need further insight on the things I've mentioned above. I'd be glad to help you out!
Policy-Based-Routing-for-Dell-Networks.p
Craig Beck commented:
The ASA doesn't do PBR and will only allow ISP failover in a dynamic fashion.  You can use multiple static default routes but that won't help if you need to push certain subnets down certain VRFs.  You will need PBR for this, just like Don said already.

I think you should be careful here though.  Your ISP is using VRFs to separate traffic, but connecting it all to a L3 switch or router at your end and subnetting/VLANning each network could mix those VRFs together (allow routing between them).  If you don't want that you should ideally use a L3 switch that supports VRF too.

If you want to use the ASA to protect each network by simply firewalling each subnet that's a good approach, but use it in routing mode.  You'd still need something to do the PBR between the ASA and the ISP router though.
ffleisma (Senior Network Engineer) commented:
Hi Bes4dmin,

It took me a day, but I was able to run this through a simulation on GNS3 for proof of concept. Here is a setup using PBR and a transparent mode ASA firewall which achieves the requirement of utilizing the multiple subnets provided by the ISP.
GNS3 Proof-of-Concept PBR with Transparent Mode ASA
Here are the related configurations:

ASA Transparent Mode Configuration:
firewall transparent
!
hostname ASA
!
interface BVI10
 ip address 1.1.1.3 255.255.255.0
!
interface BVI20
 ip address 2.2.2.3 255.255.255.0
!
interface BVI30
 ip address 3.3.3.3 255.255.255.0
!
interface GigabitEthernet0
 no shut
!
interface GigabitEthernet0.100
 no shut
 vlan 100
 nameif inside1
 bridge-group 10
 security-level 100
!
interface GigabitEthernet0.200
 no shut
 vlan 200
 nameif inside2
 bridge-group 20
 security-level 100
!
interface GigabitEthernet0.300
 no shut
 vlan 300
 nameif inside3
 bridge-group 30
 security-level 100
!
interface GigabitEthernet1
 no shut
 nameif outside1
 bridge-group 10
 security-level 0
!
interface GigabitEthernet2
 no shut
 nameif outside2
 bridge-group 20
 security-level 0
!
interface GigabitEthernet3
 no shut
 nameif outside3
 bridge-group 30
 security-level 0
!
http server enable
http 0.0.0.0 0.0.0.0 inside1
!
object network obj_10.1.1.0-24
  subnet 10.1.1.0 255.255.255.0
!
object network obj_10.2.2.0-24
  subnet 10.2.2.0 255.255.255.0
!
object network obj_10.3.3.0-24
  subnet 10.3.3.0 255.255.255.0
!
object network obj_1.1.1.2
 host 1.1.1.2
!
object network obj_2.2.2.2
 host 2.2.2.2
!
object network obj_3.3.3.2
 host 3.3.3.2
!
nat (inside1,outside1) 1 source dynamic obj_10.1.1.0-24 obj_1.1.1.2
nat (inside2,outside2) 2 source dynamic obj_10.2.2.0-24 obj_2.2.2.2
nat (inside3,outside3) 3 source dynamic obj_10.3.3.0-24 obj_3.3.3.2
!
access-list inside2_access_in line 1 extended permit ip object obj_10.2.2.0-24 any 
access-list inside1_access_in line 1 extended permit ip object obj_10.1.1.0-24 any 
access-list inside3_access_in line 1 extended permit ip object obj_10.3.3.0-24 any 
access-list outside2_access_in line 1 extended permit ip any any 
access-list outside1_access_in line 1 extended permit ip any any 
access-list outside3_access_in line 1 extended permit ip any any 
!
access-group inside1_access_in in interface inside1
access-group inside2_access_in in interface inside2
access-group inside3_access_in in interface inside3
access-group outside1_access_in in interface outside1
access-group outside2_access_in in interface outside2
access-group outside3_access_in in interface outside3
!



PBR with Cisco L3 Etherswitch:
interface FastEthernet1/0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,100,200,300,1002-1005
 switchport mode trunk
 no shut
!
interface FastEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
 no shut
!
interface FastEthernet1/2
 switchport
 switchport mode access
 switchport access vlan 20
 no shut
!
interface FastEthernet1/3
 switchport
 switchport mode access
 switchport access vlan 30
 no shut
!
interface range FastEthernet1/4 - 15
 shut
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 permit ip 10.3.3.0 0.0.0.255 any
!
route-map MATCH_10.1.1.x permit 10
 match ip address 101
 set ip next-hop 1.1.1.1
!
route-map MATCH_10.2.2.x permit 10
 match ip address 102
 set ip next-hop 2.2.2.1
!
route-map MATCH_10.3.3.x permit 10
 match ip address 103
 set ip next-hop 3.3.3.1
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map MATCH_10.1.1.x
 no shut
!
interface Vlan20
 ip address 10.2.2.1 255.255.255.0
 ip policy route-map MATCH_10.2.2.x
 no shut
!
interface Vlan30
 ip address 10.3.3.1 255.255.255.0
 ip policy route-map MATCH_10.3.3.x
 no shut
!
interface Vlan100
 ip address 1.1.1.4 255.255.255.0
 no shut
!
interface Vlan200
 ip address 2.2.2.4 255.255.255.0
 no shut
!
interface Vlan300
 ip address 3.3.3.4 255.255.255.0
 no shut
!



So a few things worth discussing here.
Mainly, the choice to use transparent mode instead of routed mode is due to the requirement to utilize multiple ISP subnets with different internet paths. I don't think this can be accomplished via a routed mode ASA since the firewall will only take one default route at a time, hence the issue of having an active-standby-standby-standby setup and not being able to utilize the other subnets/internet paths. Adding a default route with a higher administrative distance will only utilize that other default route if the lowest-AD default route has failed. The ASA can only have one default route in its routing table.
The Cisco PBR implementation is similar to the Dell PowerConnect one, just a few syntax changes, but the concept is pretty much the same. You can pattern yours on the PBR config I've included while referencing the previous Dell document for the PBR implementation.
The design includes the NAT configuration here as well. Though the ASA is in transparent mode, as the traffic passes through, the source IP of the traffic is NATed.
I've run this design on GNS3 and it is working: PBR selects the path, the transparent ASA applies ACL and NAT policy. With the hardware limitation of using a single Dell L3 switch and a single ASA, I really don't believe this can be done via a routed mode ASA.

Let me know if you have questions; I'd be glad to help out.
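To make the routing behaviour discussed in this thread concrete (Don's point that equal-AD routes become ECMP, ffleisma's point that floating default routes with different ADs only give active-standby, and that PBR picks the next hop per source subnet), here is an added Python simulation of a router's route selection. It is not from the thread or any vendor code; the next hops, ADs, inside subnets and the 8.8.8.8 destination are constructed sample values modelled on the GNS3 proof of concept above.

```python
import ipaddress
import zlib
from collections import defaultdict

# Constructed sample (not from the thread): four floating default routes with the
# ADs ffleisma describes (1 = most preferred) and PBR rules like the PoC route-maps.
FLOATING_DEFAULTS = [("0.0.0.0/0", "1.1.1.1", 1), ("0.0.0.0/0", "2.2.2.1", 2),
                     ("0.0.0.0/0", "3.3.3.1", 3), ("0.0.0.0/0", "4.4.4.1", 4)]
PBR_RULES = [("10.1.1.0/24", "1.1.1.1"), ("10.2.2.0/24", "2.2.2.1"),
             ("10.3.3.0/24", "3.3.3.1")]

def install_routes(candidates, failed=()):
    """RIB -> FIB selection: per prefix, only the lowest-AD route(s) whose next hop
    is up get installed. Equal-AD survivors become ECMP; higher-AD ones stay floating."""
    by_prefix = defaultdict(list)
    for prefix, nh, ad in candidates:
        if nh not in failed:
            by_prefix[prefix].append((ad, nh))
    fib = {}
    for prefix, entries in by_prefix.items():
        best = min(ad for ad, _ in entries)
        fib[prefix] = sorted(nh for ad, nh in entries if ad == best)
    return fib

def forward(fib, src, dst, pbr_rules=(), failed=()):
    """Next-hop choice for one packet: a PBR rule matched on the source wins when
    its next hop is up (otherwise Cisco falls back to the routing table); then
    longest-prefix match, with equal-AD next hops chosen by a flow hash like ECMP."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_prefix, nh in pbr_rules:
        if src_ip in ipaddress.ip_network(src_prefix) and nh not in failed:
            return nh
    matches = [p for p in fib if dst_ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    longest = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    next_hops = fib[longest]
    # crc32 of the flow tuple stands in for the platform's ECMP hash: deterministic
    # per flow, but not something you can predict or steer per subnet.
    return next_hops[zlib.crc32(f"{src}>{dst}".encode()) % len(next_hops)]

def paths_per_vrf(fib, pbr_rules=(), failed=()):
    """Which ISP next hop each inside subnet's internet traffic actually takes."""
    return {src: forward(fib, src, "8.8.8.8", pbr_rules, failed)
            for src in ("10.1.1.10", "10.2.2.10", "10.3.3.10")}
```

With only floating defaults, every inside subnet leaves via 1.1.1.1 until that next hop fails; with the PBR rules applied, each subnet leaves via its own VRF's next hop, which is the difference the thread is about.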
Craig Beck commented:
If you do it the other way round...

ASA -> L3 switch -> ISP router

...you can use routed mode.

I would always put the PBR device between the ASA and the ISP.  I think I'd prefer routing to bridging.  Doing it the other way still means there's the chance that VRFs could route into each other across the switch.
ffleisma (Senior Network Engineer) commented:
Putting the L3 switch in front of the firewall exposes the device to outside threats, no matter how small that threat is. I'd rather have a firewall face the outside network first (physically or logically).

Also, using PBR means the L3 switch will have to be configured with a public IP, which again boils down to security (will it be reachable from the outside? how is it protected?). If this would not be an issue, then by all means you can have the L3 in front of the firewall, which then makes you ask: why put a firewall in the first place?

And like I said, my design was limited to using a single Dell L3 device and a single ASA. That being said, hosts would also be assumed to be connecting to the L3 device. Not a good idea to place the L3 device in front of the firewall.
Craig Beck commented:
"Putting the L3 switch in front of the firewall exposes the device to outside threats, no matter how small that threat is. I'd rather have a firewall face the outside network first (physically or logically).
Also, using PBR means the L3 switch will have to be configured with a public IP, which again boils down to security (will it be reachable from the outside? how is it protected?)."
The L3 switch would just be a router; it's not providing access to anything and is just used for transit.  Harden it adequately and it's fine.

"If this would not be an issue, then by all means you can have the L3 in front of the firewall, which then makes you ask: why put a firewall in the first place?"
...to protect each VRF from routing into each other... like I said earlier.
Bes4dmin (Author) commented:
Just one thing here: if the Dell PC6248 does PBR then I really don't need to use the ASA.
The problem is that I really don't think the PC6248 does PBR, so I'm screwed then, since the ASA doesn't do PBR either.

So to accomplish what I want I need at least one Layer 3 device that does PBR, or one physical Layer 3 device without PBR for every VRF subnet.
Bes4dmin (Author) commented:
The discussion and the different options helped me a lot to realize what I could and couldn't do.
In my case though I'm not able to do PBR since I do not have a device with that feature. And using the ASA is not really an option since the default routes would not be simultaneous.