
Cisco ASA5510 - Multiple ISPs

Status
Not open for further replies.

NoWittyName

Technical User
Dec 28, 2001
82
GB
I am trying to configure the above router to send all VPN traffic to one ISP (where it originates from) and all other traffic to a second ADSL line.

I have set up two gateways, one for the tunnel traffic and one for all other traffic, but this has no effect - can anyone assist?

config as below:

: Saved
:
ASA Version 7.2(2)
!
hostname yyy-ciscoASA5510
domain-name companyname.org.uk
enable password xxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif companynameDM
security-level 100
ip address 192.168.3.248 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif JANETDM
security-level 0
ip address 195.x.x.254 255.255.255.224
ospf cost 10
!
interface Ethernet0/2
nameif ADSL
security-level 50
ip address 192.168.10.2 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd xxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name companyname.org.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list companynameDM_access_out extended permit ip any any
access-list JANETDM_access_out extended permit ip any any
access-list companynameDM_access_in extended permit ip any any
access-list companynameDM_access_in extended permit tcp any any
access-list JANETDM_access_in extended permit ip any any inactive
access-list JANETDM_access_in extended permit ip host 213.x.x.2 any
access-list companynameDM_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companynameDM_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companynameDM_nat0_outbound extended permit ip any 192.168.3.176 255.255.255.248
access-list companynameDM_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list JANETDM_20_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list JANETDM_cryptomap_1 extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list companyname-InternalAddresses remark Demonfort LAN
access-list companyname-InternalAddresses standard permit 192.168.3.0 255.255.255.0
access-list companyname-InternalAddresses remark RenHouse LAN
access-list companyname-InternalAddresses standard permit 192.168.6.0 255.255.255.0
access-list companyname-InternalAddresses remark Demonfort LAN
access-list companyname-InternalAddresses remark RenHouse LAN
pager lines 24
logging enable
logging asdm informational
logging permit-hostdown
mtu companynameDM 1500
mtu JANETDM 1500
mtu ADSL 1500
mtu management 1500
ip local pool VPN-Subnet 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
monitor-interface companynameDM
monitor-interface JANETDM
monitor-interface ADSL
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (companynameDM) 1 interface
global (JANETDM) 1 interface
global (ADSL) 1 interface
nat (companynameDM) 0 access-list companynameDM_nat0_outbound
nat (companynameDM) 1 192.168.3.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group companynameDM_access_in in interface companynameDM
access-group companynameDM_access_out out interface companynameDM
access-group JANETDM_access_in in interface JANETDM
access-group JANETDM_access_out out interface JANETDM
route companynameDM 192.168.6.0 255.255.255.0 192.168.3.239 1
route companynameDM 192.168.5.0 255.255.255.0 192.168.3.239 1
route companynameDM 192.168.8.0 255.255.255.0 192.168.3.246 1
route companynameDM 192.168.9.0 255.255.255.0 192.168.3.251 1
route JANETDM 192.168.0.0 255.255.255.0 194.xxx.xxx.82 1
route JANETDM 213.x.x.2 255.255.255.254 194.xxx.xxx.82 1
route JANETDM 0.0.0.0 0.0.0.0 194.xxx.xxx.82 tunneled
route ADSL 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUserVPN internal
group-policy RemoteUserVPN attributes
banner value WELCOME
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value companyname-InternalAddresses
default-domain value companyname.org.uk
client-firewall none
username user1 password xxxxxxxxxxxxxxxx encrypted privilege 0
http server enable
http 192.168.3.0 255.255.255.0 companynameDM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map JANETDM_dyn_map 20 set pfs
crypto dynamic-map JANETDM_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map JANETDM_map 1 match address JANETDM_cryptomap_1
crypto map JANETDM_map 1 set peer 213.x.x.2
crypto map JANETDM_map 1 set transform-set ESP-AES-256-SHA
crypto map JANETDM_map 21 match address JANETDM_20_cryptomap
crypto map JANETDM_map 21 set peer 213.x.x.2
crypto map JANETDM_map 21 set transform-set ESP-AES-256-SHA
crypto map JANETDM_map 65535 ipsec-isakmp dynamic JANETDM_dyn_map
crypto map JANETDM_map interface JANETDM
crypto isakmp enable JANETDM
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 213.x.x.2 type ipsec-l2l
tunnel-group 213.x.x.2 ipsec-attributes
pre-shared-key *
tunnel-group RemoteUserVPN type ipsec-ra
tunnel-group RemoteUserVPN general-attributes
address-pool VPN-Subnet
default-group-policy RemoteUserVPN
tunnel-group RemoteUserVPN ipsec-attributes
pre-shared-key *
tunnel-group RemoteUserVPN ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-522.bin
no asdm history enable


Master of Disaster.....Recovery
 
That simply isn't supported... here is a snippet from the Cisco configuration guide for 7.2:

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the message "ERROR: Cannot add route entry, possible conflict with existing routes."

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
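To make the quoted rules concrete, here is an added Python model of the lookup they describe (constructed illustration, not Cisco code or anything from the thread). It loads the static routes from the posted config, with 198.51.100.82 and 203.0.113.2 standing in for the masked 194.xxx.xxx.82 and 213.x.x.2, and shows which traffic the tunneled default actually catches: only traffic the ASA has just decrypted and has no specific route for, while plaintext LAN traffic still follows the standard default on ADSL and the encrypted packets to the site-to-site peer follow the /31 static. Connected routes and ECMP spreading are left out.

```python
import ipaddress

class AsaRoutingTable:
    """Static-route lookup modelled on the 7.2 rules quoted above
    (constructed illustration, not Cisco code; connected routes omitted)."""
    MAX_DEFAULTS = 3

    def __init__(self):
        self.routes = []      # (network, interface, gateway) for static routes
        self.tunneled = None  # (interface, gateway) of the single tunneled default

    def add(self, interface, network, gateway, tunneled=False):
        net = ipaddress.ip_network(network, strict=False)
        if tunneled:
            # Only one default route may carry the tunneled option.
            if net.prefixlen != 0 or self.tunneled is not None:
                raise ValueError("ERROR: only one tunneled default route is allowed")
            self.tunneled = (interface, gateway)
            return
        if net.prefixlen == 0:
            defaults = [r for r in self.routes if r[0].prefixlen == 0]
            # At most three equal-cost defaults, all on the same interface.
            if len(defaults) >= self.MAX_DEFAULTS or any(r[1] != interface for r in defaults):
                raise ValueError("ERROR: Cannot add route entry, possible conflict with existing routes.")
        self.routes.append((net, interface, gateway))

    def lookup(self, dst, arrived_encrypted=False):
        # arrived_encrypted=True marks traffic the ASA has just decrypted from a VPN tunnel.
        ip = ipaddress.ip_address(dst)
        specific = [r for r in self.routes if r[0].prefixlen > 0 and ip in r[0]]
        if specific:  # a specific static route always beats any default
            _, iface, gw = max(specific, key=lambda r: r[0].prefixlen)
            return iface, gw
        if arrived_encrypted and self.tunneled is not None:
            return self.tunneled
        defaults = [r for r in self.routes if r[0].prefixlen == 0]
        # A real ASA spreads traffic across equal-cost defaults; the first is enough here.
        return (defaults[0][1], defaults[0][2]) if defaults else None

def build_thread_table():
    """Routes from the posted config; 198.51.100.82 and 203.0.113.2 are
    placeholders for the masked 194.xxx.xxx.82 and 213.x.x.2."""
    t = AsaRoutingTable()
    t.add("companynameDM", "192.168.6.0/24", "192.168.3.239")
    t.add("JANETDM", "192.168.0.0/24", "198.51.100.82")
    t.add("JANETDM", "203.0.113.2/31", "198.51.100.82")
    t.add("JANETDM", "0.0.0.0/0", "198.51.100.82", tunneled=True)
    t.add("ADSL", "0.0.0.0/0", "192.168.10.1")
    return t
```

Adding a second standard default on JANETDM to this table raises the same "possible conflict with existing routes" error the guide quotes, which is the constraint the original question runs into.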


 
Thanks brianims, perhaps I'll have to have a rethink on this one. I had read the link that you sent previously, but my interpretation of the following paragraph was different:

"You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported."

To me this sounds like if it's VPN traffic then it goes through the tunneled default route, whilst all other traffic goes to the default route - but I admit this is not my speciality!

Is it possible to use Policy Based Routing to achieve this - or am I 'flogging a dead horse'?

Thanks in advance

Master of Disaster.....Recovery
 