Cisco WAN :: ASA 5520 - Source IP Based Load Sharing

Jul 25, 2011

A customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA). I found this excellent doc on the topic: {URL}. Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Setup:

           -----------CE-1---------ISP-1
           |           |
           |           |
ASA5520-----      HSRP |
           |           |
           |           |
           -----------CE-2---------ISP-2
 
Both routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to an HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining NAT rules on the ASA, e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.

My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from. Is there any other way to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP.


Cisco Switching/Routing :: Asa 5520 Load Balancing Based Upon Http Or Https

Mar 5, 2012

I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.


Cisco Routers :: Srp521 Port Forward Based On Source Ip

Dec 20, 2012

I have a customer with a SonicWall that I want to replace with a 521. He currently has port forwarding set up so that only 3 IP addresses can access the port forward. Everyone else is dropped. Is there a way to do something similar? I can make it work for a single one via the DMZ tab with a source IP address, but there is not a way I can find to add the allow for the other two remote connections.


Cisco Application :: ACE 4710 Farm Selection Based On Source IP?

Jul 5, 2011

I have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.

LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255
Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type

To me this is the only place where it makes sense to set the source match criteria.


Cisco WAN :: Routing Based On Source Interface FE01 Series

Jun 6, 2011

I am looking for a config, as per the attached diagram, if the traffic comes from FE01  it should go via FE03 for the internet and when the traffic comes from FE02 it should go via FE04 for the internet.


Cisco Application :: Does CSS 11500 Support Stickiness Based On Source IP

Oct 29, 2012

I don't know why the customer needs this feature; he wants stickiness based on source IP and source port. Does CSS 11500 support stickiness based on source IP and source port? Or is there any other method to support stickiness based on source IP and source port?


Cisco WAN :: 4507 - Preferred Default Route Over Another Based On Source IP

Jan 21, 2013

2 ISPs connected to a 4507, both with separate public IP blocks. Based on some source IP addresses on the LAN they would either use ISP-A or ISP-B's connection based on what I define.


Cisco Security :: To Restrict Remote Access VPN To ASA 5500 Based On Source

Oct 20, 2012

Is it possible to restrict the Remote Access VPN to ASA based on the source public IP, and if so, how? Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (public IP).


Cisco Firewall :: 5510 NAT Port Forward Based On Public Source IP?

Dec 27, 2011

I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.


D-Link DIR-825 :: Cannot Connect To Any Servers In Valves Source-based Games

Apr 2, 2011

Hardware version: A1
Firmware version: 1.01

Basically, I cannot connect to any game servers when I am connected through this router. I used my Android to tether into 3G internet and was able to connect without any issues so it's not OS-side at all. I've tried many settings arbitrarily one at a time, checking each time to no avail. Is there a particular setting that is screwing with this game? I've got the ports (27000-27100 TCP/UDP) forwarded and I've used a Port Checker tool to verify that they are open. Obviously it's something in the router that is blocking the connection... but what else is there to try?

Should I finally flash the 1.13NA firmware?


Best Open Source Website Load Testing Tool

Feb 13, 2013

what is the best open source website load testing tool?


Cisco Application :: ACE 4710 - Load Balance Https Based On Url

Nov 15, 2011

I am trying to configure ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456, else the traffic will be sent to server farm 123.
 
I attached an image of the topology.
 
Ace Config: 
 
rserver host SRV01_123
ip address 192.168.1.101
inservice

[Code].....


Cisco WAN :: To Do IP-Based Load Balancing On Layer 2 Etherchannel 3560X

Sep 8, 2012

I need to build a layer 2 etherchannel on a Cisco 3560X. Now the question:
 
May I instruct the switch to inspect the outgoing ethernet packets for IP information and therefore execute Layer 3 load balancing on this portchannel regardless of the fact that this will be a plain Layer 2 etherchannel? (for example: port-channel load-balance src-dst-ip)
 
The documentation does not say that this is not allowed, so in principle it seems to be that it would be feasible.


Cisco Firewall :: 5520 - Inside Server To See Actual Outside Host Source IP In Udp Packet

Mar 3, 2013

I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.

I have the appropriate ACLs set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.

I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.

I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
 
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside(code)


Sharing :: Web-based Audio Recording?

Mar 27, 2011

I work from a computer that cannot install any software (locked out), but I want to record good quality audio (at least 192kps) from websites. I've spent a long time googling for a website that would record the audio (audio from a different website, i.e. streaming radio, etc.) which I could then download to my USB stick. I just can't find a website that does this, but I think I'm just not using the right search words.


Cisco Routers :: RV042 Dual-WAN Threshold Based Load Balance?

Sep 19, 2012

I have an RV042 (it's old, silver/dark grey plastic front one) w/ firmware 1.3.13.02-tm.
 
The reason we bought this (long ago) was to balance two WAN connections, one with unlimited data and one capped monthly.  It did that once, but for a couple years both connections have been unmetered so it's just been balancing them 50/50.  As of today one WAN connection (the new much faster one) is back to being metered but I can't figure out how to configure the RV042 as it once was to prefer sending traffic over the slow, unmetered connection first, and only use the faster metered connection when necessary.
 
It's been a long time and honestly I only vaguely remember the ability to prioritize a connection based on % of bandwidth used so that all traffic would go over the unlimited connection 1st until it was flooded, and only then fall over to the metered connection.  This is totally different than the weighted round robin, or smart link backup.
 
I found this 3rd-party forum post that supports that vague memory and suggests this was eliminated between firmware 1.23 and 1.3: [URL] Is it possible to replicate this functionality with the current firmware? If so, how? If not, how do I roll back to firmware 1.23?

It sounded like perhaps I could assign WAN1 a bandwidth of 100000 (even though it's really 1500) and then assign WAN2 a bandwidth of 1 (even though it's really 20000) and the result might be the prioritization I'm looking to achieve... but I feel like I'm stumbling in the dark at this point.


Cisco VPN :: ASA 5520 / Domain Based IPSEC VPN

May 28, 2012

Currently we have 2 ISPs for Internet. We need to achieve redundancy for IPSEC VPN using the domain.

Requirement: We will configure a domain and assign two public IP addresses from 2 service providers. We will set the priority for the public IP addresses and do the manual change during an ISP failure. We will provide the domain name to the clients to set up the IPSEC VPN. So in case of failure by one ISP, we will change the priority in the domain to point to the available address, so that we can reduce the downtime with no need to configure new IPSEC VPN tunnels.

Question: Can we achieve this on the Cisco ASA 5520? Or do we have an alternate solution to overcome this?


Cisco Firewall :: ASA 5520 Cable Based Failover

Oct 2, 2011

What kind of cable is used for failover in asa 5520 ? 


Cisco VPN :: ASA 5520 / Remote Access VPN - Allow Based On Ports

Jan 25, 2013

I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. I have created an Extended ACL and allowed a single host with a particular port.

After login with the AnyConnect client, I am restricted to accessing the single host configured, but not based on ports, i.e. I do not want the user to RDP to the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.

How can I allow a user to access a server with a defined port only and not any other service/port access for the server?


Cisco WAN :: ASA 5520 - Routing Based On What Interface Traffic Comes

Mar 26, 2012

We have an ASA that has 3 IPSEC VPN tunnels and standard internet traffic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3, which is connected to a Catalyst 3560 switch, or back out Int E0/0 through one of the VPN tunnels. I attached a PDF with a diagram if that works.
 
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.


Cisco WAN :: 6500 Per-Packet Load Sharing?

Aug 6, 2012

Does Cisco 6500 with Sup 720 3BXL support per-packet load sharing among interfaces? CLI shows only per-destination is supported.


Cisco WAN :: Per Packet Load Sharing On 7600

Apr 14, 2011

How to activate "per-packet load sharing" on a 7606S with RSP720-3CXL engine and 7600-ES+20G3CXL module. The IOS version is : 7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRD4, RELEASE SOFTWARE (fc2)
 
I tried the two (2) following commands but they are not supported :-

- hw-module slot1 ip load-sharing per-packet
- ip load-sharing per-packet (on interface)


Cisco WAN :: 3640 / Load Sharing Between DSL And T1 Link On Router?

Oct 17, 2011

I have 2 x T1 terminating on a border router, a Cisco 3640 router (configured using multilink interface). Our IP block is routed on these bundled T1 circuits by AT&T. I want more internet bandwidth.

1. Can I connect my DSL (on ethernet interface and using static DSL IP) on the same router and configure two static routes to internet - one to the multilink interface and the other to the ethernet interface (connected to DSL)?

2. I have many servers using static NAT to external IPs which are routed on T1 circuits. Will it get into issues when communicating to outside (for example my Exchange server, websites etc.)?


Cisco WAN :: 887VA - Load Sharing Between 4 Lines Without Getting ISP Involved?

Jan 1, 2013

I have 4 ADSL lines from the same ISP going into one Cisco 887VA router. How can I do load sharing between the 4 lines without getting the ISP involved?


Cisco Application :: Ace 4710 - Same Context Routed And Load-sharing?

May 16, 2012

Can an ACE 4710 have, in the same context, servers which are

a. just being routed to

b. a set of load-shared servers
 
I have been told you may not be able to do this on this version?


Cisco WAN :: 2851 - Router Load-sharing Feature Does Not Work

Aug 16, 2011

Cisco Router 2851 connected with one ISP using 2 serials. The case is:

1) s0/0/1.1 is the only one utilized and s0/0/0.1 utilization is zero.
2) When shutting down s0/0/1.1, the other, not utilized, link works perfectly and forwards all the traffic.
 
Attached the configuration file with output of show interfaces command.


Cisco Switching/Routing :: 3560 - OSPF Load Sharing Design

Sep 16, 2012

We have our network set up as displayed in the attached. We have 2 HQ offices and 1 branch office. The branch office needs to connect to resources located at both HQs but taking the most efficient path. We have ethernet circuits connecting from each HQ to 2 x Cisco 3560 switches in the branch. HSRP has been configured on the 3560 switches with SW1 as active and SW2 as standby. OSPF has been configured in a single area 0 and the path cost on the link between HQs has been increased to allow 3560 SW1 to route to HQ1 directly and HQ2 via 3560 SW2. The 3560s are connected with a trunk with a L3 SVI for OSPF. This seems to work OK but I have noticed that the branch could become transit if the HQ1 to HQ2 link breaks. How can this be avoided? I realise that if we configure the branch subnets and SW1 to SW2 link in a stub area (area1) then all traffic will route from SW1 to HQ1 and will never share over SW2. I'm assuming that this is because OSPF chooses inter-area routes over intra-area.


Cisco WAN :: 2921 - Two Default Static Routes With Correct Load Sharing

Mar 26, 2012

I have an internet router 2921. My ISP is providing a 100 mbps internet link with a static public IP network. I am using a default static route to the ISP WAN IP. I am planning to upgrade 100 mbps to 114 mbps. Unfortunately my ISP doesn't have a gig port on their side, so they are ready to provide two 57 mbps lines. The ISP agreed they will route my public IP networks on both the links.

As a result I have two 54 mbps links with the same network with two WAN networks. My question is whether two default static routes to both WAN IPs will carry out the load sharing correctly?
 
Eg :

172.24.66.0 255.255.255.252    -first  link  my fa0/1 172.24.66.1
172.24.66.4 255.255.255.252 -second link  my fa0/2 172.24.66.5
 ip route 0.0.0.0 0.0.0.0 172.24.66.2
ip route 0.0.0.0 0.0.0.0 172.24.66.6


Cisco VPN :: Load Balancing ASA 5520

Sep 13, 2011

We have an ASA5520 pair that we will be installing to load balance SSLVPN connections. Below is a portion of our configs pertaining to the VPN load-balancing feature (configured on both ASAs):

My specific question is related to routing of return traffic to load-balanced VPN sessions. Is there some kind of persistence function that tells the return traffic which ASA to route back to? For instance, if ASA1 has a VPN connection having IP address 10.211.112.1 associated to it, and ASA2 has a VPN connection having IP address 10.211.112.100, how does the return traffic for each connection know which ASA to route back to?


Cisco :: 5508 - DHCP Load Sharing With Redundant Guest Anchor Controllers

Jan 28, 2012

I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centers with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
 
This is how I tried to distribute : 
network. 10.1.0.0/23
gateway: 10.1.1.254 
Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
 
As the user load balancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometimes gets 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP), hence depleting the pool addresses.
 
I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP load balancing and having full redundancy at the same time?


Routers / Switches :: Quad Port Nic Server - Sharing Data Load

Jun 29, 2012

We have a quad port NIC on our Dell server. I want to take all 4 ports and plug them into our switch and have it all go to the same IP of the server and just have to share the data load in/out. Do I need to configure anything to do this?


Cisco VPN :: ASA 5520 - Load Balancing And Failover

Jul 25, 2011

We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?


Cisco Firewall :: ASA 5520 Refuses To Load 8.x Code?

Oct 17, 2011

I have an ASA here that refuses to load 8.x code. I do not have an issue loading 7.x code at all. When I power on the ASA it does not pass the fsck.

Loading /asa842-k8.bin... Booting...
Platform ASA5520
Loading...
IO memory blocks requested from bigphys 32bit: 20848
dosfsck 2.11, 12 Mar 2005, FAT32, LFN

I have tried 8.0, 8.2, 8.3, 8.4 codes. I have also swapped RAM and flash.








Copyrights 2005-15 www.BigResource.com, All rights reserved