Tuesday, March 20, 2018

Need to Route Guest Traffic Out Secondary ISP

Hello /r/networking. I have a question in regard to an ASA 5500 series that I'd like to get resolved.

Currently, we have dual ISPs connected to our head-end with IP SLA for redundancy. We also have a guest wireless subnet for visitors in our office to connect to in the event that they need internet access. There is an ACL in the way blocking traffic to get to resources it shouldn't be, but I'd like to expand this to a properly segmented guest network. This should include:

- Guest traffic leaving on the secondary ISP

- Proxying DNS and other services to something public, such as Google

- All traffic attempting to resolve to an internal host should go out the secondary circuit, resolve publicly, then come in on the primary with inspection to reach its destination

Where I'm having trouble is figuring out how to configure NAT/routing on the ASA to make this happen. We use PAT for internal hosts to get translated to a public IP on the primary circuit. How do I configure just the guest network VLAN to get NAT'd and routed out the secondary circuit at all times? It should be mentioned that the guest network VLAN's gateway resides on a downstream L3 switch. Would I also need to have the ASA seize the gateway to make that work? Are there any netsec benefits in doing so as well?

Thanks in advance.
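The pieces the question asks about, as an added configuration example that is not the poster's own config: a separate PAT rule for the guest subnet on the secondary interface, policy-based routing that pins guest sources to the secondary next hop regardless of which default route IP SLA has active, and an inbound ACL that limits guest DNS to public resolvers and blocks guest access to private address space. Everything here is assumed: interface names (`outside`, `isp2`, `inside`), the guest subnet 10.50.0.0/24 reachable through the downstream L3 switch at 10.0.0.2, documentation-range ISP addresses, and an existing `track 1` object from the current IP SLA setup. Interface PBR (`policy-route route-map`) requires ASA software 9.4(1) or later, so this assumes a 5500-X running that release.

```cisco
! Added example, not the poster's configuration. All addresses are constructed
! placeholders; "track 1" is assumed to be the existing IP SLA tracking object.

! --- Interfaces (assumed names and addresses) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! --- Routing: guest VLAN lives behind the L3 switch; defaults as today ---
route inside 10.50.0.0 255.255.255.0 10.0.0.2 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 254

! --- Objects ---
object network GUEST-NET
 subnet 10.50.0.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network PUBLIC-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4

! --- NAT: guest sources PAT to the isp2 interface address. Manual NAT at
!     line 1 is evaluated before the existing general PAT toward "outside".
nat (inside,isp2) 1 source dynamic GUEST-NET interface

! --- PBR: guest traffic always takes the isp2 next hop, even while the
!     primary default route is up. Applied on the ingress (inside) interface.
access-list GUEST-PBR extended permit ip object GUEST-NET any
route-map GUEST-TO-ISP2 permit 10
 match ip address GUEST-PBR
 set ip next-hop 203.0.113.1
interface GigabitEthernet0/2
 policy-route route-map GUEST-TO-ISP2

! --- Inbound ACL on inside: guests may query only the public resolvers and
!     may not reach private address space through the ASA.
access-list INSIDE-IN extended permit udp object GUEST-NET object-group PUBLIC-DNS eq domain
access-list INSIDE-IN extended permit tcp object GUEST-NET object-group PUBLIC-DNS eq domain
access-list INSIDE-IN extended deny udp object GUEST-NET any eq domain
access-list INSIDE-IN extended deny tcp object GUEST-NET any eq domain
access-list INSIDE-IN extended deny ip object GUEST-NET object-group RFC1918
access-list INSIDE-IN extended permit ip object GUEST-NET any
! existing corporate rules continue here
access-list INSIDE-IN extended permit ip 10.0.0.0 255.0.0.0 any
access-group INSIDE-IN in interface inside
```

Two points on the design. First, the ASA only sees guest traffic that transits it: with the guest SVI on the L3 switch, guest-to-corporate traffic between VLANs is routed by the switch and never reaches the `INSIDE-IN` ACL, so the RFC1918 deny needs an equivalent ACL on the switch SVI unless the guest gateway is moved to the ASA (which is the main segmentation benefit of doing so). Second, pinning guest DNS to public resolvers keeps guests from querying the internal DNS servers at all, so internal hostnames are not exposed and a guest resolving a corporate name gets only the public record, which then enters on `outside` through the normal static NAT and inspection path. Verify with `show nat`, `show route-map`, and `packet-tracer input inside udp 10.50.0.10 1025 8.8.8.8 53`, which should show the `isp2` egress and the guest PAT rule.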


