ASA 5515 second outside interface

mrochac — Tue, 12 Mar 2019 09:26:27 GMT

Good day all, can someone advise what is the best way to go about setting up a second outside interface on ASA - reason behind is that we're trying to have a security alarm system have a dedicated internet feed, having 2 disabled interface on our ASA i figure i could bring one up and setup some sort of static NAT from Security system to internet.

Security alarm system is on its own subnet 192.168.7.x /24 and vlan of course - i want traffic from a specific IP to go out this new outside interface. Any help would be greatly appreciated, ACL and NAT info.

Hi,

willwetherman — Tue, 30 May 2017 20:34:47 GMT

Hi,

This can be achieved by using Policy Based Routing that is available in ASA version 9.4 and later.

Example configuration

interface GigabitEthernet0/2

description ***New Outside Interface***

nameif outside2

security-level 0

ip address x.x.x.x

object network security-system

subnet 192.168.7.0 255.255.255.0

nat (inside,outside2) source dynamic security-system interface

access-list acl-security-system permit 192.168.7.0 255.255.255.0

route-map policy-route permit 10

match ip address security-system

set ip next-hop x.x.x.x <----- IP address of new outside2 interface gateway

interface GigabitEthernet0/1

description ***Inside Interface***

nameif inside

security-level 100

ip address x.x.x.x

policy-route route-map policy-route

You can find further details of PBR in the following document as well as some additional example configs.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

I hope that this helps

topic ASA 5515 second outside interface in Network Security

ASA 5515 second outside interface

Hi,