topic Hi Jouni, Thank you for in Network Security

ASA 5520 Source based Routing

Ajay Koorata — Tue, 12 Mar 2019 05:24:17 GMT

Hi Friends,

I am using an ASA 5520 (Software Version 7.0(8)) and having a challenge with routing.

I have 3 interfaces - Trust, Untrust and Untrust-1 with Security levels set to 100, 0 and 25 respectively. Trust is our LAN network, Untrust is connected to Internet and Untrust-1 is connected to our corporate office via Leased Line. The default route is pointed towards Untrust-1 and all LAN traffic (Trust) traverse via this link.

Now, certain users accessing specific application started complaining about slowness while they connect to a remote server and that traffic traverse via corporate office. So to isolate the connectivity b/w branch and corporate office, I was exploring options to directly route all the traffic from those machines via Untrust interface which is directly connected to Internet.

Hence need expert view regarding the same something similar to Source Based Routing.

Thanks in Advance

Ajay

Hi, Have you considered

Jouni Forss — Tue, 27 Jan 2015 11:55:07 GMT

Hi,

Have you considered changing the default route to point to the Untrust interface and having specific routes for the Untrust-1 interface?

Your software level is quite old. In the newer softwares you are able to (or atleast were previously able to) configure NAT so that it would act as Policy Based Routing as the NAT could override the routing table when choosing the egress interface for traffic. You could have a NAT configuration that would apply to your situation too (forward all traffic from certain hosts through a specific interface)

Have seen some similiar configurations in the older software levels (8.2 and below) but they are very limited in their possibilities. I am not even sure you can do anything with your current software level. ASA does not have any official Policy Based Routing capability.

- Jouni

Hi Jouni, Thanks for sharing

Ajay Koorata — Tue, 27 Jan 2015 12:51:44 GMT

Hi Jouni,

Thanks for sharing your thoughts ... IOS upgrade is in pipeline and will be doing that by next week. Meanwhile b/w on Untrust is limited compared to Untrust-1. Moreover this is a specific user-case wherein only 4 to 6 users are having the issue.

Also, appreciate if you could share more details on NAT solution mentioned above.

Thanks,

Ajay

Hi, Here is a link to an

Jouni Forss — Tue, 27 Jan 2015 13:08:22 GMT

Hi,

Here is a link to an older discussion related to similiar situation than yours. Or a discussion where I list a couple of example configurations.

https://supportforums.cisco.com/discussion/11892151/asa-nat-dual-uplinks-pbr

The problem with the NAT is that some software newer software levels don't seem to handle it the same way. I have used it succesfully on 8.4(5) and 9.1(1) software levels I think but some newer software levels it has not worked. I can probably test this on some of the newest software levels if there is need for anyone to get a confirmation if this works or not.

Naturally you will also have to consider if you were to go down this path that even if it did work there is no guarantee it would work after some update or there might perhaps be some unforseen problems.

But as I said this is only possible in a new software level.

I wrote a document in start of 2013 regarding the new NAT configuration format. Perhaps it might be of some help if you device to upgrade your ASA to the newer software levels (8.3 or above). Heres a link to the document:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

- Jouni

Hi Jouni, Thank you for

Ajay Koorata — Wed, 28 Jan 2015 07:48:25 GMT

Hi Jouni,

Thank you for sharing above info. Certainly it helps.