topic Cisco ASA 5510 - Split connection: client on connection1 and ser in Network Security

Cisco ASA 5510 - Split connection: client on connection1 and server on connection2

e.irrera — Tue, 12 Mar 2019 03:38:50 GMT

I have a Cisco ASA 5510 configured in routed mode and i want to split internet traffic:
-client (192.168.42.0 255.255.255.128) on CONNECTION1
-server (192.168.42.224 255.255.255.224) on CONNECTION2
Is it possible with this configuration?
*
*
interface Ethernet0/0
nameif CONNECTION1
security-level 0
ip address 33.33.33.33 255.255.255.248
interface Ethernet0/1
nameif CONNECTION2
security-level 0
ip address 44.44.44.44 255.255.255.248
interface Ethernet0/2
nameif LAN
security-level 100
ip address 192.168.42.1 255.255.255.0
*
*
global (CONNECTION1) 2 interface
global (CONNECTION2) 1 interface
nat (LAN) 1 192.168.42.224 255.255.255.224
nat (LAN) 2 192.168.42.0 255.255.255.128
*
*
route CONNECTION1 192.168.42.0 255.255.255.128 33.33.33.33 2
route CONNECTION2 192.168.42.224 255.255.255.224 44.44.44.44 1

i need to know this befor buying the second connection!

Cisco ASA 5510 - Split connection: client on connection1 and ser

jshojayi — Thu, 06 Feb 2014 07:42:23 GMT

It looks like you must be running 8.2, based on those NAT statements. They look correct to me, but I haven't tested them out.

I don't think the route statements are correct, because an ASA can't route to itself.

Joe

Cisco ASA 5510 - Split connection: client on connection1 and ser

Jouni Forss — Thu, 06 Feb 2014 07:54:28 GMT

Hi,

The ASA in your situation will follow its routing table and it cant have 2 default route at the same time. There is some ways to use the NAT in the older software to split the traffic but its not really flexible. Flexible as in splitting all traffic from a single host to the specific ISP. (atleast to my undertanding)

The newer software levels (which you are not using) has possibilities to use the NAT to have one LAN/host use ISP-1 and one LAN/host use ISP-2. Depending how old your ASA5510 is this might mean a RAM upgrade to support the new software and would also mean that current ASAs configuration would need to be converted to the new software. If its a simple configuration then there should be no big problems.

Though I would imagine that this is not an officially supported way (using NAT) to doing this on the ASA even though the NAT operation is described in documentation clearly that it should follow this logic and enable using NAT to forward traffic where you want rather than where the routing table is showing. There are some problems in the newer softwares where this doesnt work at all. (Even though according to all documentation it should)

In the original ASA5500 Series this seems to work fine in the 8.4(x) software levels. Personally I have used 8.4(5) when I have labbed the setups.

- Jouni

Cisco ASA 5510 - Split connection: client on connection1 and ser

Marius Gunnerud — Thu, 06 Feb 2014 10:02:27 GMT

As Jouni said, you can't have two active default gateways on an ASA. But I am curious as to your routing statements. Was that just a quick copy paste? you would configure the route statements for which network you are trying to reach and which interface those networks are reachable through and the next hop IP you will send the traffic to.

But for your needs I would recommend having a router infront of the ASA that does all routing, PBR, QoS (if needed) etc. and then just use the ASA for traffic filtering. Ofcourse this is all subject to your budget.

--
Please remember to rate and select a correct answer