https://community.cisco.com/t5/network-security/add-second-wan-link-to-pix-515ur/m-p/1744204#M534238 <HTML><HEAD></HEAD><BODY><P>As far as i know unfortunately this won't work. The problem is that external traffic coming from the internet would indeed go to the mail server. But when the mail server sends it traffic back to the ASA the ASA looks up the route and sees a default-route to the primary ISP going out of the outside interface. It then looks for a static NAT command for the mail server but it would be looking for a static (inside,outside) ... command because the route points out of the outside interface. </P><P></P><P>But you actually want to go via the outside2 interface. But you have no route pointing out of that interface. And you can't simply add another default-route. Unless you know the mail servers that would connect to your mail server so you could add host specific routes to your firewall going via the outside2 interface it won't be achievable.</P><P></P><P>You really need PBR because in effect you are trying to route the mail server traffic from your mail server based on source IP and unfortunately the ASA firewalls do not support PBR.</P><P></P><P>Jon</P></BODY></HTML> Thu, 04 Aug 2011 14:31:08 GMT Jon Marshall 2011-08-04T14:31:08Z https://community.cisco.com/t5/network-security/add-second-wan-link-to-pix-515ur/m-p/1744203#M534236 <P>Hi all...I have a PIX 515 with 6 interfaces.</P><P></P><P>My goal is NOT to have redundant ISPs.&nbsp; My initial goal is to provide a 2nd public IP address that can receive email in the event that my primary WAN link goes down.</P><P></P><P>So far, this is what I have.</P><P></P><P>interface ethernet5 auto<BR />nameif ethernet5 outside2 security0<BR />ip address outside2 64.xx.xx.xx 255.255.255.248<BR />no failover ip address outside2<BR />access-group 31 in interface outside2</P><P></P><P><BR />access-list 31 permit tcp any host 64.xx.xx.xx eq smtp<BR />static (inside,outside2) tcp 64.xx.xx.xx smtp 172.X.x.x smtp netmask 255.255.255.255 0 0</P><P></P><P>The static statement shouls nat my 2nd public IP to my internal mail gateway.&nbsp; I have the 2nd isp cable attached to the PIX and the PIX can ping the ip 64.x.x.x and its gateway...But telnetting using port 25 to the public ip address does not work.</P><P></P><P>Any ideas?</P> Mon, 11 Mar 2019 21:07:39 GMT https://community.cisco.com/t5/network-security/add-second-wan-link-to-pix-515ur/m-p/1744203#M534236 bfpnetworking 2019-03-11T21:07:39Z https://community.cisco.com/t5/network-security/add-second-wan-link-to-pix-515ur/m-p/1744204#M534238 <HTML><HEAD></HEAD><BODY><P>As far as i know unfortunately this won't work. The problem is that external traffic coming from the internet would indeed go to the mail server. But when the mail server sends it traffic back to the ASA the ASA looks up the route and sees a default-route to the primary ISP going out of the outside interface. It then looks for a static NAT command for the mail server but it would be looking for a static (inside,outside) ... command because the route points out of the outside interface. </P><P></P><P>But you actually want to go via the outside2 interface. But you have no route pointing out of that interface. And you can't simply add another default-route. Unless you know the mail servers that would connect to your mail server so you could add host specific routes to your firewall going via the outside2 interface it won't be achievable.</P><P></P><P>You really need PBR because in effect you are trying to route the mail server traffic from your mail server based on source IP and unfortunately the ASA firewalls do not support PBR.</P><P></P><P>Jon</P></BODY></HTML> Thu, 04 Aug 2011 14:31:08 GMT https://community.cisco.com/t5/network-security/add-second-wan-link-to-pix-515ur/m-p/1744204#M534238 Jon Marshall 2011-08-04T14:31:08Z