https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644406#M593257 <HTML><HEAD></HEAD><BODY><P>I agree that your assumption is correct with one caveat, unicast RPF must be turned off.</P></BODY></HTML> Thu, 27 Jan 2011 19:35:40 GMT Collin Clark 2011-01-27T19:35:40Z https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644405#M593256 <P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/1/6/10616-Drawing1.jpg" alt="Drawing1.jpg" class="jive-image" /></P><P></P><P>Hello folks -</P><P></P><P>Here is an image describing my network topology. As indicated, we have two different ISP's for two different services we provide. Our customers have access to Database servers as well as FTP servers sitting in the DMZ. Customers are connecting over the Internet. ISP1 is supposed to be used for all outbound traffic for the database server, and ISP2 is supposed to be used for all outbound FTP traffic. The connection to both these servers is being intiated by the customers from outside. The firewall has a default route pointing to ISP1.</P><P><BR />Since ASA is a stateful firewall, I am assuming all connections coming over ISP2 into the DMZ will be routed back over the ISP2 connection, and not over to ISP1 since that is where the default route is pointing to. Therefore there should not be any assymetric routing that should occur.</P><P></P><P>Is my assumption correct?</P><P></P><P>Thanks for your help!</P> Mon, 11 Mar 2019 19:40:56 GMT https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644405#M593256 ksarin123_2 2019-03-11T19:40:56Z https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644406#M593257 <HTML><HEAD></HEAD><BODY><P>I agree that your assumption is correct with one caveat, unicast RPF must be turned off.</P></BODY></HTML> Thu, 27 Jan 2011 19:35:40 GMT https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644406#M593257 Collin Clark 2011-01-27T19:35:40Z https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644407#M593259 <HTML><HEAD></HEAD><BODY><P>Can you explain why unicast RPF must be turned off?</P></BODY></HTML> Thu, 27 Jan 2011 20:20:05 GMT https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644407#M593259 ksarin123_2 2011-01-27T20:20:05Z https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644408#M593260 <HTML><HEAD></HEAD><BODY><P>I have provided the option that you are looking for in this document:</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-13015">https://supportforums.cisco.com/docs/DOC-13015/#Allowing_outbound_via_ISP1_and_inbound_via_ISP2</A></P><P></P><P>-KS</P></BODY></HTML> Fri, 28 Jan 2011 02:36:12 GMT https://community.cisco.com/t5/network-security/design-question-on-asa/m-p/1644408#M593260 Kureli Sankar 2011-01-28T02:36:12Z