Thanks Marcin. They are static site to site. So I will just put the endpoint IPs in my routing. What happens though to the servers that have outside IP addresses through ISP1? Could their be any issues there? I want them to keep those static IPs so should their traffic route always through ISP1?

-Chris

That would not have any problem with the default route pointing towards ISP1.

Pls. refer this link I have suggested this as an option: https://supportforums.cisco.com/docs/DOC-13015/#Allowing_internet_access_via_ISP1_and_L2L_vpn_via_ISP2

Allow internet access outbound and inbound via ISP1 with the default  route pointing to ISP1 and VPN site to site tunnels can be terminated on  the ISP2 interface by configuring specific routes to reach peer  networks via IPS2.

-KS

I have tried to follow those instrucitons, but every time I implement it the users lose all internet access. Here is my setup:

ASA 5510 - > Cisco 1721 ->Serial0 ->T1 Internet

                                      ->FastEthernet1 -> Cable Internet

ASA

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Router

Current configuration : 1579 bytes
!
version 12.4
!
interface FastEthernet0
description Connection to Firewall
ip address ISP1
ip policy route-map PBR_LAN
speed auto
!
interface FastEthernet1
description Comcast
switchport access vlan 1001
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface Serial0
description Internet connection
ip address T1Address

service-module t1 timeslots 1-24
!
interface Vlan1001
description ComcastVlan
ip address COMCAST WAN

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 T1Address
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
!
ip access-list extended Comcast
permit tcp any any eq www
deny   ip any any

route-map PBR_LAN permit 10
match ip address Comcast
set ip next-hop ISP Gateway

!

Any help would be greatly appreciated! I know i can't assign an IP to an interface on the ESW4 card so I created a Vlan, but the result should be the same?

Thanks!

www will work only when you get name resolution.  That happens via udp 53 so, when you are only allowing tcp 80 udp 53 will fail

ip access-list extended Comcast
permit tcp any any eq www

permit udp any any eq 53---------------> add this.
deny   ip any any

You need to add dns as well.

-KS

Thanks. That still didn't work.... so I even switch the www to handle just ftp and I am using just the ip address to take DNS out of it, and it isn't working.

I can see that it is hitting the access list. Could it be something with the NATing?

Here is a crude picture of what we have going on.

I have no idea what the problem is. You said acl has hit counts so, why don't you specify the source IP that you are expecting to see instead of "any" in the acl.  You know what IP address the ASA is support to translate the packet to right? Use that IP as the source in your route-map acl. Let us see if you see hit counts.  If you do then the packet is reaching the router and we can investigate what happens to the packet once the router receives it.

ip access-list extended Comcast
permit tcp host x.x.x.x any eq www   -----> change the any to the ASA's outside IP address.

-KS

So I changed the access-list to reflect the specific host. Here is my result from show access-list Test

    120 permit tcp host 99.99.99.98 any eq ftp (11 matches)
    130 deny ip any any (3976 matches)

I still cannot get onto ftp. As soon as I delete that line, it works going out through my OLD ISP. I am wondering do I need to add an extra level of NATing either on the cable modem or the router? Or do I need to tell the ASA to NAT a different address for the traffic I want to go over the Comcast ISP?

Thanks!

I think you should change the tcp to ip.

120 permit ip host 99.99.99.98 any  (11 matches)
    130 deny ip any any (3976 matches)

-KS

That didn't work either...

When you say it didn't work either, what do you mean?

You do hit counts for the permit ip x.x.x.x line? So packets are coming from the ASA with that IP address and where does the router send them?

Would you be able to open a TAC case so, we can do a "debug ip packet detail" for a particular access-list with that x.x.x.x ip from and to to see where the packets are going?

-KS