ASA 5510 - Multiple Networks

devereauxj · ‎10-09-2013

Hi There,

I am looking to setup a Cisco ASA 5510 with 2 outside networks and 2 inside networks. I would like it setup so that Inside1 will only use the Outside1 connection and Inside2 will only use the Outside2 connection. There will be absolutely no routing of traffic outside of this. I assume that this is possible, but it would be great to have your confirmation. It would be great to know if there is anything I should watch out for when configuring this.

Thanks!

Julio Carvajal · ‎10-09-2013

Hello Jason,

What you are looking is known as Police-Based Routing which can be easily done on a Router (Route based on source IP addresses).

Unfortunetely this is not possible on the ASA plataform (Police-Based routing) and remember that on the ASA you can only have a route to "x" network.

So that being said if U know the destination addresses you want to send the traffic to via the right interfaces you will be good (Note that I said destination) but if you are trying to do it for all traffic (Internet) you will not be able to make it happen.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss · ‎10-09-2013

Hi,

Even though Policy Based Routing is not available on the ASA you can still use the NAT configurations to achieve what you mention. Even though the commands are simple to achieve this it will still mean that you will have to keep an eye on the order of NAT configuration a lot more than someone with a more usual setup.

To be even able to do this with NAT you would have to be running the new software levels 8.3+, preferably atleast some 8.4(x) software

So your options depends on the software your ASA is running.

- Jouni

Brett Verney · ‎10-09-2013

With the exception of the ASA 5510, the Cisco ASA's have a feature called 'Multi-Context Mode'. This mode allows an Administrator to 'partition' the firewall in to multiple virtual firewalls. There are certain limitations but this should give you what you are after. If you had an 'OUTSIDE' switch that connected the 2 x ASA subinterfaces as well as the 2 x next hop routers, you could have a seperate routing table (and seperate default gateway) for each network/context.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Best Regards,

Brett

devereauxj · ‎10-10-2013

Ok, yes you guys are right. I didn't really think about the "Destination". Both Inside networks will be attempting to access the same Destinations and therefore will probably end up going out through the one Outside interface which I cannot have.

So it looks like I have these options:

I purchase a second ASA 5510 and use it for my Outside2, Inside 2 network
I purchase a ASA 5520 or higher and use Multi-Context Mode

I did find in this document though that I can purchase a Security Plus license for the ASA 5510 and have access to two Contexts. Is this correct?

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_contexts.html

But then there are unsupported features with Multiple Context Mode such as:

Unified Communications
QoS
Remote access VPN

So this means I am probably going to have to use a second device for what I am trying to achieve.

Are there any other things I need to be mindful of?