Alternative to PBR on ASA5510

We have an ASA5510 with a backup ISP connection protecting our corporate network.  I also have a mail server and I would like to route SMTP traffic over the backup network.  I realize that the ASA5510 does not support PBR, but I also know that I can use static NAT rules as a workaround to direct specific types of traffic over a particular interface (e.g. "static (outside,inside) tcp www www netmask" and "static (backup,inside) tcp smtp smtp netmask").

My question is, is it possible to use something similar to force a particular host to use a specific interface? I have tried to make this work on my own without success.  Is it even possible?


Re: Alternative to PBR on ASA5510

AFAIK this should be possible.


Cisco Employee

Re: Alternative to PBR on ASA5510

Hi Jonathan,

If I understand correctly, you require that a particular host use the backup ISP instead of the main one while going out to the internet.

I don't think this would be possible, since the internal flow goes like this:

X: address in local LAN

Y: some address on the internet

Outside: Interface connected to main internet

Backup: Interface connected to backup internet

static (inside,Backup) X  OR nat (inside) and global(Backup) has been configured on ASA

Packet with source X and destination Y reaches inside interface of ASA

ASA does a route lookup for Y and sees that the main ISP default route has the least metric

Thus it decides that egress interface should be Outside.

So now, when looking for a NAT entry, it looks for a static(inside,Outside) or a matching global(Outside) and not for the static (inside,backup) or global (Backup) which we configured for it.

Thus it's not possible to do source-based routing using static NAT. Destination-based, yes (as described in the smtp/www example in your post). Unfortunately not source-based.

Hope this helps.


P.S.: Please mark the question as resolved if it has been answered. Do rate helpful posts. Thanks


Re: Alternative to PBR on ASA5510

Hi Shrikant,

Along with following commands:

static (outside,inside) tcp www www netmask

static (backup,inside) tcp smtp smtp netmask

If we have a rule to PAT all internet traffic for LAN users (towards outside), will the second of the above two statements still work?


Cisco Employee

Re: Alternative to PBR on ASA5510

Hi Abid,

For the second rule you would have to configure a PAT for the backup interface.

Both will still work together.

So let me go into a bit of detail on how we read the static rules.

When you say static(X,Y) A B, it translates to:

When traffic destined to A comes on interface Y, translate A to B, and send packet off interface X.

So static (outside,inside) tcp www www netmask

means: When traffic destined to port 80 of any ip comes on interface inside, send it off outside interface with same ip.

This takes care of the nat of the destination ip. Similarly for smtp and the backup interface.

The nat (inside) x 0 0 and global (outside) x interface take care of nat for the source ip.

So if you don't have a NAT rule for the source ip, for smtp traffic going off backup interface, then traffic would drop (if no matching global) or go out with a source in the private-ip range and get dropped somewhere (if no matching nat (inside) or static or anything).

Hope this helps.
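The lookup order described in the two replies above (route lookup first, then a NAT lookup keyed only on the chosen interface pair) as a small Python model. This is an added example, not Cisco code or anything from the thread; the interface names, ports and addresses in the sample configuration are constructed.

```python
from dataclasses import dataclass


@dataclass
class Asa82:
    """Toy model of the pre-8.3 ASA NAT/route decision for traffic from inside."""
    routes: list        # [(interface, metric)] default routes; lowest metric wins
    port_statics: dict  # static (<ifc>,inside) tcp <port> <port>    -> {dst_port: ifc}
    src_statics: dict   # static (inside,<ifc>) <host> <mapped>      -> {host: (ifc, mapped)}
    pat_globals: dict   # nat (inside) 1 0 0 + global (<ifc>) 1 interface -> {ifc: pat_ip}

    def forward(self, src, dst_port):
        """Return (egress_interface, translated_source) or ("drop", reason)."""
        # 1. A port-based static on the inside interface is matched on ingress,
        #    so it selects the egress interface before any route lookup.
        egress = self.port_statics.get(dst_port)
        if egress is None:
            # 2. Otherwise the route lookup decides: best-metric default route.
            egress = min(self.routes, key=lambda r: r[1])[0]
        # 3. Only now is NAT looked up, and only for the (inside, egress) pair.
        #    A static configured for a different pair is never consulted.
        rule = self.src_statics.get(src)
        if rule is not None and rule[0] == egress:
            return egress, rule[1]
        pat_ip = self.pat_globals.get(egress)
        if pat_ip is None:
            return "drop", f"no nat/global for (inside,{egress})"
        return egress, pat_ip


def build_demo():
    # Constructed sample configuration; addresses are illustrative only.
    return Asa82(
        routes=[("outside", 1), ("backup", 2)],
        port_statics={80: "outside", 25: "backup"},
        src_statics={"10.0.0.50": ("backup", "203.0.113.50")},
        pat_globals={"outside": "198.51.100.1", "backup": "203.0.113.1"},
    )


if __name__ == "__main__":
    asa = build_demo()
    print(asa.forward("10.0.0.20", 25))   # ('backup', '203.0.113.1')
    print(asa.forward("10.0.0.50", 443))  # ('outside', '198.51.100.1'): backup static ignored
```

Removing the global for the backup interface turns the smtp case into a drop, which is the failure mode the reply warns about when no nat/global exists for the interface the packet leaves on.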



Re: Alternative to PBR on ASA5510


We would like to do the same thing for smtp traffic, so we have tried a config similar to this:

“route outside x.x.x.x 1
route backup  y.y.y.y 2

nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface

static (outside,inside) tcp www www netmask
static (backup,inside) tcp smtp smtp netmask”

But nothing...

SMTP traffic goes out using the correct interface only when changing the default route priority...

Our version is 8.2.1.

Any other ideas?