Alternative to PBR on ASA5510

jonathan
Level 1

We have an ASA5510 with a backup ISP connection protecting our corporate network.  I also have a mail server and I would like to route SMTP traffic over the backup network.  I realize that the ASA5510 does not support PBR, but I also know that I can use static NAT rules as a workaround to direct specific types of traffic over a particular interface (e.g. "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0" and "static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0").

My question is, is it possible to use something similar to force a particular host to use a specific interface? I have tried to make this work on my own without success.  Is it even possible?

5 Replies

andrew.prince
Level 10

AFAIK this should be possible.

HTH

Shrikant Sundaresh
Cisco Employee

Hi Jonathan,

If I understand correctly, you require that a particular host use the backup ISP instead of the main one while going out to the internet.

I don't think this would be possible, since the internal flow goes like this:

X: address in local LAN

Y: some address on the internet

Outside: Interface connected to main internet

Backup: Interface connected to backup internet

static (inside,Backup) X  OR nat (inside) and global(Backup) has been configured on ASA

Packet with source X and destination Y reaches inside interface of ASA

ASA does a route lookup for Y and sees that the main ISP default route has the least metric

Thus it decides that egress interface should be Outside.

So now, when looking for a NAT entry, it looks for a static(inside,Outside) or a matching global(Outside) and not for the static (inside,backup) or global (Backup) which we configured for it.

Thus it's not possible to do source-based routing using static NAT. Destination-based, yes (as described in the smtp/www example in your post). Unfortunately not source-based.

Hope this helps.

-Shrikant

P.S.: Please mark the question as resolved if it has been answered. Do rate helpful posts. Thanks

Hi Shrikant,

Along with following commands:

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0

If we have a rule to PAT all internet traffic for LAN users (towards outside), will the second of the above two statements still work?

Abid

Hi Abid,

For the second rule you would have to configure a PAT for the backup interface.

Both will still work together.

So let me go into a bit of detail on how we read the static rules.

When you say static(X,Y) A B, it translates to:

When traffic destined to A comes on interface Y, translate A to B, and send packet off interface X.

So static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

means: When traffic destined to port 80 of any ip comes on interface inside, send it off outside interface with same ip.

This takes care of the nat of the destination ip. Similarly for smtp and the backup interface.

The nat (inside) x 0 0 and global (outside) x interface take care of NAT for the source IP.

So if you don't have a NAT rule for the source ip, for smtp traffic going off backup interface, then traffic would drop (if no matching global) or go out with a source in the private-ip range and get dropped somewhere (if no matching nat (inside) or static or anything).

Hope this helps.

-Shrikant
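As an added illustration (not code from the thread or from Cisco), here is a small Python model of the lookup order Shrikant describes: a destination-port static on the ingress interface picks the egress interface first, otherwise the route with the lowest metric does, and only then is a source NAT rule looked up for that (ingress, egress) pair. Interface names, addresses, routes and the host static are constructed.

```python
# Added example, not from the thread: a simplified model of the ASA lookup
# order described above. All addresses, routes and rule sets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 / route backup 0.0.0.0 0.0.0.0 y.y.y.y 2
ROUTES = {"outside": 1, "backup": 2}

# static (X,Y) tcp 0.0.0.0 <port> 0.0.0.0 <port> netmask 0.0.0.0:
# traffic to <port> arriving on Y is sent out X. Keyed (ingress, dport) -> egress.
DEST_STATICS = {("inside", 80): "outside", ("inside", 25): "backup"}

# Source NAT rules. Constructed: static (inside,backup) 10.1.1.25 for one host,
# and nat (inside) 1 0 0 with global (outside) 1 interface only (no global on backup).
HOST_STATICS = {("inside", "backup"): {"10.1.1.25"}}
GLOBALS = {"outside"}

def egress_for(pkt: Packet, ingress: str = "inside") -> str:
    """Step 1: destination-port static on the ingress interface. Step 2: route lookup."""
    if (ingress, pkt.dport) in DEST_STATICS:
        return DEST_STATICS[(ingress, pkt.dport)]
    return min(ROUTES, key=ROUTES.get)  # lowest metric wins

def forward(pkt: Packet, ingress: str = "inside") -> tuple:
    """Return (egress, result). Source NAT is only searched for the chosen (ingress, egress)."""
    egress = egress_for(pkt, ingress)
    if pkt.src in HOST_STATICS.get((ingress, egress), set()):
        return egress, "translated via static"
    if egress in GLOBALS:
        return egress, "translated via global PAT"
    return egress, "dropped: no nat/global for this interface pair"
```

Running `forward(Packet("10.1.1.25", "203.0.113.10", 443))` shows the point of the answer: the route lookup picks outside, so the static (inside,backup) entry for that host is never consulted.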

Hi,

we would like to do the same thing for smtp traffic, so we have tried a config similar to this:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route backup 0.0.0.0 0.0.0.0 y.y.y.y 2

nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0

But nothing...

SMTP traffic goes out using the correct interface only when changing the default route priority...

Our version is 8.2.1.

Some other idea?

Thanks!
