03-31-2011 02:43 PM - edited 03-11-2019 01:15 PM
We have an ASA5510 with a backup ISP connection protecting our corporate network. I also have a mail server and I would like to route SMTP traffic over the backup network. I realize that the ASA5510 does not support PBR, but I also know that I can use static NAT rules as a workaround to direct specific types of traffic over a particular interface (e.g. "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0" and "static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0").
My question is, is it possible to use something similar to force a particular host to use a specific interface? I have tried to make this work on my own without success. Is it even possible?
04-01-2011 08:44 AM
AFAIK this should be possible.
HTH
04-03-2011 05:26 PM
Hi Jonathan,
If I understand correctly, you require that a particular host use the backup ISP instead of the main one while going out to the internet.
I don't think this would be possible, since the internal flow goes like this:
X: address in local LAN
Y: some address on the internet
Outside: Interface connected to main internet
Backup: Interface connected to backup internet
static (inside,Backup)
Packet with source X and destination Y reaches inside interface of ASA
ASA does a route lookup for Y and sees that the main ISP default route has the least metric
Thus it decides that egress interface should be Outside.
So now, when looking for a NAT entry, it looks for a static(inside,Outside) or a matching global(Outside) and not for the static (inside,backup) or global (Backup) which we configured for it.
Thus it's not possible to do source-based routing using static NAT. Destination-based, yes (as described in the smtp/www example in your post). Unfortunately not source-based.
Hope this helps.
-Shrikant
P.S.: Please mark the question as resolved if it has been answered. Do rate helpful posts. Thanks
04-04-2011 12:37 AM
Hi Shrikant,
Along with following commands:
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
If we have a rule to PAT all internet traffic for LAN users (towards outside), will the second of the above two statements still work?
Abid
04-04-2011 04:33 AM
Hi Abid,
For the second rule you would have to configure a PAT for the backup interface.
Both will still work together.
So let me go into a bit of detail on how we read the static rules.
When you say static(X,Y) A B, it translates to:
When traffic destined to A comes on interface Y, translate A to B, and send packet off interface X.
So static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
means: When traffic destined to port 80 of any ip comes on interface inside, send it off outside interface with same ip.
This takes care of the nat of the destination ip. Similarly for smtp and the backup interface.
The nat (inside) x 0 0 and global (outside) x interface take care of NAT for the source IP.
So if you don't have a NAT rule for the source ip, for smtp traffic going off backup interface, then traffic would drop (if no matching global) or go out with a source in the private-ip range and get dropped somewhere (if no matching nat (inside) or static or anything).
Hope this helps.
-Shrikant
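To make the evaluation order Shrikant describes concrete, here is a small Python model of it. This is an added illustration, not code from the thread or from Cisco; it assumes the simplified order described above (destination static matched on the ingress interface first, then route lookup, then source translation looked up only for the chosen egress pair), and the interface names, metrics and addresses are constructed.

```python
"""Toy model of the ASA 8.2 static/route/NAT lookup order described in the thread."""

from dataclasses import dataclass, field


@dataclass
class Asa:
    # interface -> metric of its default route, e.g. "route outside 0 0 gw 1"
    routes: dict
    # (ingress, dest_port) -> egress, from "static (egress,ingress) tcp 0.0.0.0 port ..."
    dest_statics: dict = field(default_factory=dict)
    # (ingress, egress, src_ip) present if "static (ingress,egress) host ..." exists
    src_statics: set = field(default_factory=set)
    # interfaces that carry "global (ifc) 1 interface" (PAT for nat-id 1)
    globals_: set = field(default_factory=set)

    def forward(self, ingress, src_ip, dport):
        """Return (egress interface, verdict) for one LAN-to-internet packet."""
        # 1. A destination static matched on the ingress interface picks the
        #    egress interface directly (the www/smtp trick from the thread).
        egress = self.dest_statics.get((ingress, dport))
        if egress is None:
            # 2. Otherwise a plain route lookup wins: lowest-metric default route.
            egress = min(self.routes, key=self.routes.get)
        # 3. Source translation is looked up only for the (ingress, egress) pair
        #    already chosen, so a host static on (inside,backup) is never consulted
        #    once the route lookup has selected outside.
        if (ingress, egress, src_ip) in self.src_statics or egress in self.globals_:
            return egress, "forward"
        return egress, "drop"


def thread_config():
    """Constructed config mirroring the thread: outside preferred, smtp via backup."""
    return Asa(
        routes={"outside": 1, "backup": 2},
        dest_statics={("inside", 80): "outside", ("inside", 25): "backup"},
        src_statics={("inside", "backup", "10.0.0.5")},  # host-based attempt
        globals_={"outside", "backup"},
    )


def missing_backup_global():
    """Same config but without "global (backup) 1 interface"."""
    asa = thread_config()
    asa.globals_ = {"outside"}
    return asa
```

The model reproduces the thread's conclusions: port-based statics steer www and smtp, the host-based static for 10.0.0.5 changes nothing for other ports, and smtp is dropped when the backup interface has no global.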
02-22-2013 06:02 AM
Hi,
we would like to do the same thing for smtp traffic, so we have tried a config similar to this:
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route backup 0.0.0.0 0.0.0.0 y.y.y.y 2
nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
But nothing...
SMTP traffic goes out using the correct interface only when changing the default route priority...
Our version is 8.2.1.
Any other ideas?
Thanks!