ASA 5505 interface based routing?

sgofferje
Level 1

Hi,

I got an ASA 5505 in my lab and got it working fine with one IP and various NAT and other scenarios (I'm currently refreshing my skills after a longer break on the job).

Now, from my ISP I can get up to 5 public IPs. However, those IPs are assigned via DHCP and they are pretty random and not all in the same subnet. For testing, I created an interface outside2 on e0/1 and connected that to one of the ports of the cable gateway. The interface does get an IP and INCOMING packets go to the right place via static PAT, BUT the replies don't arrive at the client. I strongly suspect that the ASA is sending the reply packets through the other public IP on outside (e0/0) which would make sense because that's where the default route points.

Is it possible to configure some kind of interface-based routing, i.e. if a packet comes in via outside2, the corresponding reply goes through outside2 and through the gateway outside2 receives via DHCP?

-Stefan

4 Replies

rvarelac
Level 7

Hi sgofferje,

Not sure if I understand, but if you want to reply to the same interface you receive the traffic on, you need a command on the ASA; this feature is called "U-Turn" and the command is "same-security-traffic permit intra-interface".

Hope it helps

- Randy -

Harvey Ortiz
Level 1

Hi Stefan,

As I understand the traffic is coming in from outside2 going to a host-A behind the ASA.

Host-A will reply back, but this traffic will exit out through the outside 0/0 interface, since that is where you have configured the default gateway.

In order to send the replies to the client over outside2, you need to set up specific routes on the ASA through the outside2 interface.

Also remember that the ASA doesn't support Policy Based Routing (PBR), because the ASA routes the traffic based on destination:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_static.html#wp1121567

Harvey.

Please rate if this is the correct answer.

Hi Harvey,

Thanks for your reply! Yes, you understood the scenario right. Configuring static routes wouldn't work here because the IP is assigned by the ISP through DHCP, plus the host which I want to NAT behind outside2 should also be world-reachable.

So basically I would need to get either a bigger ASA which supports contexts or another 5505 to connect in parallel to the existing one for handling a separate public IP? Actually, it should be another 5505 then because multiple context mode doesn't support VPN...

-Stefan

Hi Stefan,

You are right, it will require an ASA running multiple contexts or having another ASA.

I know that Routers support this feature.

The only option you could implement would be to set up specific routes through the outside2 interface towards the remote network or networks.

Regards,

Harvey.

Please rate if this is the correct answer.
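To make the destination-based forwarding behaviour in this thread concrete, here is an added Python simulation (example code, not from the thread and not Cisco's ASA code): a longest-prefix-match lookup over a constructed routing table with a default route via outside (e0/0) and an optional static route via outside2 (e0/1). The interface names, the documentation-range addresses and the next hops are assumptions; the lookup shows that the ingress interface never influences the egress choice, and that a static route via outside2 only redirects replies for the networks it covers, which is why it cannot help with arbitrary DHCP-assigned client addresses.

```python
import ipaddress

# Constructed routing table modelled on the thread's lab: default route via
# outside (e0/0), the inside LAN, and optionally one static route via outside2
# (e0/1). All addresses are RFC 5737/2544 documentation ranges (assumed).
def build_table(with_outside2_route=False):
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "outside"),
        (ipaddress.ip_network("10.10.10.0/24"), None, "inside"),
    ]
    if with_outside2_route:
        # Equivalent of a specific static route pointing out of outside2
        table.append((ipaddress.ip_network("203.0.113.0/24"), "198.51.100.1", "outside2"))
    return table


def lookup(table, dst, ingress=None):
    """Destination-based lookup: the most specific matching prefix wins.

    `ingress` is accepted only to make the point explicit: with no PBR the
    interface a packet arrived on plays no part in choosing the egress interface.
    """
    addr = ipaddress.ip_address(dst)
    matches = [route for route in table if addr in route[0]]
    best = max(matches, key=lambda route: route[0].prefixlen)
    return best[2]


def reply_egress(table, client_ip, ingress="outside2"):
    """Egress interface for the reply to a client whose request came in on `ingress`."""
    return lookup(table, client_ip, ingress)


if __name__ == "__main__":
    # Stefan's symptom: request arrives on outside2, reply leaves via outside.
    print("default route only :", reply_egress(build_table(), "203.0.113.50"))
    # Harvey's workaround: a static route for that client network via outside2.
    print("with outside2 route:", reply_egress(build_table(True), "203.0.113.50"))
    # A client outside the covered network still falls back to the default route.
    print("uncovered client   :", reply_egress(build_table(True), "198.18.0.9"))
```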
