02-26-2011 12:54 AM - edited 03-11-2019 12:57 PM
Could someone point me in the right direction and maybe provide a config example of how to set up an ASA with two Internet connections? We want to have the ability to send certain traffic over one connection (for example HTTP) and everything else over another. Is there a way to do this, and if so, an example config would be greatly appreciated. Thanks.
Sent from Cisco Technical Support iPhone App
02-26-2011 01:04 AM
Hello Craig
I'm sorry to inform you that this cannot be done on the ASA (at least in any straightforward way).
The ASA software does not support Policy-Based Routing, which is required to complete your requirement. However, you can always configure multiple ISPs in an active-passive fashion, as described at the following link:
As a workaround in some scenarios you can run the ASA box in multiple context mode to achieve similar requirements, but that is not recommended for various reasons (complexity, some features like dynamic routing/VPNs not working in virtual firewall mode, etc.).
Regards
Farrukh
02-26-2011 05:00 AM
Couldn't you use policy-based NAT to NAT certain traffic out a different interface?
Sent from Cisco Technical Support iPhone App
02-26-2011 07:58 AM
You can use policy-based NAT (it can also be on the same output interface depending on the exact requirement), but there will be no link reliability in this case. What happens when one link fails?
Regards
Farrukh
02-26-2011 01:24 PM
Reading the original request, it doesn't sound like failover or redundancy are important criteria in the scenario presented.
02-27-2011 05:28 AM
Yes, not concerned with failover/redundancy at this point. Can you tell me how I would configure the two static routes for each ISP? Thanks so much for your help.
Sent from Cisco Technical Support iPhone App
02-27-2011 05:38 AM
Hello Craig
This is why I mentioned in my initial post that you won't be able to meet your requirement because PBR is not supported on the ASA: the problem is that one can only configure default routes pointing out one interface on the ASA firewall (and not more), as mentioned in the config guide:
"When defining more than one default route, you must specify the same interface for each entry."
And as you know, a default route is essential to route Internet traffic. If you have any proxy server or router in the transit path, you can fulfil your requirement using those devices.
Regards
Farrukh
02-27-2011 09:29 AM
So what if I set up another default route with a higher metric and policy NATed the traffic I wanted out that new interface? Would that work? Thanks again!
Sent from Cisco Technical Support iPhone App
02-27-2011 11:26 AM
I'm sorry to tell you that will also not work; please see the next paragraph on the same link:
"If you attempt to define more than three equal cost default routes or a default route with a different interface than a previously defined default route, you receive the following message:
ERROR: Cannot add route entry, possible conflict with existing routes."
Regards
Farrukh
02-27-2011 11:50 AM
But is it allowed if I set up route tracking via ICMP?
Sent from Cisco Technical Support iPhone App
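The active/passive dual-ISP arrangement mentioned earlier in the thread, and the route-tracking question just asked, are illustrated by the following configuration. This is an added example written for this page, not a config posted by any participant or taken from the linked documents. The interface names (outside, backup), the interface slots and the 203.0.113.x / 198.51.100.x addresses are assumed sample values; the NAT lines use the pre-8.3 global/nat syntax, which matches the ASA software of the period.

```cisco
! Added example (not from the thread): ASA active/standby default routes
! toward two ISPs using static route tracking. Assumed values:
!   outside -> ISP1, gateway 203.0.113.1  (primary)
!   backup  -> ISP2, gateway 198.51.100.1 (secondary)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! ICMP echo probe of the ISP1 gateway: one probe every 10 seconds,
! declared failed if no reply within 3000 ms.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 timeout 3000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Tracked object that follows the reachability state of probe 1.
track 1 rtr 1 reachability
!
! The primary default route (metric 1) stays in the routing table only
! while track 1 reports the gateway reachable. The backup default route
! on the other interface (metric 254) is accepted because the primary is
! tracked; without "track 1" the second route would be rejected with
! "ERROR: Cannot add route entry, possible conflict with existing routes."
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Pre-8.3 NAT: inside hosts are translated to the address of whichever
! outside interface currently carries the default route.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Note what this does and does not give: when the probe fails, all Internet-bound traffic moves to ISP2, and moves back when ISP1's gateway answers again. It does not steer one class of traffic (such as HTTP) out one link while the rest uses the other, which is the policy-based routing the thread says the ASA lacks. Existing connections are not preserved across the switch, since their translations were built on the previous interface.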
03-01-2011 03:56 PM
Stumbled upon this. Would this work?
https://supportforums.cisco.com/docs/DOC-6069
Sent from Cisco Technical Support iPhone App
03-05-2011 12:15 AM
I'm sorry for the late reply; that solution is definitely worth a try, even though the solution is a little crude.
Regards
Farrukh
03-08-2011 09:01 AM
When I made this change for port 80 traffic, I could see that it worked. However, it seemed to break internal web traffic between clients and an internal web server (both on the inside network, not traversing the firewall). Could this be a proxy ARP issue or an ICMP redirect issue? The clients' default gateway is a Cisco router, and this router's default gateway is the inside of the ASA. The clients, internal web server, core router, and ASA inside interface are all on the same subnet.
Sent from Cisco Technical Support iPhone App
03-08-2011 10:42 AM
Hello
I doubt this is a proxy ARP issue, as it is only supposed to kick in if you are trying to reach an IP address on another subnet and the router replies with its own MAC; it should not occur for traffic on the same subnet. Of course, this could be due to misconfigured subnet mask(s) on one or more devices in the concerned network.
This can be easily verified by inspecting the ARP table of both client and server (web); e.g. on Windows, 'arp -a' will show this.
Regards
Farrukh