asa 5510 with two outside interfaces

Antonio Brandao
Level 1

Hi All,

I have a Cisco ASA 5510 and I'm trying to manage my traffic on it.

I have two outside ports. One will be for Internet traffic that comes from inside, and the other will be for email traffic that comes from the DMZ.

I'm having problems now because I have only one default route, going to outside1, and this way traffic from the DMZ is going to outside2 as well.

Any idea how to do it?

AB

6 Replies

Hi,

The problem is the following...

The ASA only works with a single default gateway (it can have more than one but cannot use them simultaneously).

So, if you have 1 default gateway out one interface and another default gateway out another interface, only one default gateway will work (the other will be backup).

You can send traffic to the Internet via a second interface (where the primary default gateway is not defined), if you specify the routes you want to reach out that interface.

Federico.

Kureli Sankar
Cisco Employee

Unfortunately the ASA cannot load balance between two different Internet-facing interfaces. You can only add one default route on the ASA. Neither can it do PBR (policy-based routing).

I suggest that you get a layer 3 device on the outside to do PBR based on the source IP address that the ASA translates the inside addresses to and the DMZ server IP.

Read this thread:

https://supportforums.cisco.com/message/894920

-KS

fixitrodd
Level 1

I know this is an old post, but I wanted to let people know it is possible, but it can't be done from the GUI. A few years back I called TAC. The tech said it was unsupported but he could help me out. I wanted all my outgoing http traffic to use one interface (internet) and everything else to use the other interface (also the internet). The http interface was also where all my incoming NATs were. It was a way of load balancing at the time for several reasons.

I went back and looked at the backup from that time frame. We no longer have this setup or addresses, but here are the lines I think made it possible. If I missed something I apologize, but hopefully it'll help spark the final result you're looking for. Good luck!

global (Outside) 101 interface
global (ComcastBroadband) 101 interface

route Outside 0.0.0.0 0.0.0.0 64.132.12.161 1
route ComcastBroadband 0.0.0.0 0.0.0.0 50.195.99.22 2

static (ComcastBroadband,Inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

Attaching my recent post to this. I'm really stuck in this situation; will try out yours, or get a layer 3 unit.

----------

I've just started consolidation of a 5512x with one ISP and a 5550 with another ISP. The configuration is dumped on a 5555X with FW 9.2(3)4, which then will have 2 ISPs.

To make the migration day easy I want to use both ISPs for VPN/IPSec and Internet traffic, both to and from the outside/inside. I thought there might be some functionality for this, but now I'm not so sure.

Previously I have had some experience using NAT to select the egress interface, but after learning that Cisco suddenly started to remove this functionality in some FWs I started using routing instead. But in the case of two ISPs, there will be two 0.0.0.0 routes, and I don't see how this could work. Also checked out the "track" function on routes, but this applies to a primary/secondary backup scenario.

The other posts on the subject are 2-3 years old, and I'm wondering if someone can point me in the right direction with the current FW releases and this scenario.

Thanx

Jon Are

Please rate as helpful, if that would be the case. Thanx

If you send different traffic each way it might work. But you won't be able to use both for the same type of traffic. If you find a way let us all know :)

Installed two Linux boxes with nginx webserver, inside IPs 10.0.1.46 and 47. Did NAT to outside on ISP1 with the 10.0.1.46 and NAT to outside on ISP2 with the 10.0.1.47.

I can then access the 10.0.1.46 from outside with the NAT for ISP1

I cannot access the 10.0.1.47 from outside with the NAT for ISP2.

I guess this is because of the default route. This is a real bummer, and I can't understand that the NAT is ignored and the routing table decides the egress interface for the return traffic, even when the traffic is initiated from the outside on ISP2.

Correct me if I'm wrong.

Update 18.12.15:

I'm correcting myself; I had actually managed to disable the interface of ISP2 while testing the setup. The configuration above works as expected.

Please rate as helpful, if that would be the case. Thanx