ASA 9.8 Policy Based Routing

l.buschi
Level 2

Hello,

I want to upgrade my ASA to version 9.8.

My company has two different ISPs for internet access and I would like to use the first internet access for public services (email, FTP, and so on) with static public IP mapping.

The second ISP should be used by users to surf the Internet.

Is it possible to implement such a solution?

Tks 

Johnny

Accepted Solutions

Francesco Molino
VIP Alumni

Hi 

Yes this is possible. 

Let's assume your inside interface is g0/0 and 200.1.1.1 is your ISP router IP on the secondary link.

The default route will point to your primary ISP link.

Then you need to configure an ACL and a route-map, and attach that to your inside interface:

interface GigabitEthernet0/0
 policy-route route-map pbr
!
! You can filter the source subnet. Here, for example, I've authorized any source to any destination to ports 80 and 443
access-list web extended permit tcp any any eq www
access-list web extended permit tcp any any eq https
!
route-map pbr permit 10
 match ip address web
 set ip next-hop 200.1.1.1

Hope that's clear enough. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
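
Added example, not part of the answer above: the same policy with the ACL narrowed to a user subnet, followed by CLI checks that the policy route is actually taken. The user subnet 192.168.10.0/24, the DMZ subnet 172.16.1.0/24, the nameif `inside` and the test addresses are assumptions; the ACL name, route-map name and next hop 200.1.1.1 come from the answer.

```cisco
! Assumed addressing (not from the thread):
!   users        192.168.10.0/24 behind nameif "inside" (GigabitEthernet0/0)
!   DMZ servers  172.16.1.0/24 on another ASA interface
! Use these entries instead of the two "any any" entries in ACL "web".
!
! A deny entry means this clause does not policy-route the flow, so user
! web traffic to the DMZ keeps following the normal routing table.
access-list web extended deny tcp 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
! Only the user subnet is steered to the second ISP. Any other host behind
! the same interface keeps using the default route to the primary ISP.
access-list web extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list web extended permit tcp 192.168.10.0 255.255.255.0 any eq https
!
route-map pbr permit 10
 match ip address web
 set ip next-hop 200.1.1.1
!
interface GigabitEthernet0/0
 policy-route route-map pbr
!
! Verification, run from privileged EXEC mode.
! Show the route-map and which interface it is bound to:
show route-map pbr
show policy-route
!
! Simulate a user HTTPS flow (constructed addresses). The output-interface
! in the result should be the interface facing 200.1.1.1.
packet-tracer input inside tcp 192.168.10.25 40000 203.0.113.10 443 detailed
!
! Simulate a non-web flow from the same user. It does not match ACL "web",
! so the output-interface should be the primary ISP interface.
packet-tracer input inside tcp 192.168.10.25 40000 203.0.113.10 25 detailed
!
! Simulate a user flow to the DMZ. It hits the deny entry and should be
! routed normally, not sent to 200.1.1.1.
packet-tracer input inside tcp 192.168.10.25 40000 172.16.1.10 443 detailed
```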


Suneel Kumar
Level 1

Hi,

Plz find a link...may be useful...

www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html
