ASA: default routing with two ISP's

We have two areas of public IP addresses. Both are configured on the ASA5510 (7.2.4, failover A/S, functions: VPN server, VPN L2L, SSL VPN, firewall, NAT):

interface Ethernet0/0.100
 description ### Path A ###
 vlan 100
 nameif outside-1
 security-level 0
 ip address 100.100.100.1 255.255.255.248 standby 100.100.100.2
!
interface Ethernet0/0.200
 description ### Path B ###
 vlan 200
 nameif outside-2
 security-level 10
 ip address 200.200.200.1 255.255.255.248 standby 200.200.200.2

In the DMZ we have two servers with a NAT requirement:

static (dmz,outside-1) 192.168.1.1 100.100.100.3 netmask 255.255.255.255 !--- NAT for Host-A
static (dmz,outside-2) 192.168.1.2 200.200.200.3 netmask 255.255.255.255 !--- NAT for Host-B

Default Route:

route outside-1 0.0.0.0 0.0.0.0 100.100.100.6

The ASA communicates with the ISP router, which is configured with both IP addresses (100.100.100.6/29 and 200.200.200.6/29), through the switch:

interface FastEthernet0/2
 description ### Link to ISP-Router.100 ###
 switchport access vlan 100
!
interface FastEthernet0/2
 description ### Link to ISP-Router.200 ###
 switchport access vlan 200
!
interface FastEthernet0/3
 description ### Trunk to ASA ###
 switchport trunk encapsulation dot1q
 switchport mode trunk

How can I make Host B choose Path B without defining an explicit target in the routing? As far as I know, the ASA does not support PBR.

Does somebody have any (other) idea?

6 Replies

hemen.goradia (Level 1)

You can try a route-map and define the policy accordingly.

Which IOS version of the ASA are you running? I have tried this in 7.1 and 8.0.

Hemen

ASA Version 7.2(4)

jcosgrove (Level 1)

You can use the ASA to take care of the NAT for ISP A and ISP B with a single default route on the outside interface. Then in your ISP border router use policy-based routing to decide which IPs get which next hop.

Host-A --> 2.2.2.2

Host-A --> ASA dmz --> default route: outside-1 --> NAT (dmz,outside-1) --> outside-1 --> ISP Router.100 --> Internet cloud --> 2.2.2.2

Host-B --> 2.2.2.2

Host-B --> ASA dmz --> default route: outside-1 --> NAT ??? --> drop packet.

mzik (Level 1)

Can you try adding the following line to the ASA?

route outside-2 0.0.0.0 0.0.0.0 200.200.200.6 200

Mirek
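A constructed Python model of the forwarding order jcosgrove describes (route lookup picks the egress interface first, then the static NAT is looked up on the ingress/egress pair) and of what Mirek's metric-200 backup route does to that lookup. This is an added example, not code from the thread or from Cisco; the function names are assumptions, and the drop on a missing translation assumes nat-control, as in jcosgrove's diagram.

```python
import ipaddress

# Constructed model of the thread's ASA 7.2 setup, using its sample addresses.
ROUTES = [
    # (prefix, egress interface, next hop, metric)
    (ipaddress.ip_network("0.0.0.0/0"), "outside-1", "100.100.100.6", 1),
]
BACKUP_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "outside-2", "200.200.200.6", 200)
STATICS = {
    # (ingress, egress): {real address: mapped address}
    ("dmz", "outside-1"): {"192.168.1.1": "100.100.100.3"},
    ("dmz", "outside-2"): {"192.168.1.2": "200.200.200.3"},
}


def lookup_route(dst, routes):
    """Longest-prefix match; on equal prefix length the lower metric wins,
    so a metric-200 default route only takes over if the metric-1 one is gone."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


def forward(src, dst, ingress="dmz", routes=ROUTES, statics=STATICS):
    """Return the path a DMZ-originated packet takes, or why it is dropped.
    Egress is chosen by the routing table before NAT is consulted."""
    route = lookup_route(dst, routes)
    if route is None:
        return ("drop", "no route")
    egress, next_hop = route
    mapped = statics.get((ingress, egress), {}).get(src)
    if mapped is None:
        # Assumed nat-control: no translation for this pair, packet dropped.
        return ("drop", f"no xlate for {src} on ({ingress},{egress})")
    return ("forward", egress, next_hop, mapped)


if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.2"):
        print(host, "->", forward(host, "2.2.2.2"))
        print(host, "(with backup route) ->",
              forward(host, "2.2.2.2", routes=ROUTES + [BACKUP_ROUTE]))
```

Host-A is translated and leaves via outside-1, Host-B is dropped because its static lives on (dmz,outside-2), and adding the backup route does not change either outcome while the metric-1 route is present.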

I have a similar problem. Did you ever get a working solution to this?
