ASA5505 - Route HTTP/HTTPS Traffic Out 2nd ISP

rbaran001
Level 1

Hi Everyone,

 

We have two ISPs and are using a Cisco ASA 5505 with the Security Plus license. I know the ASA can do failover, but can I just route web traffic, like 80/443, out my second ISP while the other one handles all other traffic?

 

I found earlier posts that said you could, pre-8.2, but those commands appear to be deprecated now. Those commands are below:


==========

"Now, if you do not want to configure ISP failback, but you need to route Web (port 80, 443) traffic via ISP2 and all other traffic via ISP1: this requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.

Following are the commands which will achieve it:

route ISP1 0 0 1.1.1.2      // Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2    // Default route with metric 2 via ISP2

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

That's it!! Now all the traffic destined to any address on port 80/443 will be forcibly put on the ISP2 interface and routed from there."

------------------------------

Are there new commands, post-8.2, that will accomplish this?

It's odd that the ASA can't do this, as a low-end Sonicwall can accomplish what I am trying to do very easily.

 

Thanks for all your help!

Accepted Solution

Dinesh Moudgil
Cisco Employee

Hi

Referencing release notes http://goo.gl/AvbiI8, PBR is supported on ASAs from 9.4.1.
You can check these examples of PBR on 9.4.x code: http://goo.gl/GSt5qv

Prior to 9.4, your nat statements should look like this:

! obj_any is referenced below but was not defined in the post; the usual
! definition (an object covering any address) is assumed here:
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! Match the client's destination port: browsers use an ephemeral source
! port, so a service object keyed on the source port would never match
! outbound web traffic.
object service www
 service tcp destination eq www
object service https
 service tcp destination eq https
!
! Identity NAT whose mapped interface (ISP2) decides the egress interface.
nat (inside,ISP2) source static obj_any obj_any service www www
nat (inside,ISP2) source static obj_any obj_any service https https

The global NAT would be configured as shown:

nat (inside,ISP1) after-auto source dynamic any interface
nat (inside,ISP2) after-auto source dynamic any interface

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
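The following is an added example, not part of the thread and not Cisco code: a small Python model of the egress decision the two-ISP NAT workaround relies on. It reproduces the documented order of operations (section 1 manual NAT rules first, then the routing table with the after-auto PAT) so that the effect of a service object's direction can be checked against sample flows. The interface names and route metrics come from the thread; the flows, addresses and helper names are constructed.

```python
"""Model of the ASA egress decision behind the two-ISP port-based workaround.

Added example, not Cisco code: it reproduces the documented evaluation order
(manual section 1 NAT rules, then the routing table) to show why the service
object must match the client's destination port rather than its source port.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One inside-originated connection (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ServiceObject:
    """Models 'object service X' with 'service tcp {source|destination} eq N'."""
    proto: str
    direction: str  # "source" or "destination"
    port: int

    def matches(self, flow: Flow) -> bool:
        if flow.proto != self.proto:
            return False
        port = flow.src_port if self.direction == "source" else flow.dst_port
        return port == self.port


@dataclass(frozen=True)
class ManualNatRule:
    """Models 'nat (inside,<egress>) source static obj_any obj_any service S S'.

    For identity NAT the mapped interface named in the rule decides egress.
    """
    egress: str
    service: ServiceObject


# Default routes and metrics as quoted in the question: ISP1 is preferred.
DEFAULT_ROUTES: List[Tuple[str, int]] = [("ISP1", 1), ("ISP2", 2)]


def select_egress(flow: Flow, rules: List[ManualNatRule]) -> str:
    """Return the interface the flow leaves on under the given NAT rules."""
    # Section 1 manual NAT is evaluated in order before any route lookup.
    for rule in rules:
        if rule.service.matches(flow):
            return rule.egress
    # No manual rule matched: ordinary route lookup (lowest metric wins);
    # the after-auto dynamic PAT on that interface then applies.
    return min(DEFAULT_ROUTES, key=lambda route: route[1])[0]


def service_rules(direction: str) -> List[ManualNatRule]:
    """Build the two rules for ports 80 and 443 with the given direction."""
    return [ManualNatRule("ISP2", ServiceObject("tcp", direction, port))
            for port in (80, 443)]


# Constructed sample flows: a browser uses an ephemeral source port, so only
# a rule keyed on the *destination* port can ever match it.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "http": Flow("192.168.1.10", 51000, "203.0.113.20", 80),
    "https": Flow("192.168.1.10", 51001, "203.0.113.20", 443),
    "smtp": Flow("192.168.1.10", 51002, "203.0.113.30", 25),
    "dns": Flow("192.168.1.10", 51003, "203.0.113.40", 53, "udp"),
}


def egress_table(direction: str) -> Dict[str, str]:
    """Egress interface per sample flow for rules written with
    'source eq' or 'destination eq' in the service object."""
    rules = service_rules(direction)
    return {name: select_egress(flow, rules) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for direction in ("source", "destination"):
        print(f"service tcp {direction} eq 80/443 -> {egress_table(direction)}")
```

Running it shows that with `destination eq` the http and https flows leave on ISP2 while smtp and dns fall through to the ISP1 default route, whereas with `source eq` every sample flow takes ISP1 because no outbound client connection carries a source port of 80 or 443.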
