08-16-2015 11:25 AM - edited 03-11-2019 11:26 PM
Hi Everyone,
We have 2 ISPs and are using a Cisco ASA 5505, with Security Plus license. I know the ASA can do failover, but can I just route web traffic, like 80/443, out my second ISP, while the other one handles all other traffic?
I found earlier posts that said you could, pre 8.2, but those commands appear to be deprecated now. Those commands are below:
==========
"Now, if you do not want to configure ISP failback, but you need to route Web (port 80,443) traffic via ISP2 and all other traffic
via ISP1. This requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.
Following are the commands which will achieve it-
route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 //Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
That's it!! Now all the traffic destined to any address on port 80/443 will be forcibly put on ISP2 interface and routed from there."
------------------------------
Are there new commands, post 8.2, that will accomplish this?
It's odd that the ASA can't do this, as a low-end Sonicwall can accomplish what I am trying to do very easily.
Thanks for all your help!
08-17-2015 12:17 AM
Hi
Referencing release notes http://goo.gl/AvbiI8, PBR is supported on ASAs from 9.4.1.
You can check these examples of PBR on 9.4.x code: http://goo.gl/GSt5qv
Prior to 9.4, your nat statements should look like this:
object service www
service tcp source eq www
object service https
service tcp source eq https
nat (inside,ISP2) source static obj_any obj_any service www www
nat (inside,ISP2) source static obj_any obj_any service https https
*Global nat would be configured as shown:
nat (inside,ISP1) after-auto source dynamic any interface
nat (inside,ISP2) after-auto source dynamic any interface
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
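For the post-9.4 side of the answer, this is an added configuration example (not from the thread or from Cisco's linked documents) showing how the same port 80/443 split is expressed with policy-based routing on ASA 9.4.1 or later. It assumes the interface names and next hops from the quoted pre-8.2 post (inside, ISP1 at 1.1.1.2, ISP2 at 2.2.2.2), that Vlan1 is the inside interface on the 5505, and private LAN ranges as constructed sample values; the ACL and route-map names are mine.

```cisco
! Added example: PBR on ASA 9.4.1+ sending inside web traffic out ISP2
! while the default route stays on ISP1. Interface names and next hops
! are assumed from the quoted post; ACL/route-map names are hypothetical.
!
! Default route via ISP1, backup via ISP2 (as in the quoted post)
route ISP1 0.0.0.0 0.0.0.0 1.1.1.2 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 2
!
! Match only Internet-bound web traffic. Deny the private ranges first so
! traffic to internal web servers is not forced toward ISP2 (sample ranges).
access-list PBR_WEB extended deny tcp any 10.0.0.0 255.0.0.0
access-list PBR_WEB extended deny tcp any 172.16.0.0 255.240.0.0
access-list PBR_WEB extended deny tcp any 192.168.0.0 255.255.0.0
access-list PBR_WEB extended permit tcp any any eq www
access-list PBR_WEB extended permit tcp any any eq https
!
! Route-map: matching flows get ISP2's next hop instead of the routing table
route-map WEB_VIA_ISP2 permit 10
 match ip address PBR_WEB
 set ip next-hop 2.2.2.2
!
! PBR is applied on the ingress interface of the traffic (the inside VLAN)
interface Vlan1
 policy-route route-map WEB_VIA_ISP2
!
! PAT per egress interface so ISP2-routed flows carry ISP2's address and
! return traffic comes back on ISP2 (same rules as the answer above)
nat (inside,ISP1) after-auto source dynamic any interface
nat (inside,ISP2) after-auto source dynamic any interface
```

Confirm with `show version` that the box runs 9.4.1 or later (otherwise only the NAT-based approach above applies), then verify the split with `packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.10 443`, which should show the flow leaving on ISP2 while the same trace to port 22 leaves on ISP1.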