Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
575
Views
0
Helpful
3
Replies

Can the ASA5510 be configured to use 2 outside interfaces without redundancy or failover?

nw6605872
Level 1
Level 1

‎02-13-2013 04:27 PM - edited ‎03-11-2019 06:00 PM

I am trying to determine if this is possible or not.  I have tried several configurations and I can only get half of it to work.

LAN (10.1.1.0/24) =====>                      <===== OUTSIDE (T-1)

                                           ASA5510

DMZ (10.1.10.0/29) ====>                      <===== BACKUP (DSL LINE)

The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.
The backup interface routes to the internet via a DSL modem, it normally is not active.
The outside interface routes to the internet via a T-1 line.
The inside interface is our local LAN and the DMZ has our email server on it.
I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line.  No inside traffic (inbound or outbound) should go through the T-1.  No DMZ traffic (inbound or outbound) should go through the DSL line.

I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.

I am not looking for redundancy or failover protection.

Labels:
0 Helpful
3 Replies 3

Andrew Phirsov
Level 7
Level 7

‎02-13-2013 10:14 PM

ASA doesn't support PBR as all ISRs do, so it's not easy thing to do what you want.

Probably it'll work if you have two default routes with better metric for LAN. To direct DMZ traffic to T1 (wich metric is worse) you can use static (twice) nat and in that case traffic will probably be directed to T1.

Other option is to use multiple context mode.

0 Helpful

nw6605872
Level 1
Level 1
In response to Andrew Phirsov

‎02-15-2013 03:54 PM

Thank you for your quick reply.  I am starting to agree with you that this will not work very well.  I cannot use multiple contexts because we also need the VPN to work.  Could you please clarify your statement about using "static(twice) nat".  I think I know what you mean, but I want to be sure.  A command example would be very helpful to see if it is something I already tried.  I may just have to create a DMZ to the T-1 with one of the linux servers and just use the ASA for the DSL line and inside.

0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to nw6605872

‎02-15-2013 10:24 PM 

Could you please clarify your statement about using "static(twice) nat"

No, I thing it's not an option after all. Routing desigion are made before nat, so I don't think it'll work.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card