cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
805
Views
0
Helpful
4
Replies

Direct Internet Access

Suresh Varghese
Level 1
Level 1

Hi,

My network x.x.x.x/22 is basically connected to the data center over a point to point WAN link through routers.

One of my inside host x.x.x.150/22 require direct internet access as a part of business requirement.

I have a dedictaed 100Mbps ADSL line connected through my ASA5540 which is used by inside hosts for browsing purposes. This is zoned on my firewall.

The same firewall also has access to another ISP providing 2Mbps internet link connected to the outside interface of the firewall, but that is not being used much but only for backup purposes.

Can any one help me as to how i can provide direct internet access to this host x.x.x.150/22 to direct internet access.

Many thanks in advance.

regards

4 Replies 4

Ajay Saini
Cisco Employee
Cisco Employee

Assuming that the default gateway points to your 2 mbps line, there is no way we can configures source based routing on ASA. It is not supported on ASA.

You can change the default gateway to the 10 mbps DSL line and use 2mbps as your backup ISP as part of ISP failover.

But that would mean all traffic from inside will now flow through the 100 mbps line.

-

HTH

AJ

Actually,

Provided that you are running ASA software, preferably 8.4 - 9.1, then you can configure the NAT so that it chooses the eggress interface for certain traffic and therefore traffic gets routed using that eggress interfaces default route.

Naturally this is a bit "special" setup but traffic can be directed to different ISPs on a source host/network basis.

And naturally the overall setup of the network defines if this can be done or not.

- Jouni

Jouni,

What you are saying would hold true if the destination ip address is known. Source based routing would still not work on ASA.

I guess the requirement here is that they need to create a source based route since the destination is internet and not some well known address. So, anything coming from inside would go out through the defaukt gateway. The behavior you mentioned to allow ASA to decide egress interface and not doing a route lookup holds true for versions 8.2 and lower as well.

Hope I did not miss anything.

-

AJ

Hi,

I configured this on 9.1(1) and tested it out of interest when it was asked on the CSC previously

Here is a link to that discussion with the example configurations and "packet-tracer" output

https://supportforums.cisco.com/message/3910371

- Jouni

Review Cisco Networking for a $25 gift card