Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
0
Helpful
4
Replies

Direct Internet Access

Suresh Varghese
Level 1
Level 1

‎04-25-2013 03:20 AM - edited ‎03-11-2019 06:34 PM

Hi,

My network x.x.x.x/22 is basically connected to the data center over a point to point WAN link through routers.

One of my inside host x.x.x.150/22 require direct internet access as a part of business requirement.

I have a dedictaed 100Mbps ADSL line connected through my ASA5540 which is used by inside hosts for browsing purposes. This is zoned on my firewall.

The same firewall also has access to another ISP providing 2Mbps internet link connected to the outside interface of the firewall, but that is not being used much but only for backup purposes.

Can any one help me as to how i can provide direct internet access to this host x.x.x.150/22 to direct internet access.

Many thanks in advance.

regards

Labels:
0 Helpful
4 Replies 4

Ajay Saini
Cisco Employee
Cisco Employee

‎04-30-2013 08:38 PM

Assuming that the default gateway points to your 2 mbps line, there is no way we can configures source based routing on ASA. It is not supported on ASA.

You can change the default gateway to the 10 mbps DSL line and use 2mbps as your backup ISP as part of ISP failover.

But that would mean all traffic from inside will now flow through the 100 mbps line.

-

HTH

AJ

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Ajay Saini

‎04-30-2013 08:51 PM

Actually,

Provided that you are running ASA software, preferably 8.4 - 9.1, then you can configure the NAT so that it chooses the eggress interface for certain traffic and therefore traffic gets routed using that eggress interfaces default route.

Naturally this is a bit "special" setup but traffic can be directed to different ISPs on a source host/network basis.

And naturally the overall setup of the network defines if this can be done or not.

- Jouni

0 Helpful

Ajay Saini
Cisco Employee
Cisco Employee
In response to Jouni Forss

‎04-30-2013 08:59 PM

Jouni,

What you are saying would hold true if the destination ip address is known. Source based routing would still not work on ASA.

I guess the requirement here is that they need to create a source based route since the destination is internet and not some well known address. So, anything coming from inside would go out through the defaukt gateway. The behavior you mentioned to allow ASA to decide egress interface and not doing a route lookup holds true for versions 8.2 and lower as well.

Hope I did not miss anything.

-

AJ

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Ajay Saini

‎04-30-2013 09:03 PM

Hi,

I configured this on 9.1(1) and tested it out of interest when it was asked on the CSC previously

Here is a link to that discussion with the example configurations and "packet-tracer" output

https://supportforums.cisco.com/message/3910371

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card