Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
684
Views
0
Helpful
4
Replies

Generic firewall route and interface reporting

rwakagabo
Level 1
Level 1

‎02-12-2018 12:50 AM - edited ‎02-21-2020 07:20 AM

hello Team

 

can any one help on the configuration that match my final expectation, i have 2 outside interface on the ASA 5520 (outside and outside2), the default route goes to outside interface.

in my LAN i have 2 different IP range(X.X.X.X/24 and Y.Y.Y.Y/24 ), i want 1 range (X.X.X.X/24) to continue use the default route outside, then other range Y.Y.Y.Y/24 to use 2nd outside interface outside2. 

I tried PBR but not supported on the ASA, 

any other trick of configuration that can reach my expectation ??

 

i attached a sample diagram for your reference.

 

Thanks

 

 

 

Labels:
Preview file
296 KB
0 Helpful
4 Replies 4

Ajay Saini
Level 7
Level 7

‎02-12-2018 01:18 AM

One the posts is below wherein this was achieved by someone by playing around with destination NAT to force traffic out the second ISP and it worked for them. Not an ideal solution but it worked for them. After looking at the logic, it seems as a legit workaround(try at your own risk and in a downtime):

 

https://supportforums.cisco.com/t5/firewalling/pbr-on-cisco-asa/m-p/3327268#M166236

 

HTH

AJ

0 Helpful

Karsten Iwen
VIP
VIP

‎02-12-2018 02:00 AM

Then mentioned NAT-solution can work, but in my eyes it's a terrible hack and should only be used if there is no other way. The "right" way would be to replace the legacy ASA (wich is End of life soon) with an actual ASA-X model where PBR is a supported and working feature. Another way is to keep the two internet-lines in a primary/backup way for outgoing traffic. The NAT solution will add an unnecessary complexity to your config; and complexity is one of the main adversaries of security.

0 Helpful

rwakagabo
Level 1
Level 1
In response to Karsten Iwen

‎02-12-2018 02:08 AM

Thank you for replies.

 

but apart from the nat solution, there is no other way on the 5500 ASA legacy, as i am not planning to change to new ASA 5500-X in few years.

 

regards,

 

Janvier R.

0 Helpful

Karsten Iwen
VIP
VIP
In response to rwakagabo

‎02-12-2018 02:16 AM

If both local subnet have a different behavior to which destinations they connect, you can use traditional routing to route the traffic to the other line. But that's pretty much all you can do.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card