10-04-2012 09:35 PM - edited 03-11-2019 05:04 PM
Hi there,
I'm using ASA 5520: ASA ver 8.4(4)1, ASDM ver 6.4(9), firewall mode: Routed.
There are 2 WAN Interfaces for this ASA: Port 0/3 named 100M; Port 0/0 named Outside.
One LAN interface is Port 0/1 (10.1.0.0/16). There are 2 groups of users, which can be differentiated by their IP addresses.
UserGroup A: 10.1.6.0/24; UserGroup B is all other LAN users, 10.1.0.0/16, except 10.1.6.0/24.
I'd like to route the Internet traffic as below:
When A accesses Internet, traffic goes thru Port 0/3.
When B accesses Internet, traffic goes thru Port 0/1.
I can't set static-route by checking their source IP, I can't set policy based routing either.
How can this be achieved in my ASA5520?
Thanks,
Tony
10-04-2012 11:33 PM
Unfortunately this is not something that is supported on ASA firewall.
PBR is not supported on ASA.
Also, ASA can't have 2 default gateway configured on 2 interfaces.
10-05-2012 01:25 AM
Hi Jennifer,
Thanks for your reply.
Is there another method in ASA that can achieve the same result, like NAT or others?
Does this mean we have to use a router to make it work?
Thanks,
Tony
10-05-2012 03:41 AM
Hi,
I guess you need to use a separate router to do the PBR on the basis of the public NAT IP address of the users (and then choose the correct gateway), or build something on the LAN side in the same way.
I guess you could also separate the users onto different LAN networks and change the ASA to run in multiple context mode and create a different firewall context for each LAN network (I think every ASA has a license that permits 2 contexts (the admin context isn't counted in this); you can check it with the "show version" command). Then again, this option would eliminate the use of VPN. (Though L2L VPNs are supposedly coming available in multiple context mode later.)
Something tells me though that the second option would simply mean too much work or if you are using VPN on the ASA it would mean you would need separate VPN device.
- Jouni
10-08-2012 08:16 PM
Hi All,
Thanks for your reply.
I think we got a solution, even though we are not sure whether it's a stable solution.
A new NAT is added to achieve the result:
nat (Inside,100M) source dynamic obj_10.1.6.0_24 interface destination static obj_any any
So far, it's working for us.
Have a nice day,
Tony
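The NAT-based egress selection Tony describes, written out as a complete ASA 8.4 configuration fragment. This is an added example and not configuration from the original thread: the interface names Inside, 100M and Outside, and the object names obj_10.1.6.0_24 and obj_any, are taken from the posts above, while the next-hop addresses (203.0.113.1, 198.51.100.1), the object obj_10.1.0.0_16 and the backup default route with metric 254 are assumptions added here. The backup route is included because the ASA still needs a next hop on 100M for packets the NAT rule steers out that interface; whether Tony's working setup already had one is not stated in the thread.

```cisco
! --- Added example: source-based egress via manual (twice) NAT on ASA 8.4 ---
!
! UserGroup A (taken from the thread)
object network obj_10.1.6.0_24
 subnet 10.1.6.0 255.255.255.0
!
! "any" destination object (taken from the thread)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! Whole LAN, used for Group B's ordinary PAT (assumed name)
object network obj_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
!
! Primary default route: Group B (everyone not matched by the manual NAT
! rule) follows the routing table out Outside. Next hop is a placeholder.
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Backup default route on 100M with a higher metric (assumption). It is not
! used for normal forwarding, but gives the ASA a next hop on 100M for the
! packets the NAT rule below forces out that interface.
route 100M 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Section 1 (manual NAT): 10.1.6.0/24 to any destination is PAT'd to the 100M
! interface address. On 8.3+ the mapped interface named in a manual NAT rule
! decides the egress interface, so this one rule does the "PBR by source".
! Manual NAT is evaluated before object NAT, so Group A never reaches the
! Outside rule below.
nat (Inside,100M) source dynamic obj_10.1.6.0_24 interface destination static obj_any any
!
! Section 2 (object NAT): everyone else in 10.1.0.0/16 is PAT'd out Outside
object network obj_10.1.0.0_16
 nat (Inside,Outside) dynamic interface
```

Two checks worth running after applying this: "show nat" should list the manual rule in Section 1 with its translate counters climbing only for 10.1.6.0/24 sources, and "packet-tracer input Inside tcp 10.1.6.10 1025 8.8.8.8 80" should end with egress interface 100M while the same trace from 10.1.7.10 ends on Outside. Because egress is decided by NAT rather than by routing, a future change to the routing table or to NAT ordering can silently move Group A back to Outside, which is the "stable solution" concern Tony raises.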