Help: How to choose egress interface by the internal source IP in ASA5520?

hamster66
Level 1

Hi there,

I'm using ASA 5520: ASA ver 8.4(4)1, ASDM ver 6.4(9), firewall mode: Routed.

There are 2 WAN Interfaces for this ASA: Port 0/3 named 100M; Port 0/0 named Outside.

One LAN interface is Port 0/1 (10.1.0.0/16). There are 2 groups of users, which can be differentiated by their IP addresses.

UserGroup A: 10.1.6.0/24; UserGroup B is all other LAN users, 10.1.0.0/16, except 10.1.6.0/24.

I'd like to route the Internet traffic as below:

When A accesses Internet, traffic goes thru Port 0/3.

When B accesses Internet, traffic goes thru Port 0/1.

I can't set static-route by checking their source IP, I can't set policy based routing either.

How can this be achieved in my ASA5520?

Thanks,

Tony

4 Replies

Jennifer Halim
Cisco Employee

Unfortunately this is not something that is supported on ASA firewall.

PBR is not supported on ASA.

Also, ASA can't have 2 default gateways configured on 2 interfaces.

Hi Jennifer,

Thanks for your reply.

Is there any other method in ASA that can achieve the same result, like NAT or something else?

Does this mean we have to use a router to make it work?

Thanks,

Tony

Hi,

I guess you need to use a separate router to do the PBR on the basis of the public NAT IP address of the users (and then choose the correct gateway), or build something on the LAN side in the same way.

I guess you could also separate the users on different LAN networks and change the ASA to run in multiple context mode and create a different firewall context for both LAN networks (I think every ASA has a license that permits 2 contexts (the admin context isn't counted into this); you can check it with the "show version" command). Then again this option would eliminate the use of VPN. (Though L2L VPNs are supposedly becoming available in multiple context mode later.)

Something tells me though that the second option would simply mean too much work or if you are using VPN on the ASA it would mean you would need separate VPN device.

- Jouni

Hi All,

Thanks for your reply.

I think we got a solution, even though we are not sure whether it's a stable solution.

A new NAT is added to achieve the result:

      nat (Inside,100M) source dynamic obj_10.1.6.0_24 interface destination static obj_any any

So far, it's working for us.

Have a nice day,

Tony
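The NAT-based egress selection Tony reports, written out as an added example (not configuration from the thread). It assumes the object names in his nat line map to 10.1.6.0/24 and 0.0.0.0/0, that the interfaces are named Inside, 100M and Outside as in the thread, that group B follows a default route via Outside, and that the gateway and test addresses are constructed. The twice NAT rule with a destination is what makes the ASA pick 100M as the egress interface for group A, so the checks at the end confirm that each group leaves on the intended interface.

```text
! Objects referenced by the nat line in the thread (assumed definitions)
object network obj_10.1.6.0_24
 subnet 10.1.6.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0

! Group A: a twice NAT rule with a destination pins the egress interface to 100M
! and PATs group A behind the 100M interface address.
! Section 1 (manual NAT) is evaluated top-down, so keep this rule above any
! broader manual rule that also matches 10.1.0.0/16.
nat (Inside,100M) source dynamic obj_10.1.6.0_24 interface destination static obj_any any

! Group B keeps following the default route, so it needs a default route on
! Outside and its own NAT towards Outside (gateway address is constructed).
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
object network obj_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
 nat (Inside,Outside) dynamic interface

! Checks: the Result section of packet-tracer shows input-interface and
! output-interface, so the first trace should report 100M and the second Outside
! (source and destination addresses are constructed).
packet-tracer input Inside tcp 10.1.6.10 40000 198.51.100.10 80
packet-tracer input Inside tcp 10.1.20.10 40000 198.51.100.10 80

! After some real traffic, the translate_hits counters show which rule is matching.
show nat
```

If the 100M link goes down, group A has no fallback on this design, because the NAT rule, not the routing table, selects its egress interface.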
