Multiple Public IPs on single ASA 5510 - "Segment Traffic"

Nick C.
Level 1

Hello,

I was told this is not possible on Cisco ASA, just wondering if it's true.

Description:   We are setting up 2 new Exchange servers, they need to go out the same ASA on different interfaces to separate Public IPs. We also have a 3rd Public IP for our Staff.

Basically we want our Staff to use the 10x5 slow internet connection (Public 3). We want Server 1 to use Public IP 1 and Server 2 Public IP 2.

Server 1  -----> Public IP 1

Server 2  -----> Public IP 2

Staff       ------> Public IP 3

I was told PBR (Policy Based Routing) is not supported on Cisco ASA, which I understand. But is there a workaround with the ASA, or will I HAVE to implement a layer 3 device in front of the ASA?

We also have a DMZ in the mix, I don't know if that changes anything.

I hope this makes sense, if not I can try and explain more, but any advice would be greatly appreciated! I don't want to expense another layer 3 device if possible!

3 Replies

Jouni Forss
VIP Alumni

Hi,

So you are saying that the ASA would have 3 different WAN interfaces?

There is no official support on the ASA for PBR but you might be able to use NAT configurations to direct certain traffic out a particular WAN interface. The NAT configuration would handle choosing the egress interface and you could have a default route for each WAN interface, though only one of them would be "normally" active. So in your case the primary default route should be for the WAN interface that is used by most local users.

To be able to even configure something like this I think you will need to have 8.4 - 9.1 software level on the ASA.

- Jouni

Thank you for your input Jouni.  We are running 8.4 IOS on the ASA.  I was thinking the same thing, however the TAC engineer helping me did not agree (probably because it's not officially supported).  I certainly appreciate your feedback, though.

-Nick C.

Hi,

Here is a link to another discussion where a user wanted to direct a certain DMZ network traffic through another ISP

https://supportforums.cisco.com/thread/2209874

Naturally the NAT setup doesn't exactly match your need but essentially in your case it would just require slightly modifying the NAT configurations.

Naturally this is not something that is really recommended for a production environment but it should work. Then again as Cisco doesn't officially support it there is no knowing what future updates might do to this or what would happen if you ran into problems with NAT related operation of the firewall.

Because of this way of NAT configuration the configurations would naturally become more complex and the ordering of NAT rules might need a closer look when modifying them.

- Jouni
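The NAT-based egress selection Jouni describes, written out as an added illustrative ASA configuration (not from this thread or the linked discussion). Interface names, the RFC 5737 documentation addresses and the internal hosts are assumed, as is ASA 8.4(2) or later, where a non-identity NAT rule determines the egress interface.

```cisco
! Added illustration of the NAT-based egress workaround discussed above;
! not configuration from the thread. Interface names, addresses and
! software version are assumptions. Unsupported by Cisco; test before use.
!
! Three WAN interfaces, one per public IP / ISP link
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/2
 nameif outside3
 security-level 0
 ip address 192.0.2.2 255.255.255.248
!
! Server 1 -> Public IP 1: the (inside,outside1) pair ties its egress to outside1
object network SERVER1
 host 10.1.1.10
 nat (inside,outside1) static 203.0.113.10
!
! Server 2 -> Public IP 2: same idea, egress tied to outside2
object network SERVER2
 host 10.1.1.11
 nat (inside,outside2) static 198.51.100.10
!
! Staff -> Public IP 3: dynamic PAT behind the outside3 interface address
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside3) dynamic interface
!
! Primary default route on the link used by most hosts (staff), plus
! higher-metric default routes on the other links so each NAT-selected
! egress interface still has a next hop; only the metric-1 route is
! normally active in the routing table
route outside3 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 2
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 3
!
! Expose only the mail port on each server's public address (8.3+ ACLs
! reference the real, pre-NAT address)
access-list OUTSIDE1_IN extended permit tcp any object SERVER1 eq smtp
access-group OUTSIDE1_IN in interface outside1
access-list OUTSIDE2_IN extended permit tcp any object SERVER2 eq smtp
access-group OUTSIDE2_IN in interface outside2
```

Within the object NAT section the static rules are evaluated before the dynamic one, so the two server rules win over the staff PAT; check `show nat` after any change, since the rule order is what Jouni warns may need a closer look.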
