
new ASA generation support PBR or no & ISPs links redundancy

Please, I need to know if the Cisco ASA next generation, especially the ASA 5515X, supports PBR or not.

If yes, please tell me how to implement it, and if no, then what is the solution here (any solution if possible, please)?

------------------------

Also, if I have many internet connections and I need to dedicate 2 ISPs' ADSL internet lines to a certain service (such as mail), so that if the 1st fails the 2nd line comes up to provide redundancy. Is this available on the Cisco ASA next generation? If yes, please tell me how to implement it or give me a configuration example.

1 Reply 1

Jouni Forss
VIP Alumni

Hi,

To my understanding there is still no official support for PBR on the ASA.

When I was at Cisco Live! 2013 London, they talked about PBR in one session and said it might be coming. On the other hand, I heard from elsewhere that it's not currently in the plans for the ASA. I am not really sure what to believe.

To this date, all the solutions related to dividing traffic between different ISP links have had something to do with NAT configurations on the ASA.

I have actually tested a setup on the original ASA5500 series devices with new software and have been able to select the outgoing interface of the traffic based on the source address using NAT. I have not implemented this in a production environment, as I don't know what will happen to it when I next upgrade the device. I'd rather use methods that are officially supported than rig something into a production network.

I am not sure exactly what kind of setup you are trying to implement. Using a 2 ISP setup where only 1 ISP link is active at a time is pretty basic, I suppose. There you track the main ISP link, and when it fails you move traffic to use the secondary ISP.

When we implement Dual ISP setups for our customers, we naturally have both links connected to our network in separate parts of the core network. Therefore the customer can keep the same public IP address space through both links. Though naturally in these cases the routers in front of the ASAs handle the primary and secondary connection routing and not any Cisco firewall. I have never configured a 2 ISP solution using an ASA directly in a production environment. It's always been handled by the routers in front of the ASA.

So, to answer in short, you should be able to configure a Dual ISP setup where 1 of the links is active on pretty much any ASA model. To my understanding the ASA5505 is perhaps the only limitation, but I am not 100% sure.

Here is one (old) basic configuration guide for a Dual ISP setup with PIX/ASA:

Naturally the NAT configuration format is different, but it doesn't really play a big role in this setup.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

- Jouni
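The active/standby dual-ISP setup described in the reply above (track the main ISP link, fall back to the secondary when it fails), as an added configuration example that is not part of the original post and is not copied from the linked guide. The interface names (`outside`, `backup`, `inside`), the object names, the SLA and track IDs, and all addresses (RFC 5737 documentation ranges) are assumptions; the NAT section uses the 8.3+ object syntax.

```cisco
! --- Constructed example: all names, IDs and addresses are placeholders ---
! Assumes three interfaces are already configured with nameif:
!   outside = primary ISP, backup = secondary ISP, inside = LAN

! Probe the primary ISP next hop with ICMP echo every 10 seconds.
! Assumption: 198.51.100.1 is the primary ISP gateway; a target further
! upstream detects failures beyond the first hop.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Tie a track object to the reachability result of the probe.
track 1 rtr 10 reachability

! Primary default route: installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1

! Secondary default route: higher metric, so it is used only
! when the tracked primary route has been withdrawn.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254

! Dynamic PAT towards each ISP so traffic is translated to the
! address of whichever egress interface the active route selects.
! One nat statement is allowed per network object, hence two objects.
object network LAN-VIA-OUTSIDE
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN-VIA-BACKUP
 subnet 192.168.10.0 255.255.255.0
 nat (inside,backup) dynamic interface
```

After applying it, `show track` and `show route` confirm which default route is installed; any access rules and inspection policy applied to `outside` need an equivalent on `backup` so the failover path is not filtered differently from the primary.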
