02-11-2014 01:25 AM - edited 03-11-2019 08:43 PM
Hi Guys.
I cannot solve this by myself, so I want to ask in this great forum.
My ASA firewall is connected to the VPN concentrator through the ASA interface. I call the interface "DMZ". I have two inside interfaces and one interface to the internet on my ASA firewall. Right now I am routing all traffic going to 147.10.10.10 via my DMZ interface and to the VPN concentrator (with a static route and with NAT to the interface IP). Everything is nice until now. But now I want to make some exceptions for some IP clients in my inside VLANs. For instance, I want 10.5.5.5 and 10.6.6.6 to use my internet interface instead of my DMZ interface when the destination is 147.10.10.10. Is this possible?
Thx.
HW information:
ASA 5520 7.0(4)
VPN Concentrator
02-12-2014 11:33 AM
Yes, that must be the conclusion. I will suggest a Cisco router to complete this task, or a separate destination IP address for those two hosts. Do you agree with this?
02-12-2014 11:43 AM
Hi,
I would personally go with a router to handle the PBR, as it's something that is actually officially supported and commonly done. I feel at the moment that the ASA and its NAT is not something that would be good in a production environment, as an upgrade or hardware change (to the new series) might mean that the NAT type "PBR" might suddenly break.
I, for example, currently have PBR on my LAN router at home configured for my 2 PCs. My main PC's internet traffic is forwarded through a 4G LTE connection, as it provides around a 50/20 Mbps connection, and my other computer uses the 10/1 ADSL.
I do hope that at some point the NAT operation gets sorted out by Cisco, as at the moment it seems to have quite a few oddities in its operation.
- Jouni
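As an added example of the router-based PBR that the reply above recommends (this is not configuration from the thread or from either poster), here is how the two exception hosts would be steered on a Cisco IOS router. It assumes a topology the thread does not spell out: the router sits between the inside VLANs and the two paths, GigabitEthernet0/0 faces the inside VLANs, 192.0.2.1 is the next hop toward the internet path and 192.0.2.254 the next hop toward the ASA DMZ/VPN concentrator path; those interface names and addresses are placeholders.

```cisco
! Added example, not from the original thread. Interface names and the
! 192.0.2.x next-hop addresses are assumptions; replace them with real values.
!
! Normal routing: everything for 147.10.10.10 goes via the DMZ/VPN concentrator path.
ip route 147.10.10.10 255.255.255.255 192.0.2.254
!
! Only the two exception hosts, and only for that single destination, are matched.
! Any other traffic falls through the route-map and follows the routing table above.
ip access-list extended PBR-EXCEPTIONS
 permit ip host 10.5.5.5 host 147.10.10.10
 permit ip host 10.6.6.6 host 147.10.10.10
!
! Divert matched packets to the internet-path next hop. "verify-availability" with
! an IP SLA tracking object is optional; without it, an unreachable next hop means
! the packets are simply routed normally instead.
route-map PBR-EXCEPTIONS permit 10
 match ip address PBR-EXCEPTIONS
 set ip next-hop 192.0.2.1
!
! PBR is evaluated on the ingress interface for transit traffic only.
interface GigabitEthernet0/0
 description Inside VLAN facing interface (assumed)
 ip policy route-map PBR-EXCEPTIONS
```

To confirm the policy is taking effect, `show route-map PBR-EXCEPTIONS` shows the match and set counters incrementing for the two hosts, and `show ip policy` lists the interface the policy is applied to. Keep the ACL as specific as shown: matching only the source host and the single destination means no other flow from those hosts is pulled off the normal path, and hosts not listed are unaffected. Note that the ASA in the original post (7.0(4)) still performs its own routing, so this only works when the router actually has two distinct forwarding paths for that destination, as in the home two-WAN setup described above.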