I am setting up an ASA5515 to replace an existing Linux based firewall.
Unfortunately the ASA5515 does not support source-based routing.
I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.
I have the default route to Internet connection 1.
I want to route smtp out the second Internet connection.
The routers connecting to the internet are an 877 and an 878.
The options I am considering are a layer 3 switch between the firewall and the routers to enable source-based routing, or replacing the 2 routers with a single router and the appropriate WIC interfaces.
Would you have any better suggestion, an alternative suggestion, or any suggestion on how this could be achieved?
Thank you for any assistance.
I would say that the best choice is to handle the PBR on the device that officially supports it. So your best bet would be to use an actual router to do the job.
The ASA does give some options to direct certain traffic towards different egress interfaces, though depending on software levels this has been seen acting a bit differently for no apparent reason.
For example, consider an ASA that has WAN-1 and WAN-2 links on it with default routes configured, and also a LAN link.
Then you could probably forward SMTP traffic out from WAN-2 with the following configuration:
! Service object matching TCP with destination port 25 (SMTP)
object service SMTP
 service tcp destination eq 25
! Inside subnet whose SMTP traffic should leave via WAN-2
object network LAN
 subnet 10.10.10.0 255.255.255.0
! Manual (twice) NAT, LAN -> WAN-2, for SMTP only: PAT to the WAN-2 interface address.
! On ASA 8.3+ the NAT rule also selects WAN-2 as the egress interface for matching flows.
nat (LAN,WAN-2) source dynamic LAN interface service SMTP SMTP
Though naturally the setup can be different.
With certain NAT configurations it's also possible to choose the egress interface for all traffic sourced from certain networks.
But as I have said before, at this point I'd rather leave any kind of PBR to the Cisco routers in a production environment. I do still like to play around with these kinds of special setups when I run into them here on the CSC.
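As an added example (not part of the original thread and not from either poster), this is what the SMTP steering looks like as policy-based routing on an IOS router that terminates both internet links, i.e. the single-router option from the question. The interface names (Vlan1 facing the ASA, Dialer0 for ISP 1 with the default route, Dialer1 for ISP 2), the inside subnet 10.10.10.0/24 reused from the ASA snippet above, and the ISP 2 gateway address 192.0.2.1 are all assumptions.

```cisco
! Added example, not from the thread: IOS PBR for SMTP on one router holding both WAN links.
! Assumed: Vlan1 faces the ASA, Dialer0 = ISP 1 (default route), Dialer1 = ISP 2,
! 192.0.2.1 = assumed next hop on the ISP 2 side.
!
! Match only TCP/25 from the inside subnet; everything else falls through to the routing table
ip access-list extended SMTP-TO-ISP2
 permit tcp 10.10.10.0 0.0.0.255 any eq 25
!
! Route-map: matched packets get ISP 2's gateway as next hop, unmatched packets are routed normally
route-map PBR-SMTP permit 10
 match ip address SMTP-TO-ISP2
 set ip next-hop 192.0.2.1
!
! PBR is applied on the ingress interface, the one the ASA's traffic arrives on
interface Vlan1
 ip policy route-map PBR-SMTP
!
! The router must also translate those flows to the ISP 2 address, otherwise they leave
! with the ISP 1 source address (assumed NAT layout: Vlan1 inside, both Dialers outside)
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
```

Two things to check in practice: on a PPPoE dialer link the peer address is not known in advance, so `set interface Dialer1` is used in the route-map in place of `set ip next-hop`; and the ASA must see each SMTP connection leave and return on the same ASA interface, which holds when one router sits behind one ASA interface but not when the two links hang off separate ASA interfaces with the return path arriving on the other one, since the ASA drops packets for a connection it built on a different interface.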
Would I be able to achieve the PBR using the 2 existing routers (878 and 877)?
Or would I have to replace these with one router establishing both internet connections?
Any suggestion or example would be good.
Thank you ... Don