Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
531
Views
0
Helpful
2
Replies

Source routing work around needed with ASA5515

DON BROWN
Level 1
Level 1

‎06-11-2013 01:25 AM - edited ‎03-11-2019 06:55 PM

I am setting up an ASA5515 to replace an existing Linux based firewall. 

Unfortunately the ASA5515 does not support source based routing.

I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.

I have the default route to Internet connection 1.

I want to route smtp out the second Internet connection.

The routers connecting to the internet are a 877 and an 878

The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.

Would you have any better suggestion or an alternative suggestion or any suggestion on how this could be achieved.

Thank you for any assistance.

Don

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎06-11-2013 01:35 AM

Hi,

I would say that the best choice is to handle the PBR on the device that officially supports it. So your best bet would be use an actual router to do the job.

Though the ASA gives some options on it to direct certain traffic towards different egress interfaces. Though depending on software levels this has been seen acting a bit different for no apparent reason.

For example if we considered an ASA to have WAN-1 and WAN-2 links on it with default routes configured and also a LAN link.

Then you could probably forward SMTP traffic out from WAN-2 with a following configuration

object service SMTP

service tcp destination eq 25

object network LAN

subnet 10.10.10.0 255.255.255.0

nat (LAN,WAN-2) source dynamic LAN interface service SMTP SMTP

Though naturally the setup can be different.

  • Have more source networks that it applies to
  • Have more interfaces that it applies to
  • Be a Static type NAT
  • Use some other public IP address than the "interface"

With certain NAT configurations its also possible to choose the egress interface for all traffic source from certain networks.

But as I have said before, at this point I rather leave any kind of PBR to the Cisco routers in production environment. I do still like to play around with these kind of special setups when I run into them here on the CSC.

- Jouni

0 Helpful

DON BROWN
Level 1
Level 1
In response to Jouni Forss

‎06-11-2013 04:19 AM

Hello Jouni,

would I be able to achieve the PBR using the 2 existing routers ? (878 and 877)

or would I have to replace this with one router establishing both internet connections ?

Any suggestion or example would be good.

Thank you ... Don

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card