03-05-2015 08:43 AM - edited 03-11-2019 10:35 PM
I'm configuring our ASA and we have two AT&T circuits, of which we're only using one with our current Juniper firewall. I know the ASA doesn't support policy-based routing, so I'm wondering if the following hypothetical "config" is possible.
External Interfaces:
OUT_01 - 12.133.X.X
OUT_02 - 201.61.X.X
I would route all internal traffic to go out through OUT_01.
We have over 5 site-to-site VPNs and 30 external-facing servers. Could I use OUT_2 to configure all the inbound connections for the VPN and NAT rules?
03-09-2015 03:11 AM
Hi,
I think you can meet this requirement on the ASA device.
Check these references:
http://www.shanekillen.com/2013/08/cisco-asa-load-balancing-with-dual-isp.html
https://supportforums.cisco.com/discussion/11031446/asa-5510-load-balancing-traffic-over-two-isps
https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
Thanks and Regards,
Vibhor Amrodia
03-09-2015 11:29 AM
You can configure the ASA to allow asynchronous routing, as you are describing, by configuring TCP bypass.
What this will do is you will still need to send traffic out one interface, but the ASA will accept return traffic on either of the outside interfaces. Configuring this can be a security risk, as the ASA will ignore the state table.
Or you could wait until ASA version 9.4, which will have support for PBR. Of course, this is the first version that will support it, so don't be surprised if it has a few bugs.
--
Please remember to select a correct answer and rate helpful posts
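For reference, here is what the TCP state bypass described in the answer above looks like on the ASA CLI, scoped as narrowly as possible so the loss of stateful inspection applies only to the inbound server traffic that actually returns through OUT_02. This is an added illustration, not configuration from any poster; the access-list, class-map and policy-map names, the interface name OUT_02 from the original question, and the placeholder server address are assumptions.

```cisco
! Match only the published servers whose return traffic may arrive
! asymmetrically on OUT_02. Keep this ACL as tight as possible:
! every flow it matches is exempted from the ASA state table and
! from TCP normalization, so "any any" here is the real risk.
access-list TCP_BYPASS_ACL extended permit tcp any host 201.61.X.X eq 443

class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS_ACL

policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Apply only on the interface where the asymmetric traffic arrives,
! not globally, so flows on OUT_01 stay fully stateful.
service-policy TCP_BYPASS_POLICY interface OUT_02

! Verify the policy is attached and see how many flows are bypassing
! inspection; a count that keeps growing beyond the expected servers
! means the ACL is wider than intended.
show service-policy interface OUT_02
show conn detail
```

Connections that hit the bypass class show up in `show conn detail` with the bypass flag, which is the quickest way to confirm the ACL is matching only the hosts you meant.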