ASA 5510, forcing an inside interface to go out the backup ISP link?

abrrymnvette · ‎11-13-2012

We have a 5510 and I have a second ISP setup for a backup link. We have 4 ports connected to 4 different internal subnets. I want to force one of the ports to use the backup ISP link at all times. I'm having a little problem with where I need to make the changes in my ASA.

Interface "outside" is my main ISP

Interface "building3" is my backup ISP.

I want to force the "Guest" network to use the "building3" link for all traffic.

Here's a snippet of my config

global (outside) 10 interface

global (building3) 10 interface

nat (inside) 0 access-list nonat

nat (inside) 10 0.0.0.0 0.0.0.0

nat (Guest) 10 0.0.0.0 0.0.0.0

access-group inbound in interface outside

access-group Guest_access_in in interface Vendor

access-group building3_access_in in interface building3

route outside 0.0.0.0 0.0.0.0 64.1.2.3 1

route inside 10.10.200.0 255.255.255.0 10.10.200.224 1

Do I need to change the global pool or create a new one? I have a couple free public IP addresess on the building3 subnet I can use for a pool.

Abzal · ‎11-13-2012

Hi,

As far I know ASA 5510 doesn't support PBR(Policy based routing). For this you need L3 switch or router.

You can use second ISP as backup.

ASA ------ Router |----- ISP1

|----- ISP2

Have a look on this link

https://supportforums.cisco.com/thread/2050087

Please rate helpful post.

Best regards,
Abzal

abrrymnvette · ‎11-13-2012

I'm not really wanting to load balance I don't think. I want interface 1 to go out interface 2. Then have interface 3 go out interface 4. If that makes sense.

Interface 1 = LAN

Interface 2 = ISP1

Interface 3 = Guest LAN

Interface 4 = ISP2