zolfaghar
Beginner

ASA 5540 with multiple outside

Hi there,

We have an ASA 5540 that must route two ISPs with different NATed addresses for each ISP.

ISP selection is based on source IP addresses. I can use a router for the purpose of choosing the outside, but I don't know why only one outgoing line is active! I think that routing to the router does not function properly, but I don't know why.

(Rational Topology is attached)

I would appreciate it if someone can help me or recommend another solution for this problem.

Sincerely 

8 REPLIES 8
Karsten Iwen
VIP Mentor

In your situation I would do the NAT on the router and not on the ASA. That is the "logical" NAT-point where you change from private to public addressing.

Dear Karsten,

Thanks for your reply, 

Before extending to the second ISP, we have a lot of NAT and ACL rules that I prefer not to migrate to the router (before the second ISP was brought up, the router had not been used, and now I think that it should be used for doing such routing).

Thanks 

Then: do you really need that router? If the ISPs connect through Ethernet, then you could eliminate that router completely and connect directly to the ISP-equipment on the ASA.

Can you explain more, please...

While I am testing this condition, all traffic goes out through one ISP.

(1- Must proxy ARP be disabled for both inside & outside interfaces or not?

2- Can I do it with the ASA's route map only?)

Regards

For my last answer I imagined too late that you are running a legacy ASA which cannot do Policy-Based Routing (PBR). With that you really have to use the router for PBR.

How is PBR configured on the router to send traffic out of the right ISP?

The ASA version is 8.4(1) [having a Route Maps option in the routing section], and my new router (model: 7206vxr) configuration including PBR is attached.

Please remove the config and replace it with one that doesn't have passwords in it ...

Not important. IPs are not real addresses. BTW, I do it.