Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
495
Views
0
Helpful
5
Replies

ASA routing based on Application Layer

tanios191
Level 1
Level 1

‎07-03-2018 12:16 AM - edited ‎03-05-2019 10:42 AM

Dear Support,

 

I have an ASA 5520 with two ISP connected two interfaces G1/1 and G1/2

I have several VLAN configured as well for example finance HR and Testing

I need to route traffic from VLAN to ISP based on the content for example if users in any VLAN are accessing facebook or Twitter they will go with ISP1 whereas if they are accessing youtube they will go with ISP2

 

Please advise if possible

 

Regards,

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎07-03-2018 02:13 AM

The ASA can not route based on application-layer information. The ASA can do policy-based routing (PBR) with newer ASA software. There you could route based on Layer4-information like port numbers and also based on the source IPs. But that is not available for your legacy ASA.

What you can do: Assemble all IP networks of the destinations that you do not want to send traffic through the default route and do a static routing to the secondary ISP. That's all what is possible with your device.

0 Helpful

tanios191
Level 1
Level 1
In response to Karsten Iwen

‎07-03-2018 06:34 AM

ok is it possible that if I have two one interface ISP1 and ISP2 and one inside interface 

I have all the public IPs for example if user is surfing facebook he is going to X.X.X.X IP and Y.Y.Y.Y is youtube IP

So I need to do dynamic nat to the inside zone to both ISP1 and ISP2

nat (inside,ISP1) dynamic interface

nat (inside,ISP2) dynamic interface

and I need to implement static routing for example route X.X.X.X ISP1 IP and route Y.Y.Y.Y ISP2 IP

 

Please advise if wrong

0 Helpful

Karsten Iwen
VIP
VIP
In response to tanios191

‎07-03-2018 06:41 AM

Thats right, you need dynamic NAT for both outside interfaces. I would put them into section three of the rule table to have a more clearly organized NAT table:

nat (any,ISP1) after-auto source dynamic any interface
nat (any,ISP2) after-auto source dynamic any interface

For your routing you probably already have ya backup default route if the primary ISP fails:

route ISP1 0.0.0.0 0.0.0.0 Next-Hop-at-ISP1 
route ISP2 0.0.0.0 0.0.0.0 Next-Hop-at-ISP2 200

Just add your static routes for the secondary ISP:

route ISP2 Y.Y.Y.0 255.255.255.0 Next-Hop-at-ISP2
0 Helpful

tanios191
Level 1
Level 1
In response to Karsten Iwen

‎07-03-2018 07:19 AM

ok great 

what is the after auto command that you used in the two nat statements?

 

0 Helpful

Karsten Iwen
VIP
VIP
In response to tanios191

‎07-03-2018 07:22 AM

The NAT rules are organized in three sections. The dynamic NAT rule is in the last section and is only used if there is no more preferred rule in a section above. These are the sections:

  1. manual NAT / twice NAT
  2. object NAT / auto-NAT
  3. manual NAT / twice NAT *after* auto-NAT
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card