
ASA routing based on Application Layer


Dear Support,


I have an ASA 5520 with two ISPs connected to two interfaces, G1/1 and G1/2.

I have several VLANs configured as well, for example Finance, HR and Testing.

I need to route traffic from the VLANs to the ISPs based on the content; for example, if users in any VLAN are accessing Facebook or Twitter they will go via ISP1, whereas if they are accessing YouTube they will go via ISP2.


Please advise if possible



5 Replies

The ASA cannot route based on application-layer information. The ASA can do policy-based routing (PBR) with newer ASA software. There you could route based on Layer 4 information like port numbers and also based on the source IPs. But that is not available for your legacy ASA.

What you can do: assemble all IP networks of the destinations that you do not want to send through the default route and configure static routes for them to the secondary ISP. That's all that is possible with your device.

OK, is it possible if I have two interfaces, ISP1 and ISP2, and one inside interface?

I have all the public IPs; for example, if a user is surfing Facebook he is going to the IP X.X.X.X, and Y.Y.Y.Y is the YouTube IP.

So I need to do dynamic NAT from the inside zone to both ISP1 and ISP2:

nat (inside,ISP1) dynamic interface

nat (inside,ISP2) dynamic interface

and I need to implement static routing, for example route X.X.X.X via the ISP1 IP and route Y.Y.Y.Y via the ISP2 IP.


Please advise if wrong

That's right, you need dynamic NAT for both outside interfaces. I would put them into section three of the rule table to have a more clearly organized NAT table:

nat (any,ISP1) after-auto source dynamic any interface
nat (any,ISP2) after-auto source dynamic any interface

For your routing you probably already have a backup default route in case the primary ISP fails:

route ISP1 0.0.0.0 0.0.0.0 Next-Hop-at-ISP1
route ISP2 0.0.0.0 0.0.0.0 Next-Hop-at-ISP2 200

Just add your static routes for the secondary ISP:

route ISP2 Y.Y.Y.0 255.255.255.0 Next-Hop-at-ISP2

OK, great.

What is the after-auto command that you used in the two NAT statements?


The NAT rules are organized in three sections. The dynamic NAT rule is in the last section and is only used if there is no more preferred rule in a section above. These are the sections:

  1. manual NAT / twice NAT
  2. object NAT / auto-NAT
  3. manual NAT / twice NAT *after* auto-NAT
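As an added illustration of the two decisions described in this thread, here is a small Python model of how the ASA picks the egress interface (longest prefix match, then lowest metric) and then the NAT rule (section 1 before section 2 before section 3). It is not Cisco code or anything from this thread; the 198.51.100.0/24 prefix, the next-hop names, and the `up` set (which stands in for a withdrawn default route when an ISP fails) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int = 1

@dataclass
class NatRule:
    section: int      # 1 = manual/twice NAT, 2 = object/auto NAT, 3 = after-auto
    src_iface: str
    dst_iface: str

# Constructed routing table mirroring the thread: primary default via ISP1,
# floating backup default via ISP2 (metric 200), one /24 pinned to ISP2.
ROUTES = [
    Route("ISP1", ipaddress.ip_network("0.0.0.0/0"), "NEXT_HOP_ISP1", 1),
    Route("ISP2", ipaddress.ip_network("0.0.0.0/0"), "NEXT_HOP_ISP2", 200),
    Route("ISP2", ipaddress.ip_network("198.51.100.0/24"), "NEXT_HOP_ISP2", 1),
]
# The two after-auto (section 3) interface PAT rules from the reply.
NAT_RULES = [NatRule(3, "any", "ISP1"), NatRule(3, "any", "ISP2")]

def select_route(dst, routes, up=None):
    """Longest prefix wins; among equal prefixes the lowest metric wins.
    `up` (optional set of interface names) drops routes whose ISP is down."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst in r.prefix and (up is None or r.iface in up)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.metric))

def select_nat(src_iface, egress, rules):
    """First match in section order; a section-2 rule beats a section-3 rule."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.src_iface in ("any", src_iface) and rule.dst_iface in ("any", egress):
            return rule
    return None

def egress_for(dst, up=None):
    """Return (egress interface, next hop, NAT section used) for a destination."""
    route = select_route(dst, ROUTES, up)
    if route is None:
        return None
    nat = select_nat("inside", route.iface, NAT_RULES)
    return route.iface, route.next_hop, nat.section if nat else None
```

The model ignores PBR and NAT-based route lookup, which this legacy ASA does not use here; it only shows why the pinned /24 leaves via ISP2 while everything else follows the primary default route until ISP1 is withdrawn.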