08-18-2015 08:49 AM - edited 03-05-2019 02:05 AM
Hi All,
I have been trying to do something with an ASA which has me stumped!
We have a client who has two lines coming in, I shall refer to them as FTTC1 and FTTC2 to keep it simple. Both of these lines come into the ASA and FTTC1 is interface Outside1 and FTTC2 is Outside2 and the LAN comes in on interface Inside.
I have all of the traffic routing happily and working with NAT fine from the LAN. However, they have an RDS server on the address 192.168.10.7, and we want this server to go out only via FTTC2. No matter what I do, the server will only go out of Outside1 (FTTC1). Does anyone know a way of setting this up? I currently have NAT set up globally; do I want to change this to have the NAT set up in the object?
Thank you all for any help, and sorry if this isn't clear: this is my first time working with an ASA and I may not be explaining myself well. Below is some of what I have set up so far:
The external IP addresses for the ASA are the two routers we have on the end of the FTTC lines.
interface GigabitEthernet0/1
 nameif OUTSIDE1
 security-level 0
 ip address 192.168.20.2 255.255.255.252
!
interface GigabitEthernet0/3
 nameif OUTSIDE2
 security-level 0
 ip address 192.168.20.6 255.255.255.252
!
interface GigabitEthernet0/5
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
same-security-traffic permit intra-interface
object network CLIENT_HOST_01
 host 192.168.10.1
object network CLIENT_HOST_02
 host 192.168.10.2
object network CLIENT_HOST_03
 host 192.168.10.3
object network CLIENT_ADFS_04
 host 192.168.10.4
 description DOMAIN CONTROLLER FILE SERVER
object network CLIENT_SAGE_05
 host 192.168.10.5
 description SAGE SERVER
object network CLIENT_SQL_06
 host 192.168.10.6
 description SQL SERVER
object network CLIENT_RDS_07
 host 192.168.10.7
 description RDS SERVER
object network CLIENT_ADMIN_08
 host 192.168.10.8
object network CLIENT_IP_RANGE
 subnet 192.168.10.0 255.255.255.0
object network CLIENT_EXTERNAL_IP_1
 host 192.168.20.1
object network CLIENT_EXTERNAL_IP_2
 host 192.168.20.5
object service RDP
 service tcp destination eq 3389
!
access-list LAN_TO_WAN extended permit ip object CLIENT_IP_RANGE any4
access-list LAN_TO_WAN extended permit ip any4 object CLIENT_IP_RANGE
access-list WAN_TO_LAN extended permit object-group RDS_PORTS_GROUP any object CLIENT_RDS_07
access-list RDS_TO_WAN standard permit host 192.168.10.7
!
nat (OUTSIDE2,INSIDE) source static CLIENT_EXTERNAL_IP_2 CLIENT_EXTERNAL_IP_2 destination static CLIENT_EXTERNAL_IP_2 CLIENT_RDS_07 service RDP RDP unidirectional no-proxy-arp
nat (INSIDE,OUTSIDE1) source dynamic any interface
nat (INSIDE,OUTSIDE2) source dynamic any interface
access-group WAN_TO_LAN in interface OUTSIDE1
access-group WAN_TO_LAN in interface OUTSIDE2
access-group LAN_TO_WAN in interface INSIDE
!
route OUTSIDE1 0.0.0.0 0.0.0.0 192.168.20.1 1
route OUTSIDE2 0.0.0.0 0.0.0.0 192.168.20.5 2
08-18-2015 09:41 AM
I have not used the feature on ASA yet, but Cisco added the capability of Policy Based Routing in recent versions of ASA code, and it seems that this would be the solution for your requirements.
HTH
Rick
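For readers arriving at this thread, the following is an added example of what the policy-based routing Rick mentions looks like on an ASA; it is not configuration posted by Rick or Simon. PBR on the ASA requires 9.4(1) or later. The addresses come from the configuration above (the RDS host 192.168.10.7, the FTTC2 router 192.168.20.5 already used as the OUTSIDE2 default gateway, and the INSIDE interface GigabitEthernet0/5); the access-list name RDS_PBR_ACL and route-map name RDS_VIA_OUTSIDE2 are assumed. Note that the `route OUTSIDE2` entry with metric 2 is a backup only, which is why normal routing never sends the server out of OUTSIDE2; PBR overrides that lookup for the matched source.

```text
! Added example (not from the thread): steer the RDS host out of OUTSIDE2 with PBR.
! Requires ASA 9.4(1) or later. RDS_PBR_ACL and RDS_VIA_OUTSIDE2 are assumed names.

! The ACL is used only as match criteria for the route-map; it filters nothing.
! Keep it to the one host so no other LAN traffic is affected.
access-list RDS_PBR_ACL extended permit ip host 192.168.10.7 any
!
! Traffic matching the ACL is handed to the FTTC2 router (the OUTSIDE2 gateway
! from the thread's "route OUTSIDE2 0.0.0.0 0.0.0.0 192.168.20.5 2" line).
route-map RDS_VIA_OUTSIDE2 permit 10
 match ip address RDS_PBR_ACL
 set ip next-hop 192.168.20.5
!
! PBR is applied on the ingress interface, i.e. where the RDS traffic enters the ASA.
interface GigabitEthernet0/5
 policy-route route-map RDS_VIA_OUTSIDE2
```

The existing `nat (INSIDE,OUTSIDE2) source dynamic any interface` rule is what translates the redirected flow to the OUTSIDE2 address, so it stays as is. Because the original poster reports the host still leaving via OUTSIDE1, verify the result with `packet-tracer input INSIDE tcp 192.168.10.7 1024 <any Internet address> 80` and check both the egress interface and which nat rule the phases report; if the output still shows OUTSIDE1, the NAT rule order for the `(INSIDE,OUTSIDE1)` and `(INSIDE,OUTSIDE2)` pairs is the next thing to look at.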
08-18-2015 09:50 AM
Thank you for your response, I shall test this out and see if I can get that to work.
Simon