09-29-2010 02:09 AM - edited 03-04-2019 09:56 AM
Hey All,
Is it possible to set the default route on an ASA to something different for one particular IP address?
So everyone uses the route outside 0.0.0.0 0.0.0.0 1.2.3.4
and a particular IP (192.168.1.10) uses a different default gateway?
Hope that makes sense.
If that's not possible, is it possible to set a default route for a destination port, i.e. anything using port 443 goes to another defined route?
09-29-2010 02:53 AM
Hi,
A default route is a kind of static route where we have very few options to work with;
however, your requirement can be fulfilled with PBR (policy-based routing),
like the one below:
route-map TEST permit 10
match ip address 101
set ip next-hop A.B.C.D
access-list 101 permit ip host 192.168.1.10 any
int fa0/0
ip policy route-map TEST
Here you create an IP access list and match the source IP, call that in a route map with match and set statements, and then apply that route map
to an interface.
Please note that there are many options available after the match and set statements. You can use them as per your requirement.
Hope this helps.
Regards
Mahesh
09-29-2010 02:59 AM
Thanks for the reply, but Cisco ASA does not support PBR.
09-29-2010 05:18 AM
No, unfortunately that is not a supported configuration on ASA firewall.
09-29-2010 06:29 AM
Jenifer, I see you have a Cisco icon on your profile, so assuming you work for them: I have read that PBR is something that will feature very soon? Do you know anything about that?
For now I am going to try the following, based on web traffic going over the primary ISP link (x.x.x.x) and mail (SMTP) traffic going over the backup link (y.y.y.y):
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route backup 0.0.0.0 0.0.0.0 y.y.y.y 2
nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
Hopefully it will work.
09-29-2010 06:37 AM
Well, unfortunately you also can't configure 2 default gateways going out through 2 different interfaces. This is not a supported configuration.
I haven't seen PBR on ASA on the roadmap, but I could be wrong.
09-30-2010 03:47 AM
So just in case anyone is interested, that configuration worked perfectly.
The only thing to point out is, if you're going to go with this method, forget about inbound NAT, as the source address will come in one interface and try to go back out the default gateway.
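The egress-selection behaviour this thread's trick depends on, as an added Python model that is not part of the original posts or of Cisco's code: it assumes the static for a destination port is consulted before the routing table (so the interface named in the static wins), and that nothing steers the reverse flow of a connection that arrived inbound, which is why the poster's inbound NAT fails. Ports www=80 and smtp=25 are the standard service names; the gateways x.x.x.x / y.y.y.y are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str      # "route <iface> 0.0.0.0 0.0.0.0 <gw> <metric>"
    metric: int


@dataclass(frozen=True)
class StaticPat:
    iface: str      # mapped interface in "static (<iface>,inside) tcp ..."
    proto: str
    port: int


# Constructed from the thread's config (gateway addresses omitted).
ROUTES = [Route("outside", 1), Route("backup", 2)]
STATICS = [StaticPat("outside", "tcp", 80), StaticPat("backup", "tcp", 25)]


def default_iface(routes):
    """Lowest-metric default route wins for anything no static steers."""
    return min(routes, key=lambda r: r.metric).iface


def outbound_egress(proto, dport, statics=STATICS, routes=ROUTES):
    """Egress interface for an inside host's connection to the Internet.
    Assumption (a model, not ASA source): a static matching the destination
    port is consulted before the route table, so its interface is used."""
    for s in statics:
        if s.proto == proto and s.port == dport:
            return s.iface
    return default_iface(routes)


def inbound_reply_iface(ingress, routes=ROUTES):
    """Interface the replies leave on for a connection that arrived on
    `ingress`: no static steers the reverse flow, so the default route wins."""
    return default_iface(routes)


def inbound_is_symmetric(ingress, routes=ROUTES):
    """True only when replies go back out the interface the SYN came in on."""
    return inbound_reply_iface(ingress, routes) == ingress


def summarize():
    return {
        "http": outbound_egress("tcp", 80),
        "smtp": outbound_egress("tcp", 25),
        "https": outbound_egress("tcp", 443),
        "inbound_on_outside_ok": inbound_is_symmetric("outside"),
        "inbound_on_backup_ok": inbound_is_symmetric("backup"),
    }
```

Running `summarize()` shows HTTP leaving via outside, SMTP via backup, everything else via the metric-1 default, and inbound connections on the backup link returning asymmetrically.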