New to Cisco ASA in general. I'm replacing an aging, old, cheap firewall with some 5508s and I'm absolutely flummoxed on how to do this.
I have multiple ISPs coming in. Both are active. These ISPs are generally used for incoming connections only, and it's imperative that all return traffic for a given connection goes out the same interface that it was built on. Outgoing connections from the ASA to the internet can do whatever the ASA wants.
Thousands of locations may connect in over one or the other ISP. I can't provide routes for each one.
My previous firewall did this automatically, and I just set up default routes for each interface and assigned one as last resort. But that doesn't seem to be the case for the ASA. I set up default routes for each interface using different metrics, and only the lowest metric shows up in the sh route command.
Am I missing something obvious?
Not sure how to implement 'interface stickiness' on ASA.
A possible solution could be to NAT source addresses on each incoming interface to a unique address and just have two [or more] routes out the internet. However, NAT may be undesirable or could even break some apps.
You may look at this link that suggests switching off some of the security checks on Cisco Security Algorithm.
Interesting thought... NAT all source addresses to a common pool based on the interface, then somehow reverse it on the return path. I'll look into that.
Am I mistaken in that this is a common requirement? Is the ASA just not designed for multiple outside connections? Or is having asymmetrical routes just the thing to do? It seems to put a lot of additional bandwidth on the default interface.