Multiple active ISPs, routing responses to incoming traffic out the same interface
New to Cisco ASA in general. I'm replacing an aging, old, cheap firewall with some 5508s and I'm absolutely flummoxed on how to do this.
I have multiple ISPs coming in. Both are active. These ISPs are generally used for incoming connections only, and it's imperative that all return traffic for a given connection goes out the same interface that it was built on. Outgoing connections from the ASA to the internet can do whatever the ASA wants.
Thousands of locations may connect in over one or the other ISP. I can't provide routes for each one.
My previous firewall did this automatically, and I just set up default routes for each interface and assigned one as last resort. But that doesn't seem to be the case for the ASA. I set up default routes for each interface using different metrics, and only the lowest metric shows up in the sh route command.
Not sure how to implement 'interface stickiness' on ASA.
A possible solution could be to NAT source addresses on each incoming interface to a unique address and just have two [or more] routes out the internet. However, NAT may be undesirable or could even break some apps.
You may look at this link that suggests switching off some of the security checks on Cisco Security Algorithm.
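To make the per-interface NAT suggestion concrete, here is an added ASA configuration example written for this page; it is not from the posters above and not a verified Cisco-published design. It assumes ASA 8.3+ NAT syntax, two outside interfaces named ISP1 and ISP2 with documentation-range addresses, one inside HTTPS server reachable through a public address on each ISP, and the default behaviour that a twice NAT rule without the route-lookup keyword picks the egress interface for the reverse direction from the interface pair in the rule rather than from the routing table. The mapped pool addresses (10.255.1.1, 10.255.2.1) are arbitrary placeholders.

```cisco
! Interfaces (addresses are assumed documentation-range values)
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! One default route is enough: it only decides where outbound/new connections
! leave, which the question says can go anywhere.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Per-ISP mapped source address. The inside server sees this address
! (dynamic PAT) instead of the real client, which is the "may break some apps"
! caveat from the reply above.
object network ISP1_CLIENTS_MAPPED
 host 10.255.1.1
object network ISP2_CLIENTS_MAPPED
 host 10.255.2.1
object network ANY4
 subnet 0.0.0.0 0.0.0.0
!
! The published service: one public address per ISP, one real server
object network SRV_REAL
 host 192.168.10.10
object network SRV_PUB_ISP1
 host 203.0.113.3
object network SRV_PUB_ISP2
 host 198.51.100.3
!
! Twice NAT, one rule per inbound interface: client source -> per-ISP PAT
! address, public destination -> real server. Because the rules carry the
! (ISPx,inside) interface pair and no route-lookup keyword, the server's
! replies to 10.255.1.1 are sent back out ISP1 and replies to 10.255.2.1 out
! ISP2, independent of which default route won.
nat (ISP1,inside) source dynamic ANY4 ISP1_CLIENTS_MAPPED destination static SRV_PUB_ISP1 SRV_REAL
nat (ISP2,inside) source dynamic ANY4 ISP2_CLIENTS_MAPPED destination static SRV_PUB_ISP2 SRV_REAL
!
! The ASA still needs a next hop on the chosen interface for the mapped
! addresses, so give each pool a route via its own ISP gateway.
route ISP1 10.255.1.0 255.255.255.0 203.0.113.1 1
route ISP2 10.255.2.0 255.255.255.0 198.51.100.1 1
!
! Inbound policy on both outside interfaces (post-8.3 ACLs match the real address)
access-list OUTSIDE_IN extended permit tcp any object SRV_REAL eq 443
access-group OUTSIDE_IN in interface ISP1
access-group OUTSIDE_IN in interface ISP2
```

After applying it, `show nat detail` should list both twice NAT rules with hit counts, and `show conn` for a test connection arriving over ISP2 should show the translated 10.255.2.1 source on the inside leg, which confirms replies are being steered back out ISP2. A single PAT address gives roughly 64k concurrent ports per ISP; if that is too few for "thousands of locations", the mapped object can be a range used with the `pat-pool` keyword instead of a single host. The trade-off stands: anything on the inside that relies on the real client address (logging, geo or IP-based access policies, some application protocols) sees only the pool address.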
Interesting thought... NAT all source addresses to a common pool based on the interface, then somehow reverse it on the return path. I'll look into that.
Am I mistaken in that this is a common requirement? Is the ASA just not designed for multiple outside connections? Or is having asymmetrical routes just the thing to do? It seems to put a lot of additional bandwidth on the default interface.