If you have two ISPs and you want to use the first one for outbound internet access for hosts on your inside network and use the second ISP for people on the internet to access your servers.
interface Ethernet0/0nameif outsidesecurity-level 0ip address 220.127.116.11 255.255.255.0 !interface Ethernet0/1nameif backupsecurity-level 0ip address 18.104.22.168 255.255.255.0 !interface Ethernet0/2nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0
interface Ethernet0/3nameif dmzsecurity-level 50ip address 172.16.1.1 255.255.255.0
global (outside) 1 interfacenat (inside) 1 0.0.0.0 0.0.0.0static (dmz,backup) 22.214.171.124 172.16.1.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1route backup 0.0.0.0 0.0.0.0 188.8.131.52 2
It is possble put specific route rather than default for both the routes.
Nat is ok for (Inside,Outside) and (DMZ,Backup) ......u have to add specific route for accesing the backup link from DMZ or on the firewall.....thanks
We don't need and can't have a specific route as the source of inbound traffic can be anyone on the internet. The configuration is tested and it works fine. This is not my question but more of a sample configuration for anyone to use.
Wouldn't this load balance accross both thos equal cost routes? You would need some sort of PBR which I believe is not available (https://supportforums.cisco.com/docs/DOC-6069;jsessionid=8271C313440757D113FACC1737C6CABE.node0 ) else the packet would have issues on the other end becuase the remote firewall would send a SYN to ISP B's NATed Address and when the Server responds, it will be through ISP A's IP hence on the remote end would look like an out of state packet and would be dropped.
I could be wrong though.
The backup route has a higher metric so it will not show in the routing table. However it does exist in the 'topology table' in the ASA. Use ' sh asp table routing' to verify that.
When the SYN packet from client on internet hits the 'backup' interface of the ASA, it forwards that to the server in DMZ and builds a state/connection table for that. The return SYN-ACK packet from the server is routed based on the existing connection. This is when the 'backup' route with higher metric comes in play and the ASA forwards the packet to 184.108.40.206 device.
In short, this will only work for connections that are initiated from Internet destined to the backup interface subnet.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: