mattpayne59 asked:
Cisco ASA Routing Question - Can traffic be routed out multiple ASA interfaces?

I want to do something that sounds relatively simple but when I try to actually do it, I can't get it to work. I have a Cisco ASA5510 with 3 possible interfaces. Right now I have one interface connected to a Cisco 1720 router which then goes to an Internet T1. A second interface is being used for my internal network. I am going to be introducing a Comcast cable line into the mix as well. Now, I would like all traffic going through the cable modem to also be protected by the Cisco ASA so I was going to add this as a third interface. I also have a product called Surfcontrol which will only monitor 1 port supposedly which is another reason all traffic must get passed through the ASA.

Now, from the internal network which is 192.168.1.0/24, I want one IP address to use the cable modem exclusively for Internet and I want all of the remaining IP addresses to use the T1. I tried to configure this for a while and I could not get it to work and then I called Cisco support and they told me I would need to get a router with 3 interfaces to put in front of the ASA for this to work. I am not even sure how that would work. Anyone have experience/suggestions on how to get this to work? Can it be done with just the ASA? Thank you for the help!
stsonline:

You can set up Policy-Based Routing (PBR) on the ASA5510 or the 1720 - you'll have to catch the IP address of the source and route it to the cable modem interface for destination 'any'.

Here's a link to Cisco as an overview of PBR:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
billwharton:

You can use the ISP redundancy feature offered by the ASA. It was recently introduced:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
mattpayne59 (asker):

If this can work with the cable modem connected to the ASA5510, that is ideal. I did not know you could do PBR on the ASA... Are there any configuration examples you have?

As far as the backup ISP link, I know all about this but that is a failover. I need to route certain traffic to the second ISP all of the time, not when the first link goes down.
Nopes, you can NAT on different interfaces and specify particular global groups but I haven't seen PBR on the ASA/PIX
Would the NAT on different interfaces allow me to do what I want to do? So basically I have my T1 interface 1.1.1.1 and my router is 1.1.1.2. Then I have my cable interface which is 10.1.10.2 and the cable modem is 10.1.10.1. I have an internal network that is 192.168.1.0. My default route points all traffic to 1.1.1.2. I want only 192.168.1.13 to route out the cable to 10.1.10.2. Can I accomplish this with an ASA?
Give it a try and see if it directs the traffic sourced from 192.168.1.13 to the appropriate interface.

Simply create another NAT/GLOBAL group and check it out
That is what I tried before to get it to work and it did not seem to. It still wanted to go out the T1. Anyone ever actually done anything like this with an ASA?
The only way to accomplish this task is to buy a context license for the ASA and run multiple contexts on the chassis. The problem is that you can't have two default routes.
So there is no way to have a route just for the one IP address? Looks like context licenses are extremely expensive. What about other ways to get this done? Anyone have any creative ideas?
Buy a cheap router to sit in the middle of the firewall and the Internet. Any cheap Cisco router (like a 2nd hand 2611XM) can do PBR in its base image itself.
I currently have a Cisco 1720 as my Internet router. Since that has two WIC slots, would it be possible to get a WIC-1ENET and use that to connect off to the cable modem? This router would then have the T1 interface WIC, the WIC above for cable and then the current Ethernet port for the internal network which would not change. Does this router even support PBR? I think it will if I upgrade the IOS but I do not see anything definitive. Will this work?
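The source-based policy routing that stsonline describes, and the "router in the middle" design that the later replies converge on, written out as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread, and it assumes an IOS image that supports PBR (the thread does not settle whether a given 1720 image does). The interface names, the router-side addresses and the T1 address (203.0.113.2, a documentation-range placeholder) are assumptions; 1.1.1.1, 1.1.1.2, 10.1.10.1, 10.1.10.2, 192.168.1.0/24 and 192.168.1.13 reuse the values given in the thread. The one design point worth checking before building this: PBR matches the source address as the router receives it, so the ASA has to hand the packets from 192.168.1.13 to the router untranslated (or mapped to an address dedicated to that host); if the host is translated to the ASA's shared outside address, the access list below matches nothing.

```cisco
! Added example, not configuration from the thread. Assumes an IOS router
! placed between the ASA and both uplinks with three interfaces:
!   FastEthernet0 - faces the ASA outside interface (ASA is 1.1.1.1)
!   Serial0       - T1 to the Internet (address is a placeholder)
!   Ethernet1     - cable modem segment (modem is 10.1.10.1)
! Interface names and router-side addresses are assumptions.
!
! 1. The single source host that must always leave via the cable line.
!    Assumes the ASA passes this host's traffic with its original source
!    address (e.g. a NAT exemption for 192.168.1.13 on the ASA).
access-list 101 remark Host that egresses via the cable modem
access-list 101 permit ip host 192.168.1.13 any
!
! 2. Route map: packets matching ACL 101 are handed to the cable modem.
!    Packets that do not match fall through to the normal routing table,
!    i.e. the default route toward the T1.
route-map CABLE-ONLY permit 10
 match ip address 101
 set ip next-hop 10.1.10.1
!
! 3. Interfaces. The policy is attached to the interface that RECEIVES the
!    traffic (the ASA-facing side), not to the egress interface.
interface FastEthernet0
 description Toward ASA outside interface
 ip address 1.1.1.2 255.255.255.0
 ip policy route-map CABLE-ONLY
!
interface Serial0
 description T1 to the Internet (placeholder address)
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet1
 description Cable modem segment
 ip address 10.1.10.2 255.255.255.0
!
! 4. Routing. Everyone not caught by the route map follows the default
!    route out the T1; the return route for the inside network points back
!    at the ASA so replies to the untranslated host can get home.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.1.0 255.255.255.0 1.1.1.1
```

To confirm the policy is actually taking effect rather than silently falling through, generate traffic from 192.168.1.13 and watch the match counters on `show route-map CABLE-ONLY` climb; `debug ip policy` shows each policy-routed packet and its chosen next hop. If the counters stay at zero, the first thing to inspect is what source address the router is seeing from the ASA.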
ASKER CERTIFIED SOLUTION
billwharton:

This is an old post. However, for the sake of users viewing this, Microsoft TMG 2010 supports this functionality.

Here's how I implemented it:

http://robsilver.org/isatmg/isp-redundancy-made-easy/

Hope this helps,