
Cisco ASA - Multiple Inside and Outside Interface WAN Routing

I have a Cisco ASA firewall that's set up with an inside network, a DMZ network, and two outside networks. We have a track configured for internet failover for the zones outside (primary) and backup (secondary). We are going to be adding a new guest network, and would like that, by default, to route out the backup interface.

Is this actually possible, or does this qualify as Policy Based Routing? I thought this was possible with a new NAT ID and tweaking the corresponding NAT lines... like

nat (guest) 1 172.16.0.0 255.255.255.0
nat (inside) 2 0.0.0.0 0.0.0.0
global (backup) 1 interface
nat (outside) 2 interface

Would that work? I don't care about services, just the actual source of the traffic, and they will be completely separate interfaces.
Asked by InterWorks

1 Solution
MikeKane commented:
Nope - it's not going to work. This policy based routing is beyond the ASA's capabilities.
 
InterWorks (author) commented:
That's very unfortunate.

I'm having trouble figuring out how to do this without the addition of an additional ASA. The inside default gateway is a Cisco Catalyst 3750, and the default route ends up being the ASA. I know I can configure PBR on the 3750, but I'd still end up needing to send the traffic somewhere, back to the ASA.

I made a typo in the lines above: it was supposed to be two nat lines and two global lines. With a config like the above, the NAT should apply, but it would just try to use the wrong addresses (from backup) on the default route (on outside)?

I know an easy fix is to set up PBR on the 3750 and add in a new firewall for that second guest internet line. Is there any way to leverage the existing hardware in my setup? It's more complex than I'm stating, but the details aren't very important.
 
MikeKane commented:
The issue with the ASA is that you can only have one catch-all route for the outside interface. That is why you can have a failover setup with 2 ISPs but you can't do load balancing. It's just beyond what the ASA was designed to do.

Just a thought... if this is a guest network, does it need to go behind the ASA at all? You could drop an AP in between the backup ISP link and the ASA to broadcast a wireless AP that would allow for 'guest' connections while, at the same time, not interfering with the ASA's backup ISP config....
 
InterWorks (author) commented:
It's behind the ASA based on the cabling & switch VLAN configuration right now. I think we're just going to toss another, possibly even home class, firewall to serve up that guest network on a different IP address.