InterWorks asked:

Cisco ASA - Multiple Inside and Outside Interface WAN Routing

I have a Cisco ASA firewall that's set up with an inside network, DMZ network, and two outside networks. We have a track configured for internet failover for the zones outside (primary) and backup (secondary). We are going to be adding a new guest network, and would like that, by default, to route out the backup interface.

Is this actually possible, or does this qualify as Policy Based Routing? I thought this was possible with a new NAT ID and tweaking the corresponding NAT lines... like

nat (guest) 1 172.16.0.0 255.255.255.0
nat (inside) 2 0.0.0.0 0.0.0.0
global (backup) 1 interface
nat (outside) 2 interface

Would that work? I don't care about services, just the actual source of the traffic, and they will be completely separate interfaces.
ASKER CERTIFIED SOLUTION
MikeKane
InterWorks (ASKER):

That's very unfortunate.

I'm having trouble figuring out how to do this without the addition of an additional ASA. The inside default gateway is a Cisco Catalyst 3750, and the default route ends up being the ASA. I know I can configure PBR on the 3750, but I'd still end up needing to send the traffic somewhere, back to the ASA.

I made a typo in the lines above; they were supposed to be two nat lines and two global lines. With a config like the one above, the NAT should apply, but it would just try to use the wrong addresses (from backup) on the default route (on outside)?

I know an easy fix is to set up PBR on the 3750 and add in a new firewall for that second guest internet line. Is there any way to leverage the existing hardware in my setup? It's more complex than I'm stating, but the details aren't very important.

The issue with the ASA is that you can only have one catch-all route for the outside interface. That is why you can have a failover setup with two ISPs but you can't do load balancing. It's just beyond what the ASA was designed to do.

Just a thought... If this is a guest network, does it need to go behind the ASA at all? You could drop an AP in between the backup ISP link and the ASA to broadcast a wireless AP that would allow for 'guest' connections while, at the same time, not interfering with the ASA's backup ISP config....

It's behind the ASA based on the cabling & switch VLAN configuration right now. I think we're just going to toss another, possibly even home class, firewall to serve up that guest network on a different IP address.
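To show why the nat/global pairing in the question cannot steer guest traffic out the backup interface, here is an added illustration (not code from the thread or from Cisco) that models the pre-8.3 ASA packet flow in a simplified way: the routing table picks the egress interface first, and only then is the nat ID looked up against the global configured on that egress interface. The routing table, interface names and prefixes are constructed for the example; the nat/global lines follow the asker's snippet with the typo corrected to two nat and two global lines.

```python
import ipaddress

# Constructed routing table (longest-prefix match). There is a single
# catch-all route, and it points at 'outside', as the thread explains.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("172.16.0.0/24", "guest"),
    ("192.168.50.0/24", "dmz"),
]

# Pre-8.3 style nat lines: source interface -> (nat id, matched network).
NAT = {
    "guest": (1, "172.16.0.0/24"),
    "inside": (2, "0.0.0.0/0"),
}

# Pre-8.3 style global lines: (egress interface, nat id) -> pool.
# A global is only consulted on the interface the packet actually leaves by.
GLOBAL = {
    ("backup", 1): "interface",
    ("outside", 2): "interface",
}


def egress_interface(dst_ip):
    """Longest-prefix match over ROUTES; NAT plays no part in this step."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [ipaddress.ip_network(p) for p, _ in ROUTES
                  if dst in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def translate(src_iface, src_ip, dst_ip):
    """Return (egress interface, pool); pool is None when no global with the
    source's nat id exists on the chosen egress interface."""
    egress = egress_interface(dst_ip)
    nat_id, net = NAT[src_iface]
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(net):
        return egress, None
    return egress, GLOBAL.get((egress, nat_id))
```

In this model a guest host bound for the internet is routed to `outside` by the default route, where there is no global with nat ID 1, so the `global (backup) 1` pool is never reached; only a route lookup that returned `backup` for that source (policy-based routing) would change the outcome.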