Internal VLANs out separate ISPs on ASA 5510
Posted on 2012-03-26
I have an interesting problem that I think can be solved with the correct configuration, but I'm missing something and I'm not entirely sure what it is.
We have a Cisco ASA 5510, with two internal VLANs assigned to its internal interface -- our LAN and a second VLAN for guest wireless users. Both VLANs connect internally through a Barracuda web filter, and both VLANs use the same internal equipment (access points, switches, etc.)
Our guest wireless is consuming too much of our general Internet bandwidth, so we have procured a cable modem circuit for that traffic and connected it into the ASA as a second WAN interface. We also have a DMZ set aside on this ASA, so the ASA has its 4 ports assigned as follows:
E0/0: LAN (plugged into a Barracuda web filter)
E0/0.1: Guest VLAN (see E0/0)
E0/1: WAN1 (ISP #1)
E0/3: WAN2 (ISP #2)
I was hoping that setting up a second WAN would be as simple as a routing statement and static NAT for that guest VLAN, but unfortunately it doesn't seem to be. What I would like to have in terms of NAT and routing is:
LAN --> Internet routes through WAN1
Guest VLAN --> Internet routes through WAN2
No inbound static NATs are needed on the Guest VLAN or WAN2; this is simply for general Internet browsing.
So far, I've tried creating a separate default route, which seems to only serve as a backup route and not as a primary one. I've also tried setting dynamic PAT from the Guest VLAN to WAN2, with no luck either.
So, this leads to 2 questions:
1. Can this be done on the ASA? I'm not concerned about load balancing or failover, just the ability to direct traffic from one VLAN out a specific ISP.
2. If not, how can I make this work? Do I need to add a small, cheap NAT firewall into the equation for the guest VLAN to use as its gateway instead?
As usual, thanks for the advice and assistance.