Configure Cisco ASA for two internet links

Hi,
for now I don't have complete information, but I would like to get some suggestions.
Customer has a single LAN subnet and two internet connections with two fixed IP addresses.
A couple of servers (5-10) use a Cisco ASA as gateway, connected to the first internet connection.
All other computers are configured via DHCP to use an ISA server as gateway, connected to the second internet connection.

Now they want to retire the ISA server and connect everything to the Cisco ASA, but they want to maintain the same traffic flow - servers should use the first internet connection, client computers the second.
On both internet connections there are a couple of port forwardings configured.

Any suggestions about how the Cisco should be configured? One idea is to use two additional LAN ports configured with the IP addresses of the ISA server. So the Cisco would have two public IP addresses (different subnets) and two LAN IP addresses (same subnet), two NATs, ...

Thank you!
davorinAsked:
agonza07Commented:
The ASA can't do PBR, but depending on what you use the servers for you might be able to use the workaround below, where you route based on ports.

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
davorinAuthor Commented:
Sorry, as I suspected, the info I had was incomplete.
It is not a Cisco ASA, but a Cisco 892 with 15.1.1T IOS, and it looks like it is a single internet connection with two IP addresses. It does support PBR, but I don't think that I need to use load balancing.

I'm thinking about how to set everything up as simply as possible. Probably using the first internet connection (IP address) to access server services from the internet (Exchange server, web server, ...) and the second one for all other traffic would ease things a little bit.
agonza07Commented:
Yeah, PBR is the way to go then if you have an 892.
davorinAuthor Commented:
I have prepared some configuration changes and I would like your opinion on whether I have done something wrong. Yes, I know that you cannot be 100% sure without the whole configuration.
Where there is a question mark, I'm not sure whether to use that option.
1.2.3.4 is the secondary external IP address.

Add static NAT rules:
ip nat inside source static tcp 192.168.1.199 21 1.2.3.4 21 (extendable?)
ip nat inside source static tcp 192.168.1.193 3343 1.2.3.4 3343  (extendable?)
ip nat inside source static tcp 192.168.1.197 3337 1.2.3.4 3389  (extendable?)
(existing NAT rules use "interface fastethernet8" instead of primary external IP address)

Add secondary IP address on external interface fastethernet8:
ip address 1.2.3.4 255.255.0.0 secondary

Add ACLs for PBR:
ip access-list ext ACL_PBR1
permit tcp any any eq 21
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any range 60000 60003

ip access-list ext ACL_PBR2
permit tcp any any
permit ip any any

Add route-map for PBR:
route-map PBR1 permit 100
match ip address ACL_PBR1
set ip next-hop 1.2.3.1 (GW of secondary external IP address)

route-map PBR1 permit 200
match ip address ACL_PBR2
set ip next-hop 1.1.1.1 (GW of primary external IP address, all other traffic from LAN should go thru this GW)

Set route-map on internal interface VLAN1
ip policy route-map PBR1
ip route-cache policy (?)

Remove default route: ip route 0.0.0.0 ....

Thx!
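An added example, not from the thread or from Cisco, that models how IOS policy routing would evaluate the route-map posted above against two constructed LAN packets. It assumes the intent stated earlier in the thread (replies from the servers published on 1.2.3.4 leave via 1.2.3.1, everything else via 1.1.1.1); the "source-port" ACL variant, the packets and the helper names are constructed for illustration.

```python
# Minimal model of IOS PBR evaluation for the posted ACL_PBR1/ACL_PBR2 route-map.
# Added illustration only; gateways are the ones named in the post, packets are constructed.

SECONDARY_GW = "1.2.3.1"   # post: GW of the secondary external IP (1.2.3.4)
PRIMARY_GW = "1.1.1.1"     # post: GW of the primary external IP

def port_match(spec, port):
    """spec: None (any), int (eq), or (lo, hi) tuple (range)."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec

def acl_permits(acl, pkt):
    """acl: ordered list of (proto, src_port_spec, dst_port_spec); 'ip' matches any proto."""
    for proto, sport, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if port_match(sport, pkt["sport"]) and port_match(dport, pkt["dport"]):
            return True
    return False

def next_hop(route_map, pkt):
    """route_map: ordered list of (acl, gateway). First matching sequence wins, as in IOS."""
    for acl, gw in route_map:
        if acl_permits(acl, pkt):
            return gw
    return "normal-routing"

# ACL_PBR1 as posted: 'permit tcp any any eq 21' matches the DESTINATION port.
ACL_PBR1_POSTED = [("tcp", None, 21), ("tcp", None, 80),
                   ("tcp", None, 443), ("tcp", None, (60000, 60003))]
# Constructed variant: match the SOURCE port, i.e. replies leaving the NATed servers
# ('permit tcp any eq 21 any' in IOS syntax).
ACL_PBR1_SRC = [("tcp", 21, None), ("tcp", 80, None),
                ("tcp", 443, None), ("tcp", (60000, 60003), None)]
ACL_PBR2 = [("tcp", None, None), ("ip", None, None)]   # as posted (second entry is redundant)

def route_map_pbr1(acl_pbr1):
    return [(acl_pbr1, SECONDARY_GW), (ACL_PBR2, PRIMARY_GW)]

# Constructed packets as seen entering VLAN1, i.e. before inside-to-outside NAT:
FTP_SERVER_REPLY = {"proto": "tcp", "sport": 21, "dport": 50123}   # 192.168.1.199 answering an internet client
CLIENT_HTTPS = {"proto": "tcp", "sport": 51000, "dport": 443}      # a LAN PC browsing the internet

if __name__ == "__main__":
    for name, acl in (("posted", ACL_PBR1_POSTED), ("source-port", ACL_PBR1_SRC)):
        rm = route_map_pbr1(acl)
        print(name, "| ftp reply ->", next_hop(rm, FTP_SERVER_REPLY),
              "| client https ->", next_hop(rm, CLIENT_HTTPS))
```

With the posted ACL the server's reply falls through to ACL_PBR2 and the primary gateway, while ordinary client HTTPS is steered to the secondary gateway; the source-port variant gives the opposite, intended split. Keep in mind that a static port mapping (e.g. 3337 to 3389) means the inside source port, not the published one, is what the ACL sees.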
agonza07Commented:
You'll have to try it out, but I did a quick scan of your config and it looks right.
davorinAuthor Commented:
PBR is not working properly, but I will try to resolve the problem when I have a little more time. I will probably open a new question. Thank you for now!