Jeremy Weisinger
asked on
ASA PBR workaround
ASA has 2 ISP connections: primary and failover. I'm trying to NAT an IP on the failover connection for SSH traffic to an internal device on the LAN.
I can never bring up the connection and I presume it is just routing it over the primary connection. I see that PBR is available on 9.4 but we're running 9.3 right now.
Is there any workaround for this?
Thanks!
Jeremy
It's a little known fact that if you have two interfaces in 'Standby ISP' on an ASA, you can use the secondary interface for traffic that is sourced from OUTSIDE the ASA.
This would seem to be exactly what you want? But it will only work with a static PAT (port forward) from the secondary interface to an internal host.
i.e.
object network Internal_SSH_Server
 host 192.168.1.10
nat (inside,secondary) static interface service tcp ssh ssh
access-list inbound_secondary permit tcp any object Internal_SSH_Server eq ssh
access-group inbound_secondary in interface secondary
Pete
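Added example, not from Pete's post or the asker's config: the same static PAT, but with the inbound ACL limited to known admin sources instead of "any", followed by the ASA commands used to confirm the flow lands on the NAT rule and stays on the secondary interface. The interface names "inside" and "secondary" are taken from the answer above; 198.51.100.2 (secondary interface address) and 203.0.113.50 (allowed admin host) are constructed placeholders.

```cisco
! Added example (not from the original post). Constructed addresses:
! 198.51.100.2 = secondary interface IP, 203.0.113.50 = admin host.

object network Internal_SSH_Server
 host 192.168.1.10

! Only these sources may open SSH through the secondary interface
object-group network Admin_SSH_Sources
 network-object host 203.0.113.50

! Static PAT: TCP/22 on the secondary interface address -> 192.168.1.10:22
nat (inside,secondary) static interface service tcp ssh ssh

! On 8.3+ code the ACL matches the real (untranslated) inside address
access-list inbound_secondary permit tcp object-group Admin_SSH_Sources object Internal_SSH_Server eq ssh
access-group inbound_secondary in interface secondary

! Verify: simulate an inbound SYN arriving on the secondary interface.
! A working config shows the UN-NAT phase hitting the rule above and
! an overall result of ALLOW; a DROP here points at the ACL or the NAT.
packet-tracer input secondary tcp 203.0.113.50 40000 198.51.100.2 22 detailed

! After a real connection attempt, confirm the xlate and the connection
! are both tied to the secondary interface rather than the primary one.
show xlate | include 192.168.1.10
show conn address 192.168.1.10 port 22
```

If packet-tracer shows ALLOW but the session still never completes, check the conn table: return traffic for an existing connection leaves on the interface it arrived on, so a missing conn entry means the inbound SYN never reached the ASA on the secondary interface.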
I would suggest going to 952-2, it supports PBR.
ASKER
Been tasked with other things and can no longer work on this issue.
Can you be just a little more detailed with regard to the problem?
(And, there should be a way to correct any of the three).