Multihomed ASA and NAT policies?

Aug 18th, 2008

Hello Netpros,

I am setting up an ASA 5510 which has a T1 and a Cable Modem connection. By default all traffic gets sent out the Cable Modem as it's faster and preferred. There is also a backup floating static route to the T1 should the link die on the cable modem connection.

We have a server which is NATed to both the T1 and cable modem connection:

route outside-CABLE 0.0.0.0 0.0.0.0 cableIP 1
route outside-T1 0.0.0.0 0.0.0.0 T1_IP 200

static (inside,outside-T1) T1publicIP serverA
static (inside,outside-CABLE) CBLpublicIP serverB

How do I force the serverA host to ALWAYS go out the T1publicIP as stated in the above statement? It seems to go to T1 only if the cable link is down.

Is it possible to force the server out through the T1, EXCEPT when the T1 is down, in which case it will pass out through Cable?

I'm sure this is an easy thing to do, I'm just an ASA newbie so any help is appreciated!

Julian

rdessert Tue, 08/19/2008 - 06:38

Julian,


Unfortunately I don't think this is possible with the ASA. With a router it would be possible using Policy Based Routing (PBR). Unfortunately the ASA does not support PBR, so the traffic from the server will be routed according to the ASA's preferred route.


See this link for the ASA FAQ, including the PBR question.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml


julianunderwood Tue, 08/19/2008 - 06:43

Hi,


Thanks for your response. Do you know if it would be possible to force the servers out the T1 and not have them go out the cable connection in the event of T1 failure? Would that simplify things in any regard?


Thanks again,


Julian



rdessert Tue, 08/19/2008 - 07:03

Unfortunately what you want to do is considered policy based routing and is not supported on the ASA.


You might be able to configure multiple contexts, with server A in one context that uses the T1 as next hop, and server B in another context that uses the Cable connection as next hop.


See this document for more info on multiple context mode on the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml


rdessert Tue, 08/19/2008 - 07:35

I'm not sure what your network environment looks like, but if you have a layer 3 device (or devices) sitting in front of the ASA you can implement PBR to set the next hop for traffic sourced from your serverA to the device that terminates your T1. Thanks, hopefully this helps some. It would be nice if the ASA supported PBR!


Rich
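As an added illustration of Rich's suggestion (this is example configuration, not from the thread or from Cisco), here is IOS PBR on a router that is the servers' default gateway and sits in front of the ASA, with the T1 terminated on a separate device. Addresses, interface names and the tracking object are assumed placeholders; it also goes one step past the suggestion by tracking the T1 next hop so serverA falls back to the normal default route (the ASA/cable path) only while the T1 is unreachable, which is the failover behaviour Julian asked about.

```cisco
! Added example, not from the original thread. Assumed placeholders:
!   serverA = 10.1.1.10          (LAN host behind GigabitEthernet0/0)
!   T1 termination device = 192.168.2.1 (reached via GigabitEthernet0/1)
!   ASA inside interface  = 192.168.1.1 (cable path, normal default route)
!
! Probe the T1 next hop; the tracking object goes down when it stops answering.
ip sla 1
 icmp-echo 192.168.2.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Match only traffic sourced from serverA; all other hosts keep using the
! routing table, so serverB still leaves via the ASA/cable path.
ip access-list extended SERVERA-OUT
 permit ip host 10.1.1.10 any
!
! Policy: send serverA's traffic to the T1 device, but only while track 1 is
! up. When the track is down the set clause is skipped and the packet is
! routed normally, i.e. out the default route toward the ASA.
route-map PBR-SERVERA permit 10
 match ip address SERVERA-OUT
 set ip next-hop verify-availability 192.168.2.1 10 track 1
!
! PBR is applied on the ingress interface facing the servers.
interface GigabitEthernet0/0
 ip policy route-map PBR-SERVERA
!
! Normal default route for everything else (and for serverA during T1 loss).
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Check the policy with `show route-map PBR-SERVERA` (match counters increment for serverA) and `show track 1` (state Up while the T1 device answers the probe).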
