Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
763
Views
0
Helpful
4
Replies

Multihomed ASA and NAT policies?

julianunderwood
Level 1
Level 1

‎08-18-2008 10:19 AM - edited ‎03-11-2019 06:32 AM

Hello Netpros,

I am setting up a ASA 5510 which has a T1 and a Cable Modem connection. By default all traffic gets sent out the Cable Modem as its faster and preferred. There is also a backup floating static route to the T1 should the link die on the cable modem connection.

We have a server which is NAT to both the T1 and cable modem connection:

route outside-CABLE 0.0.0.0 0.0.0.0 cableIP 1

route outside-T1 0.0.0.0 0.0.0.0 T1_IP 200

static (inside, outside-T1) T1publicIP serverA

static (inside, outside-CABLE) CBLpublicIP serverB

How do I force the serverA host to ALWAYS go out the T1publicIP as stated in the above statement? It seems to go to T1 only if the cable link is down.

Is it possible to force the server out through the T1, EXCEPT when the T1 is down in which case it will pass out through Cable?

I'm sure this is an easy thing to do, I'm just an ASA newbie so any help is appreciated!

Julian

Labels:
0 Helpful
4 Replies 4

rdessert
Level 1
Level 1

‎08-19-2008 06:38 AM

Julian,

Unfortunately I don't think this is possible with the ASA. With a router it would be possible using Policy Based Routing (PBR). Unfortunately the ASA does not support PBR, so the traffic from the server will be routed according to the ASA's preferred route.

See this link for ASA FAQ including the PBR question.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

0 Helpful

julianunderwood
Level 1
Level 1
In response to rdessert

‎08-19-2008 06:43 AM

Hi,

Thanks for your response. Do you know if it would be possible to force the servers out the T1 and not have them go out the cable connection in the event of T1 failure? Would that simplify things in any regard?

Thanks again,

Julian

0 Helpful

rdessert
Level 1
Level 1
In response to julianunderwood

‎08-19-2008 07:03 AM

Unfortunately what you want to do is considered policy based routing and is not supported on the ASA.

You might be able to configure multiple contexts server A being in one context and which uses the T1 as next hop, and server B being in another context using the Cable connection as next hop.

See this document for more info on multiple context mode on the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

0 Helpful

rdessert
Level 1
Level 1
In response to rdessert

‎08-19-2008 07:35 AM

I'm not sure what your network environment looks like but if you have a layer 3 device/s sitting in front of the ASA you can implement PBR to set the next hop for traffic sourced from your serverA to as the device that terminates your T1. Thanks, hopefully this helps some. It would be nice if the ASA supported PBR!

Rich

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card