ASA: default routing with two ISP's

Sep 17th, 2008

We have two ranges of public IP addresses. Both are configured on the ASA5510 (7.2.4, failover A/S, functions: VPN server, VPN L2L, SSL-VPN, firewall, NAT):

interface Ethernet0/0.100
 description ### Path A ###
 vlan 100
 nameif outside-1
 security-level 0
 ip address 100.100.100.1 255.255.255.248 standby 100.100.100.2
!
interface Ethernet0/0.200
 description ### Path B ###
 vlan 200
 nameif outside-2
 security-level 10
 ip address 200.200.200.1 255.255.255.248 standby 200.200.200.2


In the DMZ we have two servers with a NAT requirement:

static (dmz,outside-1) 192.168.1.1 100.100.100.3 netmask 255.255.255.255 !--- NAT for Host-A
static (dmz,outside-2) 192.168.1.2 200.200.200.3 netmask 255.255.255.255 !--- NAT for Host-B


Default route:

route outside-1 0.0.0.0 0.0.0.0 100.100.100.6


The ASA communicates with the ISP router, which is configured with both IP addresses (100.100.100.6/29 and 200.200.200.6/29), through the switch:

interface FastEthernet0/2
 description ### Link to ISP-Router.100 ###
 switchport access vlan 100
!
interface FastEthernet0/2
 description ### Link to ISP-Router.200 ###
 switchport access vlan 200
!
interface FastEthernet0/3
 description ### Trunk to ASA ###
 switchport trunk encapsulation dot1q
 switchport mode trunk


How can I make Host-B choose Path B without defining an explicit target in the routing? As far as I know, the ASA does not support PBR.

Does anybody have an idea (or another approach)?


hemen.goradia Thu, 09/18/2008 - 03:39

You can try route-map and define policy accordingly.


Which IOS version of the ASA are you running? I have tried this in 7.1 and 8.0.


Hemen

jcosgrove Thu, 09/18/2008 - 09:51

You can use the ASA to take care of the NAT for ISP A and ISP B with a single default route on the outside interface. Then, in your ISP border router, use policy-based routing to decide which IPs get which next hop.

Guennadi Roussak Thu, 09/18/2008 - 13:54

Host-A --> 2.2.2.2
Host-A --> ASA dmz --> default route: outside-1 --> NAT (dmz,outside-1) --> outside-1 --> ISP Router.100 --> Internet cloud --> 2.2.2.2

Host-B --> 2.2.2.2
Host-A --> ASA dmz --> default route: outside-1 --> NAT ??? --> drop packet.
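The packet walk above, replayed as an added Python model that is not part of the thread and not ASA or Cisco code: the route lookup picks the egress interface first, and only then is the static NAT for the (ingress, egress) interface pair consulted, so Host-B's packet leaves the route lookup on outside-1 where no (dmz,outside-1) translation exists for it. Addresses, interface names and statics are the ones in the question; the helper names, the longest-prefix/lowest-metric tie-break, the result dictionaries and the two alternative scenarios (mzik's second default route, jcosgrove's single-outside approach) are assumptions of this toy model, and the ISP router's PBR is outside it.

```python
"""Toy model (added example, not ASA or Cisco code) of the forwarding decision
described in this thread for a packet from the DMZ to the Internet:

  1. route lookup: longest prefix, then lowest metric, picks the egress interface;
  2. NAT lookup: the static for the (ingress, egress) interface pair must match;
  3. no matching translation (nat-control behaviour) -> the packet is dropped.

Addresses, interface names and statics come from the question; the helper
names, tie-break logic and result dicts are assumptions of this model.
"""
import ipaddress


def build_routes(extra_routes=()):
    """Routing table as (prefix, egress interface, next hop, metric)."""
    routes = [
        (ipaddress.ip_network("192.168.1.0/24"), "dmz", "connected", 0),  # assumed DMZ subnet
        (ipaddress.ip_network("100.100.100.0/29"), "outside-1", "connected", 0),
        (ipaddress.ip_network("200.200.200.0/29"), "outside-2", "connected", 0),
        # route outside-1 0.0.0.0 0.0.0.0 100.100.100.6
        (ipaddress.ip_network("0.0.0.0/0"), "outside-1", "100.100.100.6", 1),
    ]
    routes.extend(extra_routes)
    return routes


def build_statics(extra_statics=()):
    """Static NAT as (real interface, mapped interface, real IP, mapped IP)."""
    statics = [
        ("dmz", "outside-1", "192.168.1.1", "100.100.100.3"),  # static (dmz,outside-1) Host-A
        ("dmz", "outside-2", "192.168.1.2", "200.200.200.3"),  # static (dmz,outside-2) Host-B
    ]
    statics.extend(extra_statics)
    return statics


def route_lookup(routes, dst):
    """Return (egress interface, next hop): longest prefix wins, then the lowest
    metric. A second default route with a higher metric is therefore only a
    backup; it never steers individual hosts."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


def nat_lookup(statics, ingress, egress, src):
    """Mapped address for src leaving via egress, or None if no static matches."""
    for real_if, mapped_if, real_ip, mapped_ip in statics:
        if (real_if, mapped_if, real_ip) == (ingress, egress, src):
            return mapped_ip
    return None


def forward(routes, statics, ingress, src, dst):
    """Replay the route-then-NAT decision for one packet."""
    egress, next_hop = route_lookup(routes, dst)
    mapped = nat_lookup(statics, ingress, egress, src)
    if mapped is None:
        return {"action": "drop", "egress": egress,
                "reason": f"no translation for {src} on ({ingress},{egress})"}
    return {"action": "allow", "egress": egress, "next_hop": next_hop, "src": mapped}


def baseline():
    """The configuration as posted: Host-A is translated, Host-B is dropped."""
    routes, statics = build_routes(), build_statics()
    return (forward(routes, statics, "dmz", "192.168.1.1", "2.2.2.2"),
            forward(routes, statics, "dmz", "192.168.1.2", "2.2.2.2"))


def with_floating_default():
    """mzik's line 'route outside-2 0.0.0.0 0.0.0.0 200.200.200.6 200': the
    metric-200 route stays idle while the metric-1 default exists."""
    extra = [(ipaddress.ip_network("0.0.0.0/0"), "outside-2", "200.200.200.6", 200)]
    return forward(build_routes(extra), build_statics(), "dmz", "192.168.1.2", "2.2.2.2")


def with_single_outside():
    """jcosgrove's approach: translate Host-B on outside-1 too and let the ISP
    router choose the next hop by source address (its PBR is outside this model)."""
    extra = [("dmz", "outside-1", "192.168.1.2", "200.200.200.3")]
    return forward(build_routes(), build_statics(extra), "dmz", "192.168.1.2", "2.2.2.2")


if __name__ == "__main__":
    host_a, host_b = baseline()
    for name, result in [("baseline Host-A", host_a), ("baseline Host-B", host_b),
                         ("floating default", with_floating_default()),
                         ("single outside", with_single_outside())]:
        print(f"{name:18} -> {result}")
```

Running it shows the three outcomes side by side: Host-A leaves outside-1 as 100.100.100.3, Host-B is dropped in both the posted configuration and the floating-default variant because the route lookup never reaches outside-2, and only the single-outside variant forwards Host-B (as 200.200.200.3 on outside-1, leaving the path choice to the ISP router).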

mzik Thu, 03/19/2009 - 09:32

Can you try adding the following line to the ASA?

route outside-2 0.0.0.0 0.0.0.0 200.200.200.6 200

Mirek

isa-aston-03 Thu, 08/20/2009 - 01:18

I have a similar problem. Did you ever get a working solution to this?
