ASA: default routing with two ISPs

Sep 17th, 2008

We have two areas of public IP addresses. Both are configured in the ASA5510 (7.2.4, failover A/S, functions: VPN-Server, VPN L2L, SSL-VPN, Firewall, NAT):

interface Ethernet0/0.100
 description ### Path A ###
 vlan 100
 nameif outside-1
 security-level 0
 ip address standby

interface Ethernet0/0.200
 description ### Path B ###
 vlan 200
 nameif outside-2
 security-level 10
 ip address standby

In the DMZ we have two servers with a NAT requirement:

static (dmz,outside-1) netmask !--- NAT for Host-A

static (dmz,outside-2) netmask !--- NAT for Host-B

Default Route:

route outside-1

ASA communicates with the ISP-Router which is configured with both IP addresses - and, through the Switch:

interface FastEthernet0/2
 description ### Link to ISP-Router.100 ###
 switchport access vlan 100

interface FastEthernet0/2
 description ### Link to ISP-Router.200 ###
 switchport access vlan 200

interface FastEthernet0/3
 description ### Trunk to ASA ###
 switchport trunk encapsulation dot1q
 switchport mode trunk

How can I make Host B choose Path B without defining an explicit target in the routing? As far as I know, the ASA does not support PBR.

Does somebody have an (or another) idea?

hemen.goradia Thu, 09/18/2008 - 03:39

You can try route-map and define policy accordingly.

Which IOS version of ASA are you running? I have tried this in 7.1 and 8.0.


jcosgrove Thu, 09/18/2008 - 09:51

You can use the ASA to take care of the NAT for ISP A and ISP B to a single default route on the outside interface. Then in your ISP border router use policy-based routing to decide what IPs have what next hop.
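
A sketch of the border-router side of the suggestion above, added here as an example; it is not configuration posted by anyone in the thread. It assumes the ASA has a single outside interface that carries the static NAT for both hosts, and every address, ACL name, route-map name and router interface name below is a placeholder.

```cisco
! Added example, not from the thread. Placeholders (documentation ranges):
!   192.0.2.0/28     public range A (also the ASA-facing subnet)
!   198.51.100.0/28  public range B
!   203.0.113.1      upstream next hop towards ISP A
!   203.0.113.5      upstream next hop towards ISP B
!   192.0.2.2        ASA outside address

! Classify on the translated (post-NAT) source address that the ASA
! puts on the wire, not on the DMZ addresses.
ip access-list extended FROM-RANGE-A
 permit ip 192.0.2.0 0.0.0.15 any
ip access-list extended FROM-RANGE-B
 permit ip 198.51.100.0 0.0.0.15 any

! One route-map entry per public range; each picks its own next hop.
route-map ASA-EGRESS permit 10
 match ip address FROM-RANGE-A
 set ip next-hop 203.0.113.1
route-map ASA-EGRESS permit 20
 match ip address FROM-RANGE-B
 set ip next-hop 203.0.113.5
! Packets that match neither entry are not policy-routed and follow
! the normal routing table.

! PBR is applied inbound on the interface that receives traffic from
! the ASA (hypothetical interface name).
interface FastEthernet0/0
 description ### Link to ASA outside ###
 ip policy route-map ASA-EGRESS

! Return traffic: range B is not a connected subnet in this sketch,
! so it needs a route back to the ASA.
ip route 198.51.100.0 255.255.255.240 192.0.2.2

! Check that packets hit the intended entries:
!   show route-map ASA-EGRESS
```

The next hops used with `set ip next-hop` have to be on directly connected networks of the router, and the match counters in `show route-map` confirm whether each host's translated traffic is taking the intended path.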

Guennadi Roussak Thu, 09/18/2008 - 13:54

Host-A -->

Host-A --> ASA dmz --> default route: outside-1 --> NAT (dmz,outside-1) --> outside-1 --> ISP Router.100 --> Internet cloud -->

Host-B -->

Host-A --> ASA dmz --> default route: outside-1 --> NAT ??? --> drop packet.

mzik Thu, 03/19/2009 - 09:32

Can you try adding the following line to the ASA?

route outside-2 200


isa-aston-03 Thu, 08/20/2009 - 01:18

I have a similar problem. Did you ever get a working solution to this?

