Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
682
Views
0
Helpful
2
Replies

ASA complex scenario

junshah22
Level 1
Level 1

‎07-22-2009 03:08 AM

Dear all,

I have following devices for my communication rack,

- one Cisco ASA 5510 security plus

- one Cisco 2811 router

- one Cisco 3560G (layer 3) switch

- 1 linksys 24 port switch

my scenario

Internet connection (1) is connected with Cisco Router port fa0/1 and live Ip is configured

fa0/0 is connected with ASA having Ip address 192.168.74.1

ASA has three interfaces configured,

Inside

Outside

DMZ

Servers are attached with DMZ

Cisco 3560G is connected with Inside

Cisco Router is attached with outside

security level 50 for DMZ

100 for Inside

0 for outside

currently, site-to-site vpn and remote access ipsec VPN is configured on CISCO ROUTER,

Vlans are configured on cisco switch,

NOW

---------------------

I want to add another Internet connection to my ASA 4th port

---------------------

nat-control is not enabled on ASA,

I cannot enable nat-control, otherwise, my internal network mapped into one ip and don't appear on my monitoring server,

please advise, how can I configure my 4th port on the ASA for internet access only to inside network, DMZ will use primary internet connection via router, because remote users will connect via cisco vpn client,

if I enable NAT in ASA, my inside network dont connects with DMZ,

Please help

Labels:
0 Helpful
2 Replies 2

Roman Rodichev
Level 7
Level 7

‎07-22-2009 05:37 AM

I don't know if this will be possible. Simple routing determines which way the traffic flows to the Internet from Inside and DMZ, they'll always use the same 0.0.0.0 route. Policy Based Routing (routing based on source) doesn't exist in ASA. It is possible to setup a backup Internet connection and use IP SLA to monitor the primary link, but that's not what you are trying to do. Did I understand you correctly, you want Inside hosts to use primary Internet connection and DMZ hosts to use secondary Internet connection? One solution would be to do routing on the next hop after the firewall. Connect second Internet connection to your router (or you could have two routers in HSRP), and then use policy-based routing to route 0.0.0.0 to a different Internet connection depending on your source IP address. You can then NAT inside addresses to one PUB IP and NAT DMZ addresses to another PUB IP on ASA.

Regards,

Roman

0 Helpful

junshah22
Level 1
Level 1
In response to Roman Rodichev

‎07-22-2009 08:50 AM

I discussed it with an expert, he said, its not possible, because I need to run BGP,

he said, you can load balance for general internet use,, but when VPN will involve, then I will need to run BGP,,

what do you say??,

as i said in my earlier post that I want to use only one connection for VPN and the other one for general internet surfing,,

vlans users will use general internet,, while Servers in the DMZ will use other internet connection (having vpn)

Please advise,,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents