1532 Views, 0 Helpful, 4 Replies

ASA 5520 - redirecting web traffic

adcorbett_2 (Level 1)

I have an ASA 5520 with 4 GE ports. Port 0 is the outside interface (connected to a T1 with VPN tunnels to remote sites), port 1 is inside, port 2 is a VPN tunnel to our disaster recovery site, and port 3 is open (connected to a FIOS line). What I am trying to do is to get all Internet traffic to use port 3. However, it wants to use the outside interface all the time. I have to keep the outside interface up and running, and so far when I try to make port 3 the port for Internet access, I lose connectivity to our remote sites via the T1 on port 0. How can I direct just port 80 and 443 traffic to use port 3 on the ASA?

Accepted Solution

It is this hack that I mentioned not to use. This static gets into the xlate table and pretty much tells the firewall that all addresses live on the OUT_3 interface.

For example, when the IPS device issues a "shun x.x.x.x", or a shun is issued from the ASA CLI for any address (including the inside subnets for which static routes exist), it gets sent out the OUT_3 interface because of this, even if you intend for it to go out one of the other interfaces.

Please use a layer 3 device upstream and use PBR.

-KS


4 Replies

Kureli Sankar (Cisco Employee)
You can configure some statics to take all the destination port 80 and 443 traffic and send it out port 3, but that is not advisable.

Your best option would be to use a layer 3 device on the outside and use PBR to send the port 80 and 443 requests out one link and the rest via the other link.


-KS
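To make the "layer 3 device upstream with PBR" suggestion concrete, here is an added example configuration; it is not from the original thread and not Cisco documentation. It assumes a Cisco IOS router R1 sits between the ASA outside interface and both uplinks: R1 GigabitEthernet0/0 faces the ASA (ASA outside 203.0.113.2/29, R1 203.0.113.1), Serial0/0/0 is the T1 (provider next hop 192.0.2.1) and GigabitEthernet0/2 is the FIOS line (gateway 198.51.100.1). It also assumes the ASA PATs inside hosts to addresses in its outside /29 block. All interface names and addresses are assumptions. With this design the ASA keeps a single default route to 203.0.113.1 and the FIOS line moves off ASA port 3, so the VPN tunnels on port 0 are untouched; R1 policy-routes only TCP 80/443 from the ASA's outside block to the FIOS gateway, falls back to the T1 when that gateway stops answering, and PATs the web traffic to its FIOS address so it does not leave the FIOS link with a source address from the T1 provider's block (which the FIOS ISP may drop on ingress).

```cisco
! R1: upstream layer 3 device between the ASA outside interface and both ISP links.
! Addresses and interface names are assumptions for this example.
!
! Default path for everything, including ESP / UDP 500 / UDP 4500 to the
! remote-site VPN peers: the T1.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Only web traffic sourced from the ASA outside block (PAT address plus any
! statics) is policy-routed. VPN traffic is not TCP 80/443, so it never
! matches and stays on the T1.
ip access-list extended WEB-TO-FIOS
 permit tcp 203.0.113.0 0.0.0.7 any eq www
 permit tcp 203.0.113.0 0.0.0.7 any eq 443
!
! Track reachability of the FIOS gateway so PBR falls back to the normal
! routing table (the T1) when the FIOS link is down.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! verify-availability: apply the next hop only while track 1 is up;
! otherwise the packet is routed normally via the default route.
route-map WEB-VIA-FIOS permit 10
 match ip address WEB-TO-FIOS
 set ip next-hop verify-availability 198.51.100.1 10 track 1
!
! PBR is applied on the interface that receives traffic from the ASA.
interface GigabitEthernet0/0
 description to ASA outside (203.0.113.2)
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
 ip policy route-map WEB-VIA-FIOS
!
interface Serial0/0/0
 description T1 - VPN peers reach the ASA at 203.0.113.2 via this link
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description FIOS
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
! PAT the policy-routed web traffic to the FIOS address. IOS NAT only acts
! between a "nat inside" and a "nat outside" interface, so traffic leaving
! via the T1 (not marked nat outside) keeps its 203.0.113.x source.
access-list 10 permit 203.0.113.0 0.0.0.7
ip nat inside source list 10 interface GigabitEthernet0/2 overload
```

On R1, `show route-map WEB-VIA-FIOS` shows the policy-routing match counters, `show track 1` and `show ip sla statistics 1` show whether the FIOS gateway is currently reachable, and `show ip nat translations` shows the web sessions translated to 198.51.100.2. The only change on the ASA is its default route (to 203.0.113.1) and freeing port 3; no statics are involved, so the xlate table and shun behaviour described in the accepted answer are unaffected. Note that later ASA releases (9.4(1) and up) added policy-based routing on the ASA itself, which makes the upstream router optional on current code.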

It's true that the ASA does not support PBR at this time, but if you wish to have all your port 80 and 443 traffic go out the 3rd port then, assuming the name of that interface is OUT_3, your static commands would look like:

static (inside,OUT_3) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

static (inside,OUT_3) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

HTH,

Vijaya


Thanks KS, I will stay clear of that hack and pursue the layer 3 PBR route!
