ASA Multiple Outside Interfaces and routing from the DMZ to them?

Unanswered Question
Jan 29th, 2010
User Badges:


Hope you can help, my basic problem is that we have recently added a second outside interface with a new IP range and over a few months I will have to migrate our traffic to the new outside interface

At the moment the origonal outside Int has the default route, proxy traffic, email traffic (translated from the exchange server in the DMZ).

The first traffic I want to move is from the WWW proxy server which is in the dmz, so basically users on the inside connect to the DMZ Proxyserver which has a default gateway of the ASA DMZ interface

I need to maintain existing services on the origonal outside interface but route the Proxy internet traffic only out of the new outside interface? Any ideas?

Any changes to the default route cause major problems

I had thought of an address tranlation to the outside interface and a translation to the inside interface to seperate the tow streams of traffic to the proxy server but I am not sure if that is the best way to tackle this 

Any suggestion would be appreciated

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Wed, 02/03/2010 - 13:16
User Badges:
  • Cisco Employee,

I am thinking you can do some kind of policy NAT to match the port that the clients are using to reach the proxy server and have it being NATed to the DMZ interface, something like:

access-list NATProxy permit tcp any any eq 80

nat (inside) X access-list NATProxy

global (outside) X Z.Z.Z.Z

This will take precedence over the dynamic routing and will redirect traffic out the dmz rather then outside, you would need to adjust it to your needs.

See if this works for you.



This Discussion

Related Content