1 LAN 2 WAN policy based routing

Aug 26th, 2010

Sorry if I repeat a well known fact.

Please confirm that this is right! One ASA with two ISPs can only use one ISP connection at a time. With tracking I can fail over to the other ISP. But I cannot send and receive my SMTP traffic through one and use the other one for all other traffic. Right. ... well there are cheaper products that achieve more...

!

access-list interna_nat_static extended permit tcp host mail-server eq smtp any

!

nat-control
global (Interface_TDM) 1 interface
global (interface_ADSL) 1 interface
nat (interna) 1 192.168.0.0 255.255.255.0
static (interna,Interface_TDM) tcp interface smtp access-list interna_nat_static
access-group interna_access_in in interface interna
access-group Interface_TDM_access_in in interface Interface_TDM
access-group interface_ADSL_access_in in interface interface_ADSL
route interface_ADSL 0.0.0.0 0.0.0.0 ADSLmodem 1
route Interface_TDM 0.0.0.0 0.0.0.0 TDM_router 2

In my case the bold rule is not working as long as the default route is pointing to the interface_ADSL.

Any chance to get that scenario working? (without an extra router...)

It was very unexpected for me that the ASA can't do this.

cheers,

L

Kureli Sankar Thu, 08/26/2010 - 06:56

What you have said is correct.

The only way I can see this working is if your inside e-mail server will ONLY talk to a few e-mail servers at your ISP side.

In this case you can add specific routes out that interface towards one ISP and send the rest of the traffic with a default route via the other ISP.

-KS

Nagaraja Thanthry Thu, 08/26/2010 - 07:34

Hello,

There is a workaround using which you can sort of use both connections simultaneously. However, for you to use this, you need to use the primary connection (one with the default route) for all your incoming traffic (for your servers). For all outgoing traffic (like web browsing) you can use your second ISP.

In the below example, we are sending all Web/HTTPS traffic through Interface_ADSL while your mail server is going via Interface_TDM.

global (Interface_TDM) 1 interface
global (interface_ADSL) 1 interface
nat (interna) 1 192.168.0.0 255.255.255.0
static (interna,Interface_TDM) tcp interface smtp 25 netmask 255.255.255.255

The following two rules will force the firewall to send port 80/443 traffic via the ADSL interface:

static (interface_ADSL, interna) tcp 0.0.0.0 80 0.0.0.0 80 netmask 255.255.255.255
static (interface_ADSL, interna) tcp 0.0.0.0 443 0.0.0.0 443 netmask 255.255.255.255

access-group interna_access_in in interface interna
access-group Interface_TDM_access_in in interface Interface_TDM
access-group interface_ADSL_access_in in interface interface_ADSL

Change the route statements to make TDM the primary interface and ADSL the secondary:

route interface_ADSL 0.0.0.0 0.0.0.0 ADSLmodem 254
route Interface_TDM 0.0.0.0 0.0.0.0 TDM_router 1

Hope this helps.

Regards,

NT
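A small model of the egress decision both replies rely on, added here as an illustration and not posted in the thread: a static whose mapped side faces the inside interface and matches the flow's destination sends the flow out the static's real interface, otherwise the route table (longest prefix, then lowest metric) decides. The Interface_TDM address and the remote host address are constructed placeholders.

```python
"""Added model (not from the thread) of how an ASA with this nat/global style config
picks the egress interface for an inside-initiated TCP flow: a matching static on the
ingress side wins (NAT-based routing), otherwise the best route does."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    # static (real_if, mapped_if) tcp mapped_ip mapped_port real_ip real_port
    real_if: str
    mapped_if: str
    mapped_ip: str   # "0.0.0.0" in the thread's trick matches any destination
    mapped_port: int

@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str
    metric: int

def egress_interface(ingress_if, dst_ip, dst_port, statics, routes):
    """Interface a flow entering on ingress_if towards dst_ip:dst_port leaves on."""
    for s in statics:
        if (s.mapped_if == ingress_if and s.mapped_port == dst_port
                and s.mapped_ip in ("0.0.0.0", dst_ip)):
            return s.real_if   # translated destination lives behind the real interface
    matches = [r for r in routes if ip_address(dst_ip) in ip_network(r.prefix)]
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric)).iface

# Constructed from the poster's config: mail-server static on TDM, ADSL holds the default route.
TDM_IF_IP = "203.0.113.10"   # placeholder for the Interface_TDM address ("interface smtp")
SMTP_STATIC = Static("interna", "Interface_TDM", TDM_IF_IP, 25)
ORIGINAL_ROUTES = [Route("interface_ADSL", "0.0.0.0/0", 1), Route("Interface_TDM", "0.0.0.0/0", 2)]

# NT's workaround: any-destination 80/443 statics behind ADSL, TDM becomes the default route.
WORKAROUND_STATICS = [SMTP_STATIC, Static("interface_ADSL", "interna", "0.0.0.0", 80),
                      Static("interface_ADSL", "interna", "0.0.0.0", 443)]
WORKAROUND_ROUTES = [Route("interface_ADSL", "0.0.0.0/0", 254), Route("Interface_TDM", "0.0.0.0/0", 1)]
REMOTE_HOST = "198.51.100.25"   # placeholder Internet destination

def original_egress(dst_port):
    # Outbound SMTP matches no static on interna, so the ADSL default route wins (what L saw).
    return egress_interface("interna", REMOTE_HOST, dst_port, [SMTP_STATIC], ORIGINAL_ROUTES)

def workaround_egress(dst_port):
    return egress_interface("interna", REMOTE_HOST, dst_port, WORKAROUND_STATICS, WORKAROUND_ROUTES)

if __name__ == "__main__":
    for port in (25, 80, 443):
        print(port, original_egress(port), workaround_egress(port))
```

Running it shows SMTP leaving via ADSL in the original config, and via TDM with 80/443 via ADSL in the workaround.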
