08-26-2010 06:39 AM - edited 03-11-2019 11:30 AM
Sorry if I repeat a well known fact.
Please confirm that this is right! One ASA with two ISPs can only use one ISP connection at a time. With tracking I can fail over to the other ISP. But I cannot send and receive my SMTP traffic through one and use the other one for all other traffic. Right? ... well, there are cheaper products that achieve more...
!
access-list interna_nat_static extended permit tcp host mail-server eq smtp any
!
nat-control
global (Interface_TDM) 1 interface
global (interface_ADSL) 1 interface
nat (interna) 1 192.168.0.0 255.255.255.0
static (interna,Interface_TDM) tcp interface smtp access-list interna_nat_static
access-group interna_access_in in interface interna
access-group Interface_TDM_access_in in interface Interface_TDM
access-group interface_ADSL_access_in in interface interface_ADSL
route interface_ADSL 0.0.0.0 0.0.0.0 ADSLmodem 1
route Interface_TDM 0.0.0.0 0.0.0.0 TDM_router 2
In my case the static (interna,Interface_TDM) rule above is not working as long as the default route is pointing to interface_ADSL.
Any chance to get that scenario working? (without an extra router...)
It was very unexpected for me that the ASA can't do this.
cheers,
L
08-26-2010 06:56 AM
What you have said is correct.
The only way I can see this working is if your inside e-mail server will ONLY talk to a few e-mail servers at your ISP side.
In this case you can add specific routes out that interface towards one ISP and send the rest of the traffic with a default route via the other ISP.
-KS
08-26-2010 07:34 AM
Hello,
There is a workaround using which you can sort of use both connections
simultaneously. However, for you to use this, you need to use the primary
connection (one with the default route) for all your incoming traffic (for
your servers). For all outgoing traffic (like web browsing) you can use your
second ISP.
In the below example, we are sending all Web/HTTPS traffic through
Interface_ADSL while your mail server is going via Interface_TDM.
global (Interface_TDM) 1 interface
global (interface_ADSL) 1 interface
nat (interna) 1 192.168.0.0 255.255.255.0
static (interna,Interface_TDM) tcp interface smtp mail-server 25 netmask 255.255.255.255
The following two rules will force the firewall to send port 80/443 traffic
via the ADSL interface:
static (interface_ADSL,interna) tcp 0.0.0.0 80 0.0.0.0 80 netmask 255.255.255.255
static (interface_ADSL,interna) tcp 0.0.0.0 443 0.0.0.0 443 netmask 255.255.255.255
access-group interna_access_in in interface interna
access-group Interface_TDM_access_in in interface Interface_TDM
access-group interface_ADSL_access_in in interface interface_ADSL
Change the route statements to make TDM the primary interface and ADSL the
secondary:
route interface_ADSL 0.0.0.0 0.0.0.0 ADSLmodem 254
route Interface_TDM 0.0.0.0 0.0.0.0 TDM_router 1
Hope this helps.
Regards,
NT
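An added example, not from the thread and not Cisco code: a small Python model of the egress-interface choice that NT's workaround relies on. It assumes (as a simplification of pre-8.3 ASA NAT behaviour) that a static whose mapped side faces the source interface is matched before the routing table, and that 0.0.0.0 on the mapped side means "any destination"; the interface names, statics and route metrics are taken from the two configurations in the thread.

```python
# Added example: simplified model of ASA egress selection for a new outbound
# connection. Assumption: a static whose mapped side faces the source interface
# is consulted before the routing table (this is what lets
# "static (interface_ADSL,interna) tcp 0.0.0.0 80 ..." steer port 80 via ADSL).
from ipaddress import ip_address, ip_network

# route <ifc> <prefix> <next-hop> <metric>; next hops are not needed by the model.
ROUTES_ORIGINAL = [("interface_ADSL", "0.0.0.0/0", 1), ("Interface_TDM", "0.0.0.0/0", 2)]
ROUTES_NT = [("interface_ADSL", "0.0.0.0/0", 254), ("Interface_TDM", "0.0.0.0/0", 1)]

# static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port>
# "interface" stands for the outside interface address; 0.0.0.0 means "any".
STATICS = [
    ("interna", "Interface_TDM", "tcp", "interface", 25, "mail-server", 25),
    ("interface_ADSL", "interna", "tcp", "0.0.0.0", 80, "0.0.0.0", 80),
    ("interface_ADSL", "interna", "tcp", "0.0.0.0", 443, "0.0.0.0", 443),
]


def route_lookup(dst, routes):
    """Longest prefix match, then lowest metric; returns the egress interface."""
    dst = ip_address(dst)
    best = None
    for ifc, prefix, metric in routes:
        net = ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, ifc)
    return best[1] if best else None


def egress_interface(src_ifc, dst, proto, dport, routes, statics=STATICS):
    """A static whose mapped side faces src_ifc wins; otherwise fall back to routes."""
    for real_ifc, mapped_ifc, sproto, mapped_ip, mapped_port, _, _ in statics:
        if mapped_ifc != src_ifc or sproto != proto or mapped_port != dport:
            continue  # the SMTP static is mapped on Interface_TDM, so it never matches here
        if mapped_ip == "0.0.0.0" or mapped_ip == dst:
            return real_ifc
    return route_lookup(dst, routes)


if __name__ == "__main__":
    for port in (25, 80, 443):
        print(port, "original:", egress_interface("interna", "203.0.113.10", "tcp", port, ROUTES_ORIGINAL),
              "NT:", egress_interface("interna", "203.0.113.10", "tcp", port, ROUTES_NT))
```

With the original routes every outbound flow, SMTP included, leaves via interface_ADSL because the SMTP static only describes inbound mapping; with NT's routes and the two 0.0.0.0 statics, 80/443 leave via interface_ADSL and everything else via Interface_TDM.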