asa 5510 with two outside interfaces

Unanswered Question
Aug 31st, 2010

Hi All,


I have a Cisco ASA 5510 and I'm trying to manage my traffic on it.

I have two outside ports: one will be for Internet traffic that comes from the inside and the other will be for email traffic that comes from the DMZ.

I'm having problems now because I have only one default route, going to outside1, and this way traffic from the DMZ is going to outside2 as well.


Any idea how to do it?


AB

Federico Coto F... Tue, 08/31/2010 - 08:58

Hi,


The problem is the following...


The ASA only works with a single default gateway (can have more than one but cannot use them simultaneously).


So, if you have 1 default gateway out one interface and another default gateway out another interface, only one default gateway will work (the other will be backup).


You can send traffic to the Internet via a second interface (where the primary default gateway is not defined), if you specify the routes you want to reach out that interface.


Federico.

Kureli Sankar Tue, 08/31/2010 - 09:02

Unfortunately the ASA cannot load balance between two different Internet-facing interfaces. You can only add one default route on the ASA. Neither can it do PBR (policy based routing).


I suggest that you get a layer 3 device on the outside to do PBR based on the source IP addresses to which the ASA translates the inside addresses and the DMZ server IP.


Read this thread:

https://supportforums.cisco.com/message/894920


-KS

fixitrodd Tue, 12/15/2015 - 05:31

I know this is an old post, but I wanted to let people know it is possible but can't be done from the GUI. A few years back I called TAC. The tech said it was unsupported but he could help me out. I wanted all my outgoing http traffic to use one interface (internet) and everything else to use the other interface (also the internet). The http interface was also where all my incoming NATs were. It was a way of load balancing at the time for several reasons.

I went back and looked at the backup from that time frame. We no longer have this setup or addresses but here are the lines I think made it possible. If I missed something I apologize, but hopefully it'll help spark the final result you're looking for. Good Luck!

global (Outside) 101 interface
global (ComcastBroadband) 101 interface

route Outside 0.0.0.0 0.0.0.0 64.132.12.161 1
route ComcastBroadband 0.0.0.0 0.0.0.0 50.195.99.22 2

static (ComcastBroadband,Inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

Jon Are Endrerud Wed, 12/16/2015 - 01:34

Attaching my recent post to this. I'm really stuck in this situation; I will try out yours, or get a layer 3 unit.

----------

I've just started consolidation of a 5512x with one ISP and a 5550 with another ISP. The configuration is dumped on a 5555X with FW 9.2(3)4, which then will have 2 ISPs.

To make the migration day easy I want to use both ISPs for VPN/IPSec and Internet traffic, both to and from the outside/inside. I thought there might be some functionality for this, but now I'm not so sure.

Previously I have had some experience using NAT to select the egress interface, but after learning that Cisco suddenly started to remove this functionality in some FWs I started using routing instead. But in the case of two ISPs, there will be two 0.0.0.0 routes, and I don't see how this could work. I also checked out the "track" function on routes, but this applies to a primary/secondary backup scenario.

The other posts on the subject are 2-3 years old, and I'm wondering if someone can point me in the right direction with the current FW releases and this scenario.

Thanx

Jon Are




fixitrodd Wed, 12/16/2015 - 04:36

If you send different traffic each way it might work. But you won't be able to use both for the same type of traffic. If you find a way, let us all know :)

Jon Are Endrerud Fri, 12/18/2015 - 00:11

I installed two Linux boxes with the nginx webserver, inside IPs 10.0.1.46 and 47. I did NAT to outside on ISP1 with the 10.0.1.46 and NAT to outside on ISP2 with the 10.0.1.47.

I can then access the 10.0.1.46 from outside with the NAT for ISP1

I cannot access the 10.0.1.47 from outside with the NAT for ISP2.

I guess this is because of the default route. This is a real bummer, and I can't understand that the NAT is ignored and the routing table decides the egress interface for the return traffic, even when the traffic is initiated from the outside on ISP2.

Correct me if I'm wrong.


Update 18.12.15:

I'm correcting myself: I had actually managed to disable the interface of ISP2 while testing the setup. The configuration above works as expected.
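As an added example that is not from any post in this thread, here is a minimal ASA 9.x configuration for the setup Jon Are describes: two outside interfaces, a single active default route with the second as backup, and per-host static NAT that publishes each server on a different ISP, with the checks used to confirm which interface a connection is bound to. Interface names and all addresses are constructed placeholders (RFC 5737 ranges), not values from the thread.

```text
! Constructed example: dual-ISP ASA 9.x with per-host static NAT.
! Interface names and addresses are placeholders, not from the thread.
interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! Only one default route is active at a time; the higher metric makes ISP2 a
! backup, so new connections from Inside follow ISP1 unless pinned elsewhere.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Static NAT decides which outside interface each server is published on.
! A connection arriving on ISP2 creates its xlate and conn entry on ISP2, and
! the ASA sends the reply back out ISP2 (stateful), whatever the default route.
object network web1
 host 10.0.1.46
 nat (Inside,ISP1) static 203.0.113.10
object network web2
 host 10.0.1.47
 nat (Inside,ISP2) static 198.51.100.10
!
! Both outside interfaces are security-level 0, so each needs its own inbound
! ACL. ACLs reference the real (untranslated) address and allow only the web port.
access-list ISP1_IN extended permit tcp any object web1 eq 80
access-list ISP2_IN extended permit tcp any object web2 eq 80
access-group ISP1_IN in interface ISP1
access-group ISP2_IN in interface ISP2
!
! Checks: simulate an inbound connection on ISP2 (192.0.2.50 is a constructed
! client address), then confirm the xlate and conn are bound to ISP2.
! packet-tracer input ISP2 tcp 192.0.2.50 40000 198.51.100.10 80
! show xlate | include 10.0.1.47
! show conn address 10.0.1.47
```

If packet-tracer reports a drop at the ACL or NAT phase, or show xlate shows no entry for the host, the interface is down or the NAT rule is not matching, which is the failure Jon Are hit while ISP2 was disabled.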

