I am looking to setup a Cisco ASA 5510 with 2 outside networks and 2 inside networks. I would like it setup so that Inside1 will only use the Outside1 connection and Inside2 will only use the Outside2 connection. There will be absolutely no routing of traffic outside of this. I assume that this is possible, but it would be great to have your confirmation. It would be great to know if there is anything I should watch out for when configuring this.
What you are looking for is known as Policy-Based Routing, which can be easily done on a router (route based on source IP addresses).
Unfortunately this is not possible on the ASA platform (Policy-Based Routing), and remember that on the ASA you can only have a route to "x" network.
So that being said, if you know the destination addresses you want to send the traffic to via the right interfaces you will be good (note that I said destination), but if you are trying to do it for all traffic (Internet) you will not be able to make it happen.
Even though Policy-Based Routing is not available on the ASA, you can still use the NAT configuration to achieve what you mention. Even though the commands to achieve this are simple, it will still mean that you have to keep an eye on the order of the NAT configuration a lot more than someone with a more usual setup.
To even be able to do this with NAT you would have to be running the new software levels, 8.3+, preferably at least some 8.4(x) software.
So your options depend on the software your ASA is running.
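As an added illustration of the NAT approach described in the answer above (this is not configuration posted by the answerer; it is an example written for this page), the following ASA 8.4-style configuration pins traffic from each inside network to its own outside interface using twice (manual) NAT rules that name both the ingress and egress interface. On the ASA, a NAT rule that specifies the interface pair determines the egress interface for matching traffic, which is what stands in for source-based policy routing here. All interface names, addresses and next-hop gateways are assumed placeholder values, and the second default route with a higher metric is an assumption about how the next hop on Outside2 is supplied; confirm the egress interface with packet-tracer before trusting it in production.

```text
! --- Example only, not from the original thread. Addresses are placeholders. ---
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/2
 nameif inside1
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface Ethernet0/3
 nameif inside2
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
! Real (pre-NAT) inside networks
object network INSIDE1_NET
 subnet 10.1.0.0 255.255.255.0
object network INSIDE2_NET
 subnet 10.2.0.0 255.255.255.0
!
! Twice NAT (section 1, evaluated top-down in the order entered).
! Naming the (ingress,egress) interface pair makes the rule select the
! egress interface for matching connections, so Inside1 can only leave via
! outside1 and Inside2 can only leave via outside2. Keep these rules explicit
! (no "any,any") so a later, broader rule cannot shadow them.
nat (inside1,outside1) source dynamic INSIDE1_NET interface
nat (inside2,outside2) source dynamic INSIDE2_NET interface
!
! Routing. Assumption: a default route is needed on each outside interface so
! the next hop on that interface can be resolved once NAT has chosen it; the
! ASA keeps only one active default route, hence the higher metric on outside2.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 2
!
! No NAT rule exists between inside1 and inside2 and no ACL permits it, so
! traffic between the two inside networks is not carried by this box.
!
! Check: the second line of output for each trace should report the chosen
! egress interface ("outside1" for the first, "outside2" for the second).
! packet-tracer input inside1 tcp 10.1.0.10 40000 192.0.2.10 80
! packet-tracer input inside2 tcp 10.2.0.10 40000 192.0.2.10 80
```

The order of the two `nat` statements does not matter relative to each other because they match disjoint source networks, but any rule added later that uses `any` as the source or as the interface pair will be placed after them in section 1 only if it is entered later (or given a higher line number), which is the ordering caveat the answer warns about.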
With the exception of the ASA 5510, the Cisco ASAs have a feature called 'Multi-Context Mode'. This mode allows an administrator to 'partition' the firewall into multiple virtual firewalls. There are certain limitations, but this should give you what you are after. If you had an 'OUTSIDE' switch that connected the 2 x ASA subinterfaces as well as the 2 x next-hop routers, you could have a separate routing table (and separate default gateway) for each network/context.
Ok, yes you guys are right. I didn't really think about the "Destination". Both Inside networks will be attempting to access the same Destinations and therefore will probably end up going out through the one Outside interface which I cannot have.
So it looks like I have these options:
I purchase a second ASA 5510 and use it for my Outside2, Inside2 network
I purchase a ASA 5520 or higher and use Multi-Context Mode
I did find in this document though that I can purchase a Security Plus license for the ASA 5510 and have access to two Contexts. Is this correct?