12-10-2009 06:09 AM - edited 03-11-2019 09:47 AM
I have an ASA 5520. I have 4 GE ports. Port 0 is the Outside interface (connected to a T1 with VPN tunnels to remote sites), port 1 is inside, port 2 is a VPN tunnel to our disaster recovery site, and port 3 is open (connected to a FIOS line). What I am trying to do is to get all Internet traffic to use port 3. However, it wants to use the outside interface all the time. I have to keep the outside interface up and running, and so far when I try to make port 3 the port for Internet access, I lose connectivity to our remote sites via the T1 on port 0. How can I direct just port 80 and 443 traffic to use port 3 on the ASA?
12-10-2009 11:31 AM
12-10-2009 05:40 PM
It's true that the ASA does not support PBR at this time, but if you wish to have all your port 80 and 443 traffic go out the 3rd port, then, assuming the name of that interface is OUT_3, your static commands would look like:
static (inside,OUT_3) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (inside,OUT_3) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
HTH,
Vijaya
12-10-2009 05:58 PM
It is this hack that I mentioned not to use. This static gets into the xlate table and pretty much tells the firewall that all addresses live on the OUT_3 interface.
For example, when the IPS device issues a "shun x.x.x.x", or a shun is issued from the ASA CLI for any address (including the inside subnets for which static routes exist), it gets sent out the OUT_3 interface even if you intend for it to go out the other interfaces, due to this.
Please use a layer 3 device upstream and use PBR.
-KS
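The PBR approach KS recommends, shown as an added configuration example for a Cisco IOS router placed on the inside side of the ASA. This is not configuration from the thread or from Cisco documentation for this case; the inside range 10.1.0.0/16, the remote-site range 10.2.0.0/16, the next-hop 192.0.2.1 toward the FiOS path, and the interface names are assumptions for illustration. The point it demonstrates is the difference from the static hack: only TCP/80 and TCP/443 from the inside subnets are diverted, web traffic destined for the VPN-reachable remote sites is explicitly excluded so it keeps using the T1, and everything else (including shuns issued by the ASA) still follows the normal routing table.

```cisco
! Assumed example topology: this router sits between the inside LAN and the ASA.
! Only HTTP/HTTPS from the inside subnets is policy-routed toward the FiOS path.
ip access-list extended WEB-TO-FIOS
 remark Do NOT divert web traffic to the remote sites; that must stay on the T1 VPN
 deny   tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq www
 deny   tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 443
 remark Everything else on 80/443 from inside goes to the FiOS next-hop
 permit tcp 10.1.0.0 0.0.255.255 any eq www
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
!
route-map PBR-WEB permit 10
 description Web traffic from inside -> FiOS path (assumed next-hop 192.0.2.1)
 match ip address WEB-TO-FIOS
 set ip next-hop 192.0.2.1
!
! Traffic that does not match the route-map (denied by the ACL or not 80/443)
! is routed normally, so VPN and management traffic is unaffected.
interface GigabitEthernet0/0
 description Inside LAN (assumed 10.1.1.0/24 gateway)
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-WEB
!
interface GigabitEthernet0/1
 description Toward the ASA inside interface (assumed addressing)
 ip address 10.1.254.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.254.1
```

Verify with "show route-map PBR-WEB" (the policy-routing match counter should increase only for web flows) and "debug ip policy" on a test host before relying on it. Note that the ACL deny entries are what keep HTTP to the remote-site subnets on the T1: a PBR ACL deny means "do not policy-route", not "drop". Later ASA software (9.4 and up) added native PBR on the ASA itself, which removes the need for the upstream router, but at the time of this thread the upstream layer 3 device was the supported way to do this.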
12-14-2009 05:55 AM
Thanks KS, I will stay clear of that hack and pursue the layer 3 PBR route!