Cisco Support Community
New Member

ASA 5520 - redirecting web traffic

I have an ASA 5520.  I have 4 GE ports.  Port 0 is the Outside interface (connected to a T1 with VPN tunnels to remote sites), Port 1 is inside, Port 2 is a VPN tunnel to our disaster recovery site and Port 3 is open (connected to a FiOS line).  What I am trying to do is to get all Internet traffic to use Port 3.  However, it wants to use the outside interface all the time.  I have to keep the outside interface up and running, and so far when I try to make Port 3 the port for Internet access, I lose connectivity to our remote sites via the T1 on Port 0.  How can I direct just port 80 and 443 traffic to use Port 3 on the ASA?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA 5520 - redirecting web traffic

It is this hack that I mentioned not to use. This static gets into the xlate table and pretty much tells the firewall that all addresses live on the OUT_3 interface.

For example, when the IPS device issues a "shun x.x.x.x", or a shun is issued from the ASA CLI for any address (including the inside subnets for which static routes exist), it gets sent out the OUT_3 interface because of this, even if you intend for it to go out the other interfaces.

Please use a layer 3 device upstream and use PBR.

-KS

4 REPLIES
Cisco Employee

Re: ASA 5520 - redirecting web traffic

You can configure some statics to take all the destination port 80 and 443 traffic and send it out port 3, but that is not advisable.

Your best option would be to use a layer 3 device on the outside and use PBR to send the port 80 and 443 requests out one link and the rest via the other link.


-KS
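The upstream-router PBR design that KS recommends, written out as an added example for a Cisco IOS router (this is not configuration from the thread; the interface names, addresses and ISP next hops are assumed for illustration). Later ASA releases (9.4(1) and newer) added policy-based routing natively, but the 5520 never ran those releases, so on this hardware the router in front of the firewall remains the way to do it. The example also covers two things the thread only implies: the FiOS next hop is tracked so web traffic falls back to the T1 if FiOS goes down, and traffic steered onto FiOS is NATed to a FiOS-side address so its replies come back the same way.

```cisco
! Added example (not from the thread): Cisco IOS router inserted between the
! ASA "outside" interface and the two carrier circuits. All interface names,
! addresses and next hops below are assumed for illustration.
!
!   Gi0/0  198.51.100.1/29  toward the ASA; the ASA outside interface is
!                           198.51.100.2 and NATs inside hosts to that address
!                           (on the ASA: route outside 0.0.0.0 0.0.0.0 198.51.100.1)
!   Gi0/1  toward the T1 / ISP-A, next hop 198.51.100.9 (remote-site VPN tunnels)
!   Gi0/2  toward FiOS / ISP-B, next hop 203.0.113.1
!
! 1. The default route stays on the T1, so IKE/ESP to the remote sites and
!    everything that is not web traffic keeps its current path.
ip route 0.0.0.0 0.0.0.0 198.51.100.9
!
! 2. Match only TCP 80/443 sourced from the ASA's NAT address. Keeping the
!    source specific means router-originated traffic and anything arriving
!    from the carriers is never policy-routed.
ip access-list extended WEB_TO_FIOS
 permit tcp host 198.51.100.2 any eq 80
 permit tcp host 198.51.100.2 any eq 443
!
! 3. Track the FiOS next hop so PBR falls back to the default route when the
!    FiOS circuit is down instead of black-holing web traffic.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 4. Policy: matching flows get the FiOS next hop only while track 1 is up.
!    There is no deny clause, so non-matching packets use normal routing.
route-map PBR_WEB permit 10
 match ip address WEB_TO_FIOS
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! 5. Flows steered onto FiOS must leave with a FiOS-side source address,
!    otherwise replies return over the T1 (or ISP-B drops packets carrying a
!    foreign source). Only Gi0/2 is "nat outside", so flows that take the T1
!    path are not translated at all.
ip nat inside source list WEB_TO_FIOS interface GigabitEthernet0/2 overload
!
interface GigabitEthernet0/0
 description ASA outside
 ip address 198.51.100.1 255.255.255.248
 ip nat inside
 ip policy route-map PBR_WEB
!
interface GigabitEthernet0/1
 description T1 to ISP-A
 ip address 198.51.100.10 255.255.255.252
!
interface GigabitEthernet0/2
 description FiOS to ISP-B
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
```

To confirm it is doing what you expect, `show route-map PBR_WEB` reports the policy-routing match count, `show track 1` shows whether the FiOS next hop is currently reachable, and `show ip nat translations` should list only port 80/443 entries with 203.0.113.2 as the translated address. Because the ACL is keyed on the ASA's single NAT address, the ASA's own VPN traffic (UDP 500/4500, ESP) and any shun or reset it generates are never caught by the policy, which is exactly the problem KS describes with the static-based approach.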
Cisco Employee

Re: ASA 5520 - redirecting web traffic

It's true that the ASA does not support PBR at this time, but if you wish to have all your port 80 and 443 traffic go out the 3rd port, then assuming the name of that interface is OUT_3, your static commands would look like:

static (inside,OUT_3) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

static (inside,OUT_3) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

HTH,

Vijaya

New Member

Re: ASA 5520 - redirecting web traffic

Thanks KS, I will stay clear of that hack and pursue the layer 3 PBR route!
