Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Multiple Outside Interfaces and routing from the DMZ to them?


Hope you can help, my basic problem is that we have recently added a second outside interface with a new IP range and over a few months I will have to migrate our traffic to the new outside interface

At the moment the origonal outside Int has the default route, proxy traffic, email traffic (translated from the exchange server in the DMZ).

The first traffic I want to move is from the WWW proxy server which is in the dmz, so basically users on the inside connect to the DMZ Proxyserver which has a default gateway of the ASA DMZ interface

I need to maintain existing services on the origonal outside interface but route the Proxy internet traffic only out of the new outside interface? Any ideas?

Any changes to the default route cause major problems

I had thought of an address tranlation to the outside interface and a translation to the inside interface to seperate the tow streams of traffic to the proxy server but I am not sure if that is the best way to tackle this 

Any suggestion would be appreciated

Everyone's tags (1)
Cisco Employee

Re: ASA Multiple Outside Interfaces and routing from the DMZ to

I am thinking you can do some kind of policy NAT to match the port that the clients are using to reach the proxy server and have it being NATed to the DMZ interface, something like:

access-list NATProxy permit tcp any any eq 80

nat (inside) X access-list NATProxy

global (outside) X Z.Z.Z.Z

This will take precedence over the dynamic routing and will redirect traffic out the dmz rather then outside, you would need to adjust it to your needs.

See if this works for you.