I have an ASA 5520 with 2 outside interfaces connected to 2 ISPs that are both active at the same time (so this is NOT a typical ISP backup as described in the ASA documentation).
ISP1 (interface outside1) is used for web publishing sites, ISP2 (interface outside2) is used for client web browsing. I configured the default gateway on "outside2" to allow clients to access the web through ISP2.
I MUST publish web sites on "outside1", so my problem is:
- I have requests for web sites coming from the Internet through ISP1, entering "outside1" and going through static NAT between "outside1" and the DMZ.
- the response packet (from the web server on the DMZ to the client) could go out through "outside2" because the default gateway is set on this interface.
- so the web traffic comes in on one outside interface (outside1) and goes out through the other one (outside2)... this could be a problem!!! (I know the ASA does not support policy routing)
My question is:
- is it possible that the ASA, seeing that traffic comes in on outside1, routes the web response through the same interface without using the default gateway?
I suppose that (I'm not sure):
- the ASA opens a connection slot between "outside1" and the DMZ when the web request arrives.
- when the response comes back from the web server to the client, the ASA remembers that the connection originated from "outside1" and routes the packet to this interface even if the "default gateway" is on the other interface.
- in addition, there is also the xlate table that records the NAT between "outside1" and the DMZ... and maybe this could be another condition that forces the ASA to respond on this interface.
Is this the behaviour of the firewall, or does it always route traffic to the default gateway? Thank you very much in advance.
I am not quite sure if this works, but if you have a downstream router connected to the DMZ LAN with your web servers behind that router, policy routing on that router for return traffic from your web servers might help.
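As an added example (not the poster's configuration), this is the scenario from the question written out in ASA 8.3+ syntax with constructed placeholder addresses, ending with the two show commands whose output lists the interface pair each connection and xlate was built on, so the return path can be confirmed on the box instead of guessed:

```cisco
! Added example, not the poster's configuration. Addresses are constructed placeholders
! (192.0.2.x for ISP1, 198.51.100.x for ISP2, 10.1.1.10 for the DMZ web server).
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Single default route: every non-connected destination is sent out outside2 (ISP2).
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Static NAT for the published web server, tied to the (dmz,outside1) interface pair.
object network web-dmz
 host 10.1.1.10
 nat (dmz,outside1) static 192.0.2.10
!
! Permit inbound HTTP on outside1; from 8.3 on, the ACL matches the real (untranslated) address.
access-list outside1_in extended permit tcp any object web-dmz eq www
access-group outside1_in in interface outside1
!
! Checks to run after sending one test request in via ISP1 (192.0.2.10:80):
! show xlate                      -> the translation and its interface pair
! show conn address 10.1.1.10     -> the connection entry with both interface names
```

If the conn entry for the test request shows outside1 and dmz, the firewall has associated that flow with outside1; if the client never receives a reply, the response is leaving via outside2 and a router-based workaround like the one suggested above is needed.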