09-11-2007 01:38 PM - edited 03-11-2019 04:09 AM
Sorry if this has been asked before but I couldn't find any conclusions on this:
Can an ASA firewall running the latest firmware ever implement policy routing, say like forcing web traffic out interface 1 and all other traffic out interface 2, similar to a regular Cisco router with ip policy route-map commands?
Thanks in advance.
09-11-2007 06:27 PM
Firewalls don't have the capability to do PBR. There are other ways to get similar results depending on your setup.
If you're not doing any VPNs, dynamic routing, or multicast you could do multiple contexts. This makes the ASA into 2 or more separate firewalls. You could then do PBR with a router or L3 switch prior to the firewall that sends traffic for the Internet to one context and the rest to the other.
If you're doing NAT you could use ACLs to control which traffic to NAT to the corresponding outside interface. However, your routes (static, OSPF, RIP) must then send the traffic to the correct interface. You also need to make sure that traffic returns to the interface it was sent from or the connection won't get built. See Policy NAT.
Hope this helps! Please rate if it does!
Thanks,
Chad
09-11-2007 07:11 PM
Actually other firewalls (like Fortinet) do have the ability to do PBR; it's a pity that Cisco's ASA doesn't.
Do you know if it supports ICMP redirects now as well, i.e. if you point to the ASA as your default gateway and the ASA knows that the next hop should be a different router on your LAN, it sends an ICMP redirect to you to inform you of the correct next hop? In the PIX 6.x and 7.0 I could never get that going, so I'm wondering whether they have got it going for ASA 7.2?
Thanks again.
09-11-2007 07:38 PM
Sorry, I meant Cisco Firewalls not all firewalls.
In 6.x code it would not be possible because you can't send traffic back out the same int it came in on.
7.x code has a new command to allow traffic to go out the int it came in on:
same-security-traffic permit intra-interface
I think (never tried it) ICMP redirects will work if you use this command and the firewall is the default gateway for the client. That kind of limits its use, since other than small businesses most people have more than 1 subnet, so the firewall can't be the default. Catch 22!
Thanks,
Chad
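As an added illustration of the Policy NAT approach and the intra-interface command described in Chad's replies (example configuration, not from the original posts), assuming an ASA 7.x with two outside interfaces and made-up interface names, addresses and next hops:

```cisco
! Interfaces (assumed names and documentation-range addresses)
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! The routing table, not NAT, decides the egress interface.
! Only one default route is allowed, so everything not matched
! by a more specific route leaves via outside1.
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
! Destinations that must leave via outside2 need an explicit
! route there, otherwise the NAT rule below never applies.
route outside2 203.0.113.0 255.255.255.0 198.51.100.1 1
!
! Policy NAT: the ACL selects which inside traffic is translated
! to which outside interface address (NAT ID 2 -> outside2).
access-list NAT_OUTSIDE2 extended permit tcp 10.1.1.0 255.255.255.0 203.0.113.0 255.255.255.0 eq 80
nat (inside) 2 access-list NAT_OUTSIDE2
global (outside2) 2 interface
! Everything else is translated to the outside1 address (NAT ID 1).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside1) 1 interface
!
! Return traffic must come back on the interface it left; the
! interface address used for translation makes that hold here.
!
! Allow traffic to re-enter and leave the same interface, the
! precondition for the ICMP-redirect case raised in the thread.
same-security-traffic permit intra-interface
!
! Verification:
!   show route          - confirm which interface a destination uses
!   show xlate          - confirm which global address was chosen
```

Traffic to 203.0.113.0/24 on port 80 exits outside2 because of the specific route; without that route the ACL would match but the packet would still follow the default route out outside1.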