Two ISPs, one ASA 5510... two LANs?

Hello,

I have a Cisco ASA 5510 running 8.2(5) firmware, "base" license and 1GB memory.

Currently we have a running/working network on 192.168.100.0 (Ethernet0/1) that uses comcast (Ethernet0/2) for the ISP.

There is also a T1 at the location that we would like to utilize for the VOIP phones. Is there a way to assign an available ASA port (Ethernet0/3) 192.168.123.1, and have anything on that port use the T1 for internet? I did assign port 3 192.168.123.1, and also set up DHCP on that interface, but when I plug in my laptop -- I do get internet (I created a dynamic NAT rule) but it's going out the comcast instead of the T1 interface.

How do I force outbound traffic on Ethernet0/3 to use Ethernet0/0 for internet? I'm thinking it has something to do with interface security level? I am unfamiliar with command line so if anyone knows how to accomplish this in ASDM that would help.

Here is what I have set up for the interfaces so far:

Ethernet0/0 (name = outside, security level = 1, IP address is public IP of T1)

Ethernet0/1 (name = inside, security level = 100, IP address is 192.168.100.1)

Ethernet0/2 (name = comcast, security level = 0, IP address is public IP of comcast)

Ethernet0/3 (name = VOIP, security level = 100, IP address is 192.168.123.1)

Any help is greatly appreciated!


JohnTylerPearce
Level 7

Can you post your Dynamic NAT Config?

It sounds like, you may have it going from, (VOIP,comcast) and not (VOIP,outside)

Thanks John,

I wish I knew how to do that (or maybe I do?). I ran show run from the CLI and here are the only nat references I found:

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.100.0 255.255.255.0

nat (VOIP) 1 192.168.123.0 255.255.255.0

Is there a better way to get the info?

paolo bevilacqua
Hall of Fame

Wrong forum, post in security - firewalling. You can move your post using the actions panel on the right.

Type 'show run global' .

The ASA does not support PBR, so you cannot mark traffic to leave based on source, only based on destination, which is normally done by routing or NAT.

Q. Can Cisco 5500 Series ASA do a Policy Based Routing (PBR) like Cisco Router? For example, mail traffic should be routed to first ISP while http traffic should be routed to the second one.

A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.

Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics and not to policy route regular traffic as in routers.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

Please rate our assistance with marking the post as answered.

Value our effort and rate the assistance!

Jouni Forss
VIP Alumni

Hi,

With the very latest 8.4 and 9.x software levels you could utilize NAT to have one LAN use ISP1 and other LAN use ISP2.

It's not something that Cisco nor I really suggest but it works.

In your current software level you won't be able to implement it since it uses the older NAT configuration format.

- Jouni
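
An added example, not part of any reply in the thread: a small Python parser for the pre-8.3 `nat`/`global` syntax that lists which (source, egress) interface pairs share a NAT ID, as in the (VOIP,comcast) versus (VOIP,outside) question above, and reports which interface holds the default route. The three `nat` lines are the ones posted in the thread; the `global` and `route` lines and the gateway address are constructed assumptions, since the thread never shows them.

```python
import re

# Constructed sample: the nat lines come from the thread; the global and
# route lines (and the 203.0.113.1 gateway) are assumptions for illustration.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.100.0 255.255.255.0
nat (VOIP) 1 192.168.123.0 255.255.255.0
global (comcast) 1 interface
route comcast 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
# route <ifc> <dest> <mask> <gateway> [distance]; only default routes matter here
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?")


def parse(config):
    """Return (nat rules, global pools, default routes) from pre-8.3 config text."""
    nats, globals_, defaults = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := ROUTE_RE.match(line):
            defaults.append((int(m.group(3) or 1), m.group(1)))
    return nats, globals_, defaults


def nat_pairs(config):
    """List (source_ifc, egress_ifc, nat_id) for nat/global lines sharing an ID."""
    nats, globals_, _ = parse(config)
    # NAT ID 0 is NAT exemption and never pairs with a global pool.
    return sorted({(s, g, i) for s, i, _ in nats if i != 0
                   for g, gid, _ in globals_ if gid == i})


def default_egress(config):
    """Interface of the lowest-distance default route, or None if there is none."""
    _, _, defaults = parse(config)
    return min(defaults)[1] if defaults else None
```

Adding a `global (outside) 1 interface` line to the sample creates a (VOIP,outside) pair, but `default_egress` still returns `comcast`, which is the routing limitation the PBR reply describes.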
