Asa route to different interface

dan.letkeman · ‎01-14-2014

Hello,

I currently have a very simple setup. ASA 5520 advertizing a default route to a 4507 switch and one internet connection for all devices. The asa does the firewalling and NAT.

What I want to do is add a second internet connection to the asa and route, not NAT some of the users to that interface. This second connection will be a layer 2 network to our isp which is hosting a virtual firewall for us. So we want all of our internal ip's to hit the private side of this virtual firewall.

That said i want to keep our existing internet connection and all of the current NAT setup on the ASA.

What would be the best way to accomplish this, as I see that the ASA does not support PBR.

Thanks,

Dan.

Vasilii Mikhailovskii · ‎01-15-2014

Hello, Dan.

Not clear what is desired configuration for this second link and do you need any Internet access failover between interfaces, but:

- you could create additional context on ASA and configure it for second link;

- in this case you will loose dinamic routing (not compatible with contexts);

- you won't be able to run one context in routing mode and another in transparent (if you thought about it);

- PBR should be done before traffic reaches ASA (on switch/router).

Do you have any diagram describing current configuration (almost clear) and configuration for second link (including IP-addresses, NAT and routing if present).