This is our scenario:

We have a Cisco ASA 5512-X and we have 2 different Internet connections from different ISPs connected to it. ISP A is being used for the users' browsing traffic (normal internet), while ISP B is used for site-to-site tunnels and also for the static public IPs used to access the servers from the outside.

So our configuration on the Cisco ASA is that the default route (0.0.0.0) is via ISP A with metric 1, while another default route with metric 2 is via ISP B.

Now the issue is that we have a web server which is reachable from the outside via an IP through ISP B (note: static NAT is configured to map the internal IP of the web server to the static public IP from ISP B), but apparently when this server responds to requests, the replies go out through ISP A, since that is the default route.

This is creating a lot of problems for us. Is there a way to configure the Cisco ASA to reply via ISP B, while of course the users' general traffic still passes through ISP A?

HopelessN00b
StefanGrech

2 Answers

You're not going to be able to achieve source-based routing by modifying the standard route metric. You'll need to use a form of PBR to achieve what you're going for.

Drop on over to Cisco to read up on it or get more information. A bare-bones example would be something like this:

! Standard ACL matching the web server as the SOURCE address
access-list 1 permit <server ip>
!
! Apply the policy on the interface where the server's packets ENTER the device
interface ethernet 1
 ip policy route-map ALT_GW
!
! Traffic matching ACL 1 is forwarded to the alternate (ISP B) gateway;
! everything else falls through to the normal routing table
route-map ALT_GW permit 10
 match ip address 1
 set ip next-hop <alternate gw ip>
!
Ryan Foley
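An added example, not from either answer, of the same idea written in Cisco ASA syntax; the ASA gained policy-based routing in release 9.4(1), and `policy-route route-map` under the interface is the ASA equivalent of IOS `ip policy route-map`. The interface names, the RFC 5737 addresses and the ISP B gateway below are assumptions, and `packet-tracer` is how you confirm which egress interface the ASA actually chooses for a given flow.

```cisco
! Added example for a Cisco ASA running 9.4(1) or later (not the ASA 5512-X
! config from the question). All addresses are constructed placeholders.
!
! Assumed interfaces: inside (servers/users), outsideA (ISP A), outsideB (ISP B).
! Assumed web server 10.0.0.10, static-NATed to 203.0.113.10 on outsideB as the
! question describes; assumed ISP B gateway 203.0.113.1.
!
! 1. Match packets SOURCED by the web server, to any destination.
!    Only this host is steered; every other inside host keeps the
!    metric-1 default route via ISP A untouched.
access-list PBR_WEB_TO_ISPB extended permit ip host 10.0.0.10 any
!
! 2. Route-map: matching traffic is handed to the ISP B gateway.
!    PBR is evaluated before the routing table lookup.
route-map PBR_WEB_TO_ISPB permit 10
 match ip address PBR_WEB_TO_ISPB
 set ip next-hop 203.0.113.1
!
! 3. Bind the route-map to the interface on which the server's packets
!    ENTER the ASA (inside), not to either ISP-facing interface.
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR_WEB_TO_ISPB
!
! 4. Verify from enable mode. packet-tracer simulates an HTTP reply from the
!    server to a constructed client (198.51.100.25) and prints the ROUTE-LOOKUP
!    phase and the output interface; it should show outsideB, not outsideA.
! show running-config route-map
! show running-config interface GigabitEthernet0/1
! packet-tracer input inside tcp 10.0.0.10 80 198.51.100.25 40000
```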
You need a real router. Cisco ASA firewalls are not routers...

My default routes/gateways in customer environments are usually dedicated routers or layer-3 switches that point all internet traffic to a firewall (ASA) and handle any more specific routes/VLANs themselves.

ip route 0.0.0.0 0.0.0.0 192.168.2.1 

Policy-based routing example for another tenant at the same facility.

!
! Tenant SVI: every packet entering this VLAN interface is checked
! against route-map ISP2 before the normal routing table
interface Vlan30
 description CRISTINA_DATA
 ip address 172.16.30.254 255.255.255.0
 ip policy route-map ISP2
!
! Extended ACL matching anything sourced from the tenant's subnet
access-list 100 permit ip 172.16.30.0 0.0.0.255 any
!
! "set ip default next-hop" only overrides the DEFAULT route: traffic
! with a more specific route (other VLANs, the site LAN) is still
! routed normally, only internet-bound traffic goes to ISP2
route-map ISP2 permit 10
 match ip address 100
 set ip default next-hop 172.16.30.1

Of course, you also have the option of adding a link balancer, since that's really what you want here. Something like an Elfiq device would give you more granular control over traffic flows with better failover capabilities, while keeping your existing firewall in place.

ewwhite