[c-nsp] ASA Routing Question

Stuart Lowes Stuart_Lowes at coffey.com.au
Wed Jun 27 04:49:23 EDT 2007


Not sure if it will do exactly what you want, but you may want to look
into the Security Context (multiple virtual firewalls) feature of the
ASAs -
http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html

On an ASA5510 you need the Security Plus license + up to 3 extra context
licenses (default is 2 only). ASA5520 and above obviously support more.

You could have something like

          ASA
        ----------
DSL1---|Context1  |  VLAN          VLAN1
       |          | Trunk         /
DSL2---|Context2  |=========L2_SWITCH-- VLAN2
       |          |               \
DSL3---|Context3  |                VLAN3
        ----------


?? You'd probably need a router if all those machines on separate VLANs
needed to talk to each other internally i.e. other than through the DSL
connections.

Not 100% sure if this would work for your scenario, but worth a look?

Stuart

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paolo 
> Riviello www.paoloriviello.com
> Sent: Wednesday, 27 June 2007 6:14 PM
> To: dbutts at fcg.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA Routing Question
> 
> Daniel,
> this is a great question, in my understanding, route map (source based
> routing) on ASA is possible only for OSPF dynamic routing 
> purpose, so I don't know how to solve your problem, that is 
> my problem too.
> 
> 
> I hope someone can help us to figure out how to do it.
> 
> 
> 
> --
> 
> Paolo Riviello
> 
> Mob.   +39.328.1749468
> Home: http://www.paoloriviello.com
> E-mail: paolo at paoloriviello.com
> E-mail & msn: pao_rivi at hotmail.com
> Skype: pao_rivi
> 
> If men could get pregnant, abortion would be a sacrament. -H-
> 
> 
> 
> 
> 
> >From: "Butts, Daniel" <dbutts at fcg.com>
> >To: <cisco-nsp at puck.nether.net>
> >Subject: [c-nsp] ASA Routing Question
> >Date: Tue, 26 Jun 2007 17:41:24 -0700
> >
> >I have an ASA 5510 with 4 interfaces. I'd like to have one internal and
> >three external (connected to separate DSL modems). I would also like to
> >divide my inbound and outbound traffic across these three connections:
> >
> >dsl 1 for SMTP, FTP, VPN (site-to-site and client)
> >dsl 2 for Internet facing web servers
> >dsl 3 Internet browsing for LAN machines
> >
> >On the inside of the network I can logically separate the machines by
> >VLAN so that they are easy to distinguish in ACLs. The inbound access
> >seems straightforward since I can set up static NATs for each of the
> >machines I need to reach from their respective DSL connections. I can
> >also NAT and/or PAT the outbound traffic and restrict it to a
> >particular outbound interface on the ASA using ACLs.
> >What I can't figure out is how to direct the outbound traffic out the
> >correct ASA interface. Although I can set a default route on each of
> >the interfaces it appears to always use the first non-shut interface
> >with a default gateway (in this case dsl1).
> >
> >For example---
> >
> >The default routes on the ASA are:
> >route dsl1 0 0 x.x.x.1 1
> >route dsl2 0 0 y.y.y.1 1
> >route dsl3 0 0 z.z.z.1 1
> >
> >The internal subnets are:
> >10.0.x.0
> >10.0.y.0
> >10.0.z.0
> >
> >The ACLs look like:
> >access-list x2out permit tcp 10.0.x.0 255.255.255.0 any
> >access-list y2out permit tcp 10.0.y.0 255.255.255.0 any
> >access-list z2out permit tcp 10.0.z.0 255.255.255.0 any
> >
> >The ACLs would be applied like:
> >nat (inside) 1 access-list x2out 0 0
> >global (dsl1) 1 x.x.x.2 netmask 255.255.255.255
> >nat (inside) 2 access-list y2out 0 0
> >global (dsl2) 2 y.y.y.2 netmask 255.255.255.255
> >nat (inside) 3 access-list z2out 0 0
> >global (dsl3) 3 z.z.z.2 netmask 255.255.255.255
> >
> >Will it match the ACL for the correct interface based on the source 
> >address (of the internal subnet), then NAT to the subnet of the 
> >appropriate interface, then send the traffic to that default route?
> >
> >or
> >
> >Will it match the first default gateway, try to match the traffic to
> >that ACL and then fail for all traffic except 10.0.x.0?
> >
> >Is this an impossible scenario? Am I over thinking this?
> >
> 



