[c-nsp] ASA Routing Question

Butts, Daniel dbutts at fcg.com
Tue Jun 26 20:41:24 EDT 2007


I have an ASA 5510 with 4 interfaces. I'd like to have one internal and three external (connected to separate DSL modems). I would also like to divide my inbound and outbound traffic across these three connections:
 
dsl 1 for SMTP, FTP, VPN (site-to-site and client)
dsl 2 for Internet facing web servers
dsl 3 Internet browsing for LAN machines
 
On the inside of the network I can logically separate the machines by VLAN so that they are easy to distinguish in ACLs. The inbound access seems straightforward since I can set up static NATs for each of the machines I need to reach from their respective DSL connections. I can also NAT and/or PAT the outbound traffic and restrict it to a particular outbound interface on the ASA using ACLs.
What I can't figure out is how to direct the outbound traffic out the correct ASA interface. Although I can set a default route on each of the interfaces it appears to always use the first non-shut interface with a default gateway (in this case dsl1).
 
For example---
 
The default routes on the ASA are:
route dsl1 0 0 x.x.x.1 1
route dsl2 0 0 y.y.y.1 1
route dsl3 0 0 z.z.z.1 1
 
The internal subnets are:
10.0.x.0
10.0.y.0
10.0.z.0
 
The ACLs look like:
access-list x2out permit tcp 10.0.x.0 255.255.255.0 any
access-list y2out permit tcp 10.0.y.0 255.255.255.0 any
access-list z2out permit tcp 10.0.z.0 255.255.255.0 any
 
The ACLs would be applied like:
nat (inside) 1 access-list x2out 0 0
global (dsl1) 1 x.x.x.2 netmask 255.255.255.255
nat (inside) 2 access-list y2out 0 0
global (dsl2) 2 y.y.y.2 netmask 255.255.255.255
nat (inside) 3 access-list z2out 0 0
global (dsl3) 3 z.z.z.2 netmask 255.255.255.255

Will it match the ACL for the correct interface based on the source address (of the internal subnet), then NAT to the subnet of the appropriate interface, then send the traffic to that default route?
 
or 
 
Will it match the first default gateway, try to match the traffic to that ACL and then fail for all traffic except 10.0.x.0?

Is this an impossible scenario? Am I overthinking this?


