[c-nsp] ASA Routing Question

Paolo Riviello www.paoloriviello.com pao_rivi at hotmail.com
Wed Jun 27 04:13:55 EDT 2007


Daniel,
this is a great question. In my understanding, a route map (source-based 
routing) on the ASA is possible only for OSPF dynamic routing purposes, so I 
don't know how to solve your problem; it is my problem too.


I hope someone can help us to figure out how to do it.



--

Paolo Riviello

Mob.   +39.328.1749468
Home: http://www.paoloriviello.com
E-mail: paolo at paoloriviello.com
E-mail & msn: pao_rivi at hotmail.com
Skype: pao_rivi

If men could get pregnant, abortion would be a sacrament. -H-





>From: "Butts, Daniel" <dbutts at fcg.com>
>To: <cisco-nsp at puck.nether.net>
>Subject: [c-nsp] ASA Routing Question
>Date: Tue, 26 Jun 2007 17:41:24 -0700
>
>I have an ASA 5510 with 4 interfaces. I'd like to have one internal and 
>three external (connected to separate DSL modems). I would also like to 
>divide my inbound and outbound traffic across these three connections:
>
>dsl 1 for SMTP, FTP, VPN (site-to-site and client)
>dsl 2 for Internet facing web servers
>dsl 3 Internet browsing for LAN machines
>
>On the inside of the network I can logically separate the machines by VLAN 
>so that they are easy to distinguish in ACLs. The inbound access seems 
>straightforward since I can set up static NATs for each of the machines I 
>need to reach from their respective DSL connections. I can also NAT and/or 
>PAT the outbound traffic and restrict it to a particular outbound interface 
>on the ASA using ACLs.
>What I can't figure out is how to direct the outbound traffic out the 
>correct ASA interface. Although I can set a default route on each of the 
>interfaces it appears to always use the first non-shut interface with a 
>default gateway (in this case dsl1).
>
>For example---
>
>The default routes on the ASA are:
>route dsl1 0 0 x.x.x.1 1
>route dsl2 0 0 y.y.y.1 1
>route dsl3 0 0 z.z.z.1 1
>
>The internal subnets are:
>10.0.x.0
>10.0.y.0
>10.0.z.0
>
>The ACLs look like:
>access-list x2out permit tcp 10.0.x.0 255.255.255.0 any
>access-list y2out permit tcp 10.0.y.0 255.255.255.0 any
>access-list z2out permit tcp 10.0.z.0 255.255.255.0 any
>
>The ACLs would be applied like:
>nat (inside) 1 access-list x2out 0 0
>global (dsl1) 1 x.x.x.2 netmask 255.255.255.255
>nat (inside) 2 access-list y2out 0 0
>global (dsl2) 2 y.y.y.2 netmask 255.255.255.255
>nat (inside) 3 access-list z2out 0 0
>global (dsl3) 3 z.z.z.2 netmask 255.255.255.255
>
>Will it match the ACL for the correct interface based on the source address 
>(of the internal subnet), then NAT to the subnet of the appropriate 
>interface, then send the traffic to that default route?
>
>or
>
>Will it match the first default gateway, try to match the traffic to that 
>ACL and then fail for all traffic except 10.0.x.0?
>
>Is this an impossible scenario? Am I over thinking this?
>

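Added example (not part of either poster's configuration, and not something the 2007 thread could use): ASA software 9.4(1) and later supports policy-based routing with a route map applied on the ingress interface, which is the feature the question is asking for. The configuration below assumes a 9.4+ release and the post-8.3 object NAT syntax; the interface names (inside, dsl1, dsl2, dsl3), the 10.0.x/y/z.0 subnets and the x.x.x.1 / y.y.y.1 / z.z.z.1 gateway placeholders are taken from the question, and the physical interface name and the object/ACL/route-map names are assumptions.

```cisco
! Added example: source-based egress selection on an ASA running 9.4(1) or later.
! Names below (LAN-*, PBR-*, SPLIT-EGRESS, Ethernet0/0) are assumptions.

! Per-VLAN dynamic PAT to the address of the chosen DSL interface.
object network LAN-X
 subnet 10.0.x.0 255.255.255.0
 nat (inside,dsl1) dynamic interface
object network LAN-Y
 subnet 10.0.y.0 255.255.255.0
 nat (inside,dsl2) dynamic interface
object network LAN-Z
 subnet 10.0.z.0 255.255.255.0
 nat (inside,dsl3) dynamic interface

! Match ACLs for the route map. Traffic between internal VLANs is denied first
! so that it is never forced out a DSL line; "ip" rather than "tcp" keeps DNS
! and ICMP on the same path as the TCP sessions of that VLAN.
access-list PBR-X extended deny ip 10.0.x.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list PBR-X extended permit ip 10.0.x.0 255.255.255.0 any
access-list PBR-Y extended deny ip 10.0.y.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list PBR-Y extended permit ip 10.0.y.0 255.255.255.0 any
access-list PBR-Z extended deny ip 10.0.z.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list PBR-Z extended permit ip 10.0.z.0 255.255.255.0 any

! Route map: one clause per source VLAN, each setting the next hop on its DSL line.
route-map SPLIT-EGRESS permit 10
 match ip address PBR-X
 set ip next-hop x.x.x.1
route-map SPLIT-EGRESS permit 20
 match ip address PBR-Y
 set ip next-hop y.y.y.1
route-map SPLIT-EGRESS permit 30
 match ip address PBR-Z
 set ip next-hop z.z.z.1

! PBR is applied where the traffic enters the ASA, i.e. on the inside interface.
interface Ethernet0/0
 nameif inside
 security-level 100
 policy-route route-map SPLIT-EGRESS

! A single default route remains as the fallback for anything no PBR clause matches.
route dsl1 0.0.0.0 0.0.0.0 x.x.x.1 1
```

The route map only steers the first packet of a new outbound flow; because the ASA is stateful, later packets and the replies to inbound connections through the static NATs follow the recorded connection rather than a fresh lookup. Keep only one default route so that traffic the route map does not classify has an unambiguous exit, and verify the result with `show route-map SPLIT-EGRESS` and `packet-tracer input inside tcp 10.0.y.10 1025 8.8.8.8 80`.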
