ASA Routing Question

Discussion in 'Cisco' started by mnkyb0i, Jun 27, 2007.

    I have an ASA 5510 with 4 interfaces. I'd like to have one internal and three external (connected to separate DSL modems). I would also like to divide my inbound and outbound traffic across these three connections:

    dsl 1 for SMTP, FTP, VPN (site-to-site and client)
    dsl 2 for Internet facing web servers
    dsl 3 Internet browsing for LAN machines

    On the inside of the network I can logically separate the machines by VLAN so that they are easy to distinguish in ACLs. The inbound access seems straightforward since I can set up static NATs for each of the machines I need to reach from their respective DSL connections. I can also NAT and/or PAT the outbound traffic and restrict it to a particular outbound interface on the ASA using ACLs.

    What I can't figure out is how to direct the outbound traffic out the correct ASA interface. Although I can set a default route on each of the interfaces it appears to always use the first non-shut interface with a default gateway (in this case dsl1).

    For example---

    The default routes on the ASA are:
    route dsl1 0 0 x.x.x.1 1
    route dsl2 0 0 y.y.y.1 1
    route dsl3 0 0 z.z.z.1 1

    The internal subnets are:
    10.0.x.0
    10.0.y.0
    10.0.z.0

    The ACLs look like:
    access-list x2out permit tcp 10.0.x.0 255.255.255.0 any
    access-list y2out permit tcp 10.0.y.0 255.255.255.0 any
    access-list z2out permit tcp 10.0.z.0 255.255.255.0 any

    The ACLs would be applied like:
    nat (inside) 1 access-list x2out 0 0
    global (dsl1) 1 x.x.x.2 netmask 255.255.255.255
    nat (inside) 2 access-list y2out 0 0
    global (dsl2) 2 y.y.y.2 netmask 255.255.255.255
    nat (inside) 3 access-list z2out 0 0
    global (dsl3) 3 z.z.z.2 netmask 255.255.255.255


    Will it match the ACL for the correct interface based on the source address (of the internal subnet), then NAT to the subnet of the appropriate interface, then send the traffic to that default route?

    or

    Will it match the first default gateway, try to match the traffic to that ACL and then fail for all traffic except 10.0.x.0?


    Is this an impossible scenario? Am I over thinking this?
     
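To show which of the two orderings the poster asks about actually applies, here is an added Python model of the ASA's outbound packet handling. It is not the poster's configuration and not Cisco code. It assumes the documented pre-8.3 ASA order of operations for a new outbound connection: a route lookup chooses the egress interface first, and only then is a `nat`/`global` pair looked up for the (ingress, egress) interface pair, so a `global` bound to a different interface never gets a chance to steer the packet. The addresses are RFC 5737 placeholders standing in for the x/y/z values in the post, and `forward_nat_first` is a hypothetical contrasting model of the behaviour the poster hoped for, included only to make the difference visible.

```python
"""Model of how a pre-8.3 ASA handles the three-default-route, three-NAT-pool
design from the post.  Added example, not the poster's configuration and not
Cisco code.  Assumption: route lookup picks the egress interface, then NAT is
matched for that (ingress, egress) pair; ties between equal routes go to the
first one configured."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: str
    metric: int


@dataclass(frozen=True)
class NatRule:
    nat_id: int
    ingress: str
    source: ipaddress.IPv4Network  # what the access-list on the nat line matches


@dataclass(frozen=True)
class GlobalPool:
    nat_id: int
    egress: str
    address: str


# Constructed from the post: RFC 5737 documentation ranges stand in for
# x.x.x.x / y.y.y.y / z.z.z.z, and 10.0.1-3.0/24 for 10.0.x/y/z.0.
ROUTES = [
    Route("dsl1", ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", 1),
    Route("dsl2", ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", 1),
    Route("dsl3", ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", 1),
]
NAT_RULES = [
    NatRule(1, "inside", ipaddress.ip_network("10.0.1.0/24")),  # access-list x2out
    NatRule(2, "inside", ipaddress.ip_network("10.0.2.0/24")),  # access-list y2out
    NatRule(3, "inside", ipaddress.ip_network("10.0.3.0/24")),  # access-list z2out
]
GLOBALS = [
    GlobalPool(1, "dsl1", "192.0.2.2"),
    GlobalPool(2, "dsl2", "198.51.100.2"),
    GlobalPool(3, "dsl3", "203.0.113.2"),
]


def route_lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Longest prefix, then lowest metric; a tie goes to the first configured route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def nat_lookup(src: str, ingress: str, egress: str,
               nat_rules=NAT_RULES, pools=GLOBALS) -> Optional[str]:
    """First nat rule on the ingress interface whose ACL matches wins; it only
    yields an address if a global with the same id exists on the egress
    interface that the route lookup already chose."""
    addr = ipaddress.ip_address(src)
    for rule in nat_rules:
        if rule.ingress == ingress and addr in rule.source:
            for pool in pools:
                if pool.nat_id == rule.nat_id and pool.egress == egress:
                    return pool.address
            return None
    return None


def forward_route_first(src: str, dst: str, ingress: str = "inside",
                        nat_control: bool = True) -> dict:
    """Assumed pre-8.3 order: route lookup, then NAT for the interface pair."""
    route = route_lookup(dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    xlate = nat_lookup(src, ingress, route.iface)
    if xlate is not None:
        return {"action": "forward", "egress": route.iface, "src": xlate}
    if nat_control:
        # The ASA reports this case as %ASA-3-305005 "No translation group found".
        return {"action": "drop", "egress": route.iface, "reason": "no translation group"}
    # Without nat-control the packet leaves untranslated with its private source.
    return {"action": "forward", "egress": route.iface, "src": src}


def forward_nat_first(src: str, dst: str, ingress: str = "inside") -> dict:
    """Hypothetical: let the matching NAT pool pick the egress interface.
    This is NOT what the ASA does; it is here only for contrast."""
    addr = ipaddress.ip_address(src)
    for rule in NAT_RULES:
        if rule.ingress == ingress and addr in rule.source:
            for pool in GLOBALS:
                if pool.nat_id == rule.nat_id:
                    return {"action": "forward", "egress": pool.egress, "src": pool.address}
    return {"action": "drop", "reason": "no nat rule"}


if __name__ == "__main__":
    for host in ("10.0.1.10", "10.0.2.10", "10.0.3.10"):
        print(host, "route-first:", forward_route_first(host, "203.0.113.99"))
        print(host, "nat-first:  ", forward_nat_first(host, "203.0.113.99"))
```

Under the route-first model every inside subnet is sent to dsl1, the first of the three equal default routes; only 10.0.x.0 has a `global` on that interface, so the other two subnets are dropped with `nat-control` enabled (or, without it, leave dsl1 untranslated with a private source address the ISP will discard). That is the second of the two outcomes the poster describes. On this software train the usual workarounds are an upstream router doing policy routing in front of the ASA, or SLA-tracked backup default routes instead of parallel ones; policy-based routing on the ASA itself only arrived in later software (9.4 and up).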
