Dual gateway configuration on ASA 5520

Discussion in 'Cisco' started by GoogCenter, Sep 3, 2008.

  1. GoogCenter

    GoogCenter Guest

    Hi,

    I have an issue with the configuration of an ASA firewall.

    Currently the configuration is quite basic:

    outside: 10.1.0.2/255.255.0.0
    default route: 10.1.0.1

    inside: 192.168.0.1/255.255.255.0
    "outside" is configured to a first ISP.

    I have a web server & smtp server an IP address 192.168.0.3 which
    receives public traffic from 10.1.0.3 thanks to a static NAT rule.
    Also when the smtp server sends an email it is "seen" on the outside
    est 10.1.0.3

    Now I want to connect an "outside2" interface with network provided by
    an other ISP:

    outside2: 10.3.0.2/255.255..0.0
    router of secondary ISP: 10.3.0.1

    Then I would configure an other server on 192.168.0.4 which would
    receives / send traffic from-to 10.3.0.4

    The problem is that the default route is always the one of the first
    ISP.
    How do I tell ASA firewall that packets coming OUT from ip address
    192.168.0.4 have a default gateway on interface outside2, route
    10.3.0.1 ?

    On linux I would do this with the "mark" feature of iptables which can
    be used on routing tables.
    On a nortel alteon I would do this by creating a secondary gateway on
    a specific vlan
    On a sonicwall firewall it is possible to configure routes according
    to destination and SOURCE ip address.

    Can Cisco do this kind of things?

    Thank you for your help
    GoogCenter, Sep 3, 2008
    #1
    1. Advertising

  2. GoogCenter

    johan Guest

    GoogCenter a écrit :
    >
    > Hi,
    >
    > I have an issue with the configuration of an ASA firewall.
    >
    > Currently the configuration is quite basic:
    >
    > outside: 10.1.0.2/255.255.0.0
    > default route: 10.1.0.1
    >
    > inside: 192.168.0.1/255.255.255.0
    > "outside" is configured to a first ISP.
    >
    > I have a web server & smtp server an IP address 192.168.0.3 which
    > receives public traffic from 10.1.0.3 thanks to a static NAT rule.
    > Also when the smtp server sends an email it is "seen" on the outside
    > est 10.1.0.3
    >
    > Now I want to connect an "outside2" interface with network provided by
    > an other ISP:
    >
    > outside2: 10.3.0.2/255.255..0.0
    > router of secondary ISP: 10.3.0.1
    >
    > Then I would configure an other server on 192.168.0.4 which would
    > receives / send traffic from-to 10.3.0.4
    >
    > The problem is that the default route is always the one of the first
    > ISP.
    > How do I tell ASA firewall that packets coming OUT from ip address
    > 192.168.0.4 have a default gateway on interface outside2, route
    > 10.3.0.1 ?
    >
    > On linux I would do this with the "mark" feature of iptables which can
    > be used on routing tables.
    > On a nortel alteon I would do this by creating a secondary gateway on
    > a specific vlan
    > On a sonicwall firewall it is possible to configure routes according
    > to destination and SOURCE ip address.
    >
    > Can Cisco do this kind of things?
    >
    > Thank you for your help
    >
    >

    I am not sure if it is possible in the ASA, but usually, on
    Cisco'router, it can be done with the *route-map* command (specific
    route applied for packets that match an access-list. Extended access
    list can select packets by source IP).
    johan, Sep 3, 2008
    #2
    1. Advertising

  3. In article <>,
    GoogCenter <> wrote:

    >I have an issue with the configuration of an ASA firewall.


    >Currently the configuration is quite basic:


    >outside: 10.1.0.2/255.255.0.0
    >default route: 10.1.0.1


    >inside: 192.168.0.1/255.255.255.0
    >"outside" is configured to a first ISP.


    >I have a web server & smtp server an IP address 192.168.0.3 which
    >receives public traffic from 10.1.0.3 thanks to a static NAT rule.
    >Also when the smtp server sends an email it is "seen" on the outside
    >est 10.1.0.3


    >Now I want to connect an "outside2" interface with network provided by
    >an other ISP:


    >outside2: 10.3.0.2/255.255..0.0
    >router of secondary ISP: 10.3.0.1


    >Then I would configure an other server on 192.168.0.4 which would
    >receives / send traffic from-to 10.3.0.4


    >The problem is that the default route is always the one of the first
    >ISP.
    >How do I tell ASA firewall that packets coming OUT from ip address
    >192.168.0.4 have a default gateway on interface outside2, route
    >10.3.0.1 ?


    You don't, not unless you use Security Contexts and logically
    seperate networks. PIX / ASA does not have source routing.


    The usual way of handling this sort of thing on PIX / ASA
    is to use "reverse NAT" to translate the incoming -source-
    addresses into a 10.3.x.x address. The inside server would
    see the packets with the 10.3.x.x address, and so would reply
    to that address. The PIX / ASA would see that the most direct
    route to 10.3.x.x was through the outside2 interface so it would
    send the packet to that interface. Once at the interface,
    the reverse NAT would be undone, translating the destination addresses
    on the packets to the original address/port combination for transmission
    through outside2.

    On PIX / ASA it is legal for an interface to have both source and
    destination address translation applied to packets.

    However -- if you use this approach, then "new connections" that
    originate at the new server will use the old "outside" interface
    unless you can construct a static route for those connections that
    you do not mind applying to the other servers as well. E.g.,
    if the new server is the only machine authorized to construct
    a DNS server that is to be reached through outside2 then you
    could construct a general host route via outside2 to that destination.
    But if there is some resource that new connections from inside are to
    use "outside" for the old server and "outside2" for the new server,
    then you are going to have to use Security Contexts, or do the
    routing further oute from the PIX / ASA.
    Walter Roberson, Sep 4, 2008
    #3
  4. Walter Roberson wrote:
    > In article <>,
    > GoogCenter <> wrote:
    >
    >> I have an issue with the configuration of an ASA firewall.

    >
    >> Currently the configuration is quite basic:

    >
    >> outside: 10.1.0.2/255.255.0.0
    >> default route: 10.1.0.1

    >
    >> inside: 192.168.0.1/255.255.255.0
    >> "outside" is configured to a first ISP.

    >
    >> I have a web server & smtp server an IP address 192.168.0.3 which
    >> receives public traffic from 10.1.0.3 thanks to a static NAT rule.
    >> Also when the smtp server sends an email it is "seen" on the outside
    >> est 10.1.0.3

    >
    >> Now I want to connect an "outside2" interface with network provided by
    >> an other ISP:

    >
    >> outside2: 10.3.0.2/255.255..0.0
    >> router of secondary ISP: 10.3.0.1

    >
    >> Then I would configure an other server on 192.168.0.4 which would
    >> receives / send traffic from-to 10.3.0.4

    >
    >> The problem is that the default route is always the one of the first
    >> ISP.
    >> How do I tell ASA firewall that packets coming OUT from ip address
    >> 192.168.0.4 have a default gateway on interface outside2, route
    >> 10.3.0.1 ?

    >
    > You don't, not unless you use Security Contexts and logically
    > seperate networks. PIX / ASA does not have source routing.
    >
    >
    > The usual way of handling this sort of thing on PIX / ASA
    > is to use "reverse NAT" to translate the incoming -source-
    > addresses into a 10.3.x.x address. The inside server would
    > see the packets with the 10.3.x.x address, and so would reply
    > to that address. The PIX / ASA would see that the most direct
    > route to 10.3.x.x was through the outside2 interface so it would
    > send the packet to that interface. Once at the interface,
    > the reverse NAT would be undone, translating the destination addresses
    > on the packets to the original address/port combination for transmission
    > through outside2.
    >
    > On PIX / ASA it is legal for an interface to have both source and
    > destination address translation applied to packets.
    >
    > However -- if you use this approach, then "new connections" that
    > originate at the new server will use the old "outside" interface
    > unless you can construct a static route for those connections that
    > you do not mind applying to the other servers as well. E.g.,
    > if the new server is the only machine authorized to construct
    > a DNS server that is to be reached through outside2 then you
    > could construct a general host route via outside2 to that destination.
    > But if there is some resource that new connections from inside are to
    > use "outside" for the old server and "outside2" for the new server,
    > then you are going to have to use Security Contexts, or do the
    > routing further oute from the PIX / ASA.

    Hey Walter,

    I've always respected your knowledge of the PIX. I've never really been
    a fan of the PIX, but it's what I have now and I'm wondering if the ASA
    is worth reconsidering...alas, that's another story. :)

    Could you talk some more about the "reverse NAT" idea? Wouldn't the PIX
    complain that the 10.3.x.x address was already being NAT'd at the
    Outside interface? How would I actually configure your example?
    fugettaboutit, Sep 4, 2008
    #4
  5. GoogCenter

    GoogCenter Guest

    On Sep 4, 8:43 am, (Walter Roberson) wrote:
    > In article <>,
    >
    >
    >
    > GoogCenter  <> wrote:
    > >I have an issue with the configuration of an ASA firewall.
    > >Currently the configuration is quite basic:
    > >outside: 10.1.0.2/255.255.0.0
    > >default route: 10.1.0.1
    > >inside: 192.168.0.1/255.255.255.0
    > >"outside" is configured to a first ISP.
    > >I have a web server & smtp server an IP address 192.168.0.3 which
    > >receives public traffic from 10.1.0.3 thanks to a static NAT rule.
    > >Also when the smtp server sends an email it is "seen" on the outside
    > >est 10.1.0.3
    > >Now I want to connect an "outside2" interface with network provided by
    > >an other ISP:
    > >outside2: 10.3.0.2/255.255..0.0
    > >router of secondary ISP: 10.3.0.1
    > >Then I would configure an other server on 192.168.0.4 which would
    > >receives / send traffic from-to 10.3.0.4
    > >The problem is that the default route is always the one of the first
    > >ISP.
    > >How do I tell ASA firewall that packets coming OUT from ip address
    > >192.168.0.4 have a default gateway on interface outside2, route
    > >10.3.0.1 ?

    >
    > You don't, not unless you use Security Contexts and logically
    > seperate networks. PIX / ASA does not have source routing.
    >
    > The usual way of handling this sort of thing on PIX / ASA
    > is to use "reverse NAT" to translate the incoming -source-
    > addresses into a 10.3.x.x address. The inside server would
    > see the packets with the 10.3.x.x address, and so would reply
    > to that address. The PIX / ASA would see that the most direct
    > route to 10.3.x.x was through the outside2 interface so it would
    > send the packet to that interface. Once at the interface,
    > the reverse NAT would be undone, translating the destination addresses
    > on the packets to the original address/port combination for transmission
    > through outside2.
    >
    > On PIX / ASA it is legal for an interface to have both source and
    > destination address translation applied to packets.
    >
    > However -- if you use this approach, then "new connections" that
    > originate at the new server will use the old "outside" interface
    > unless you can construct a static route for those connections that
    > you do not mind applying to the other servers as well. E.g.,
    > if the new server is the only machine authorized to construct
    > a DNS server that is to be reached through outside2 then you
    > could construct a general host route via outside2 to that destination.
    > But if there is some resource that new connections from inside are to
    > use "outside" for the old server and "outside2" for the new server,
    > then you are going to have to use Security Contexts, or do the
    > routing further oute from the PIX / ASA.


    Thank you for the advice. I understand now that PBR is not supported
    on ASA. This is a pity given the cost of the device.
    If I understand well your technique, this mean I loose the public Ip
    address on my servers, which is not acceptable for me.

    Thanks again,

    Olivier
    GoogCenter, Sep 5, 2008
    #5
  6. In article <>,
    GoogCenter <> wrote:

    >Thank you for the advice. I understand now that PBR is not supported
    >on ASA. This is a pity given the cost of the device.
    >If I understand well your technique, this mean I loose the public Ip
    >address on my servers, which is not acceptable for me.


    You are correct: if you use source address NAT in order to force
    the reply packets to go out a particular interface, then the
    inside servers will see the NAT'd address, not the public address
    of the client. That is acceptable in some circumstances and
    not acceptable in others. For example -sometimes- all you care about
    is having the theoretical capacity to track the public IP of
    someone abusing a service, and the public IPs can be dug out of
    the PIX / ASA connection logs if the logging level is 6
    (or the appropriate messages are pushed to a higher priority
    than usual using 'logging message'.) But other times you
    really want original IPs to the server; in such a case, source
    NAT would not work and the Cisco method of handling this case
    with the ASA would be to use Security Contexts.
    Walter Roberson, Sep 5, 2008
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Nicolai
    Replies:
    3
    Views:
    1,019
    Nicolai
    Mar 2, 2006
  2. networksecurity
    Replies:
    3
    Views:
    4,862
  3. Chad

    ASA 5520 and DMVPN

    Chad, Oct 5, 2006, in forum: Cisco
    Replies:
    2
    Views:
    6,314
    Everyman
    Oct 9, 2006
  4. Bryan

    ASA 5520 Client VPN Filter

    Bryan, Nov 28, 2006, in forum: Cisco
    Replies:
    1
    Views:
    2,226
    Bryan
    Nov 28, 2006
  5. Replies:
    1
    Views:
    529
    rameshhx
    Feb 22, 2009
Loading...

Share This Page