Daniel, this is a great question. In my understanding, route maps (source-based routing) on the ASA are possible only for OSPF dynamic routing purposes, so I don't know how to solve your problem; it is my problem too.
I hope someone can help us to figure out how to do it.

--
Paolo Riviello
Mob. +39.328.1749468
Home: http://www.paoloriviello.com
E-mail: [EMAIL PROTECTED]
E-mail & msn: [EMAIL PROTECTED]
Skype: pao_rivi

If men could get pregnant, abortion would be a sacrament. -H-

> From: "Butts, Daniel" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Subject: [c-nsp] ASA Routing Question
> Date: Tue, 26 Jun 2007 17:41:24 -0700
>
> I have an ASA 5510 with 4 interfaces. I'd like to have one internal and
> three external (connected to separate DSL modems). I would also like to
> divide my inbound and outbound traffic across these three connections:
>
> dsl 1 for SMTP, FTP, VPN (site-to-site and client)
> dsl 2 for Internet-facing web servers
> dsl 3 for Internet browsing for LAN machines
>
> On the inside of the network I can logically separate the machines by VLAN
> so that they are easy to distinguish in ACLs. The inbound access seems
> straightforward, since I can set up static NATs for each of the machines I
> need to reach from their respective DSL connections. I can also NAT and/or
> PAT the outbound traffic and restrict it to a particular outbound interface
> on the ASA using ACLs.
> What I can't figure out is how to direct the outbound traffic out the
> correct ASA interface. Although I can set a default route on each of the
> interfaces, it appears to always use the first non-shut interface with a
> default gateway (in this case dsl1).
>
> For example:
>
> The default routes on the ASA are:
>
> route dsl1 0 0 x.x.x.1 1
> route dsl2 0 0 y.y.y.1 1
> route dsl3 0 0 z.z.z.1 1
>
> The internal subnets are:
>
> 10.0.x.0
> 10.0.y.0
> 10.0.z.0
>
> The ACLs look like:
>
> access-list x2out permit tcp 10.0.x.0 255.255.255.0 any
> access-list y2out permit tcp 10.0.y.0 255.255.255.0 any
> access-list z2out permit tcp 10.0.z.0 255.255.255.0 any
>
> The ACLs would be applied like:
>
> nat (inside) 1 access-list x2out 0 0
> global (dsl1) 1 x.x.x.2 netmask 255.255.255.255
> nat (inside) 2 access-list y2out 0 0
> global (dsl2) 2 y.y.y.2 netmask 255.255.255.255
> nat (inside) 3 access-list z2out 0 0
> global (dsl3) 3 z.z.z.2 netmask 255.255.255.255
>
> Will it match the ACL for the correct interface based on the source address
> (of the internal subnet), then NAT to the subnet of the appropriate
> interface, then send the traffic to that default route?
>
> or
>
> Will it match the first default gateway, try to match the traffic to that
> ACL and then fail for all traffic except 10.0.x.0?
>
> Is this an impossible scenario? Am I overthinking this?
>
> This email may contain material that is confidential, privileged, and/or
> attorney work product for the sole use of the intended recipient. Any
> review, reliance, or distribution by others or forwarding without express
> permission is strictly prohibited. If you are not the intended recipient,
> please contact the sender and delete all copies.
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
