I have a few sites that are using Cisco 5510 ASAs. Cisco’s ASA5510 latest supported IOS version is 9.7. Cisco released PBR (policy based routing) in version 11. The 5510 can’t be upgraded that high.
Some of my ASAs have a lot going on: IPSEC tunnels, port forwarding, etc. I would like to keep them for now as firewalls. I may upgrade them to newer ASA or Firepower devices, but for now I would like to make the 5510s work.
Each of these sites is getting additional, faster internet connections, and my need to use policy based routing is becoming more of a reality. For example, a specific destination map (public IP block) would use ISP2 and all other traffic would use ISP1.
I have all kinds of Mikrotik gear including some CCR-1016-12S cloud core routers. I am thinking about putting the CCR in front of the ASA to do the policy based routing… like we used to do with Cisco 1841 integrated services routers etc.
I’m looking for any insight into this configuration. Thanks!

I opened a TAC ticket to ask the question: can the ASA with 9.4 perform policy based routing? I ask because I found this:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html
I still would like to set this up using my CCRs.
If anyone has any pointers I am all ears... and thank you!
IOS is totally different than the ASA code trains as you’ve now found out. ASA supports it from 9.4 which your ASAs cannot run. The CCR platform can do the policy aspect. In particular what are you looking to do? Direct web traffic out one pipe and other types of traffic out the other? If you are simply looking for failure the ASA can do that with route tracking.
Thanks for the reply,
You are correct: the 5510 will not run the 9.4 train.
Until I can replace them with newer ones, I plan to implement a CCR in front of the ASA.
The ASA will continue to do NAT, VPN termination (IPSEC and AnyConnect), the port forwarding to internal resources, and firewall.
In front of it I will place a CCR configured purely as a router. The CCR will have 3 active interfaces: one interface for each Internet service provider’s incoming connection and one interface facing inwards towards my ASA. The network between my ASA and the inside interface of the CCR will be a private network range. The two ISP-facing interfaces will use a public IP from the blocks given by the ISP. I will then have to re-configure the ASA considerably, but that shouldn’t be too difficult.
I am looking to configure for failover and for policy based routing outgoing… so say all internal traffic going to Azure or AWS IPs uses this ISP, etc.
Another issue with these 5510s is that their max throughput is 300Mbps and I am looking at installing some 1Gbps connections.
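
The outgoing policy routing and failover described in the last post could look like this on the CCR. This is an added example, not a configuration from any poster in the thread. It assumes RouterOS v6 syntax, and the interface names, addresses and the via-isp2 list are constructed placeholders.

```routeros
# RouterOS v6 syntax (assumed). All names and addresses are constructed placeholders.
# ether1 = ISP1, ether2 = ISP2, ether3 = private transit link to the ASA outside interface.
/ip address
add interface=ether1 address=192.0.2.2/30 comment="ISP1 (placeholder)"
add interface=ether2 address=198.51.100.2/30 comment="ISP2 (placeholder)"
add interface=ether3 address=10.255.0.1/30 comment="transit to ASA (placeholder)"

# Destinations that must leave via ISP2 (for example a cloud provider's public block).
/ip firewall address-list
add list=via-isp2 address=203.0.113.0/24 comment="placeholder destination block"

# Mark only traffic that arrives from the ASA and is destined for the list.
/ip firewall mangle
add chain=prerouting in-interface=ether3 dst-address-list=via-isp2 \
    action=mark-routing new-routing-mark=to-isp2 passthrough=no

/ip route
# Policy table: marked traffic uses ISP2 while its gateway answers pings.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-isp2 \
    check-gateway=ping
# Main table: ISP1 is primary, ISP2 is backup. In v6, marked traffic falls
# back to this table when the to-isp2 route goes inactive.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

# Assumption: the transit network is private, so the CCR translates to the
# public address of whichever uplink a packet leaves on.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

check-gateway=ping only detects loss of the next hop, not an outage further upstream. The CCR also becomes the Internet-facing device in this layout, so its own management services need input-chain filtering on ether1 and ether2, which this example leaves out.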