Please let me hear your experiences about this matter: in Cisco ASA you can have, for example, two default routes to the Internet using two ISPs' links with different "distance", and when the primary route becomes unavailable the secondary takes its place. The current ASA configuration has a NAT definition with a public IP address belonging to the secondary link that is used exclusively for a web service; today everything goes fine, and incoming requests and replies from the web server go over the secondary link. Now I need to replicate that configuration in the MFE, so I defined the NAT in the same way as the ASA's configuration, and when I tried to add an additional default route in the MFE in the form "destination 0.0.0.0 mask 0.0.0.0" the system rejected it with an error message. I read about the failover route in the Static Routing definitions, but my concern is whether the MFE firewall will consider the failover link as available even when the primary route is still "alive".
Do you have any experience like this?
Thanks very much in advance for your opinions and suggestions.
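For readers not familiar with the ASA side of the question, this is an added illustration (not taken from the poster's configuration) of the setup described above: a tracked primary default route, a floating secondary default route with a higher administrative distance, and a static NAT for the web server on the secondary ISP's public address. Interface names, object names and all addresses (RFC 5737 documentation ranges) are assumed placeholders.

```text
! --- Added example, not the original poster's config. Names/addresses are placeholders. ---
! Probe the primary ISP gateway so the primary default route is withdrawn when the link dies
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! Primary default route (distance 1) is installed only while track 1 reports reachable;
! the secondary default route (distance 254) is a floating static that takes over otherwise
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Static NAT for the web server on the secondary ISP's public address.
! Because the ASA is stateful, replies to connections that arrived on "backup" leave via
! "backup" even while the primary default route is active; no PBR is needed for that.
object network web-server
 host 10.0.0.10
 nat (inside,backup) static 198.51.100.10
!
! Inbound access rule for the published service on the secondary link
access-list backup_in extended permit tcp any object web-server eq 80
access-group backup_in in interface backup
```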
What you are describing sounds to me to be very much like policy-based or protocol-based routing (depending on your familiarity with the term), where routes are created based either on source criteria or protocol criteria. This would allow you to route traffic for your web server, or maybe all of your SMTP mail traffic, via a secondary WAN/Internet connection instead of the default gateway.
This is something where the MFE product is sadly lacking. You can only create static routes based on destination network criteria. This works if all of your SMTP traffic is, for example, sent via an external smart host. You can create a static route for that smart host and set the gateway to point to your secondary internet router. But, for static routing, that's about it.
MFE's implementation of a secondary default gateway is for basic link failover. The secondary default gateway only comes into the equation if the probe tests for the primary link show it to be down. Even then, as far as I am aware, it doesn't automatically fail back when the primary link becomes available again - you must instigate a manual failover event (presumably by disconnecting the second WAN router) for traffic to be sent back out via the primary default gateway.
Hi Phil, thanks for your reply!
I'm aware of policy-based routing, well known as PBR in Cisco's world. At first, when the customer told me how that web service works, I thought the same as you: it is PBR! There is no way to surpass the default route with anything other than PBR, but surprisingly there is no PBR configured in the ASA firewall. Nevertheless, your reply about how to deal with MFE and how to route particular traffic gave me an idea, and I'll try it asap.
When I have news I promise to post it here.