Two inside interfaces?

Unanswered Question
Oct 26th, 2007

In a typical WAN scenario a WAN router would be connected to two Distribution Routers/Layer-3 switches for redundancy using routed (/30) Layer-3 links and be running an IGP (EIGRP or OSPF). If one of these links fails there is generally rapid failover and everything is happy...

If I replace this router for a PIX/ASA can I have this same scenario? i.e. two inside interfaces to the same internal networks?

Traffic from the same internal hosts could arrive on either 'inside' interface in the WAN router scenario due to equal-cost paths - is this possible with the PIX/ASA?

My understanding is the PIX creates state based on the source and destination interfaces and therefore allows the relevant traffic. If the source's traffic should arrive on different inside interfaces, can this work?



pjhenriqs Mon, 10/29/2007 - 03:59

Hi Andy,

The ASA's usually have 4 ports so you can configure two different inside interfaces. They would have to be on different subnets though.

The PIX usually have just one inside port and one outside port. In this case you would be forced to configure two sub-interfaces for the inside network (needing another device to split the VLAN traffic conveniently). Again, on different subnets.

All traffic that goes from a higher security level interface to a lower security interface is allowed by default.

I am not sure what is exactly that you need but I hope this helps somewhat.

andrew.butterworth Thu, 11/01/2007 - 09:16

I think you have misunderstood my scenario. I have an ASA with two /30 Inside interfaces (Inside-1 and Inside-2) and a single Outside interface. OSPF is running on both the inside interfaces and there are equal-cost routes both ways (i.e. ASA injects an E2 default route with the same metric to both OSPF neighbors, both OSPF neighbors advertise equal-cost routes to internal IP networks to the ASA).

This means traffic from an internal Host going through the ASA can arrive on either interface. Can this work?

I thought the ASA created state based on source/destination interfaces? If a conversation starts on Inside-1 and then, due to routing, the traffic moves and arrives on Inside-2, will it not confuse the ASA? This is the behaviour I think I am seeing. I haven't tested it too thoroughly yet as it's just in a Lab. Currently the 2nd Inside interface is disabled as traffic was intermittent with it enabled.



pjhenriqs Thu, 11/01/2007 - 09:42

Hi Andy,

So you are NATing both inside networks (inside-1 and inside-2) to the outside address of the ASA?

In theory, I believe the ASA would translate using a port number so the return traffic would know which translation it should use.

I'm not seeing why it would cause a conflict but just to be sure you might want to translate the inside-1 address to an address on an outside pool and a different address for inside-2.



andrew.butterworth Thu, 11/01/2007 - 09:48

That wouldn't work. If traffic from Host A arrived on Inside-1 and was NAT'd to the Outside interface with address X, and Host A traffic then arrived on Inside-2 to go out, it would get NAT'd to address Y? This can't work as the external host would see two connections trying to be one.

I think I am going to have to adjust the routing so only one Inside interface is used and the 2nd Inside interface is a 'backup' with a high metric.


andrew.butterworth Fri, 11/02/2007 - 16:35

This is all in a Lab so we can do whatever we want really... I was just trying to replicate what I would normally do with a router. Thanks for confirming my original thoughts - i.e. that it won't work. I'll play around with the routing and make the 2nd link a 'backup' using a high metric.
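As an added illustration of the 'backup link with a high metric' approach the thread settles on (constructed example, not a configuration from the thread or from Cisco documentation; interface names, addresses and the OSPF process id are assumptions), the second inside interface stays up and adjacent but carries a much higher OSPF cost, so a single flow is not split across Inside-1 and Inside-2 and the ASA's connection state stays on one interface pair:

```cisco
! Constructed ASA configuration: two /30 inside interfaces running OSPF,
! with Inside-2 demoted to a backup path by a high interface cost.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside-1
 security-level 100
 ip address 10.0.0.1 255.255.255.252
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif inside-2
 security-level 100
 ip address 10.0.0.5 255.255.255.252
 ! high cost: the ASA only routes toward internal networks via Inside-2
 ! when the Inside-1 neighbor's routes disappear
 ospf cost 1000
!
router ospf 1
 network 10.0.0.0 255.255.255.252 area 0
 network 10.0.0.4 255.255.255.252 area 0
 ! E2 default as in the thread; both neighbors see the same metric, so
 ! their tie-break is the cost to reach the ASA
 default-information originate always metric 10 metric-type 2
!
! OSPF interface cost is outbound only, so the distribution router on the
! Inside-2 link must raise its own cost toward the ASA as well (IOS side,
! assumed interface name), otherwise host traffic can still arrive on
! Inside-2 while the ASA replies via Inside-1:
!   interface GigabitEthernet0/1
!    ip ospf cost 1000
```

Verify the result with `show route` on the ASA and `show ip route` on the distribution routers: only the Inside-1 path should appear as the active route in each direction until that link fails.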


