ASA and 2 default routes

Unanswered Question
Feb 27th, 2008

hi there. My ASA (v7)has 3 connected interfaces (e0-outside,e1-inside,e2-dmz) and at present its got a default route setup so that all traffic goes out via int e0(outside). Ive got a 2nd net conenction plugged into interface e2-dmz coffigure with a diff network add to that on inte0 and i would like to add a default route so that all traffic for the dmz network goes out of int e2 I have a questions

1)will the pix let me add another default route to gout via another interface??

When i tried entering the following syntax (route dmz 0 0 i got the message "cant add route entry,possible conflict with existing routes"..please help


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Wed, 02/27/2008 - 04:42


Perhaps I have not understood your situation correctly. I think that I understand that you have a connection to outside on E0 with a default route pointing out that interface. I think you explain that you have another network connected on E2 as your DMZ. And I think that you are saying that you want traffic for the DMZ network to go out E2. But it is not clear to me why you are trying to use another default route rather than a route for the network that is on the DMZ.

As you are experiencing the ASA does not allow 2 default routes for 2 different interfaces.



solpandor Wed, 02/27/2008 - 06:07


thanks for the reply, firstly, how did you know my first name?? secondly, the network on the DMZ is from another ISP an i want users connected on the dmz to go out to the net via the dmz (interface/network/2nd ISP whichever u may want to call it) and not the primary interface e0 (which at present is our main internet connection out/in. is this clear??

trueposmis Wed, 02/27/2008 - 11:48

Normally you have an inside and an outside for every flow (not necessarily using those names though). Are you saying that you are going to connect the dmz interface to the public internet and connect clients to the same segment?

Does that describe your problem better? If not can you better explain your topology?

I think you would need to use another interface.

Richard Burts Wed, 02/27/2008 - 12:18


Firstly - I knew your name because I looked at your profile on NetPro. Frequently when I am answering a question I look at the profile of the person who asked the question. Some people create IDs and put names that obviously want to disguise themselves and stay anonymous and in that case I do not try to use a name. But where there appears to be a genuine name I frequently use the name. I believe it promotes a more friendly atmosphere on the forum to do this.

If I am understanding correctly you really have 1 inside interface where users connect and will have 2 interfaces that connect to the outside (effectively 2 outside interfaces and no DMZ). If I am not understanding this correctly then please clarify.

The ASA does not really support 2 equal outside interfaces and 2 default routes to different interfaces. It may be possible to configure a default route to one interface and to configure static routes for various other public networks to use the other interface.

I believe in release 8 the ASA supports the concept of backup interface. But that is not quite what you are looking for I believe.



solpandor Wed, 02/27/2008 - 14:00

rick, you understand it correctly. we will in effect have 2 outside interfaces...and having read on the cisco site under the ASA product configuration doc, and as youve pointed out, this is not allowed...thanks for taking the time to reply...

solpandor Thu, 02/28/2008 - 04:32

As you mentioned i have a default route for all users on the inside network (e1) to go to the net via interface e0(outside) and i want users on the 2nd outside interface (the old dmz) to use its default gateway (that of 2nd ISP) to go to a particular network on the net but i cant get this to work.

I have on the ASA created a global pool (an IP add frm the 2nd isp's range)

global (outside) 20 xx.xx.xx.xx

nat (dmz) 20 xx.xx.xx.xx 255.255.255.xx

!-access list to permit any hosts to go out ---!

access-list DMZ_OUT extended permit ip any any

!-----apply access list to interface inbound ----!

access-group DMZ_OUT in interface dmz

!----static route below to access my pc at home ----!

route dmz xx.xx.xx.xx xx.xx.xx.xx 1

The pc which has an Ip in the public Ip range can ping its default g/w (ip add of the old dmz interface) but i cant telnet to my pc at home

Please help


This Discussion