Routing between interfaces on ASA

Unanswered Question
May 21st, 2008

I have an ASA with three interfaces: inside, outside and otherlan. On otherlan there's an EthernetDevice that must be reached from inside, but not from outside.

The relevant part of configuration is:

name A.B.C.D EthernetDevice

interface Vlan1
 nameif inside
 security-level 100
 ip address X.Y.Z.T

interface Vlan2
 nameif outside
 security-level 0

interface Vlan3
 nameif otherlan
 security-level 50
 ip address A.B.C.E

interface Ethernet0/0

interface Ethernet0/1
 switchport access vlan 2

interface Ethernet0/2
 switchport access vlan 3

access-list otherlan_access_in extended permit ip host EthernetDevice X.Y.Z.0
access-list inside_access_list extended permit ip X.Y.Z.0 host EthernetDevice
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,otherlan) EthernetDevice EthernetDevice netmask
access-group inside_access_in in interface inside
access-group otherlan_access_in in interface otherlan
route outside X.Y.Z.T 1

EthernetDevice has an embedded HTTP server, which is working, i.e. it's reachable from a PC on otherlan, and it has A.B.C.E as its default gateway.

The problem is that I can't reach it from a PC on the inside LAN, and in the ASA log I have the following error:

portmap translation creation failed for tcp src inside:X.Y.Z.P/2461 dst altralan:EthernetDevice/80

I've also tried to use:

global (otherlan) 2 X.Y.Z.4-X.Y.Z.10 netmask

and tried to reach it from a PC whose IP is in the pool, but no luck either.

What is wrong / what haven't I understood?

Thanks in advance
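
Added example, not part of the original thread: in the pre-8.3 syntax used above, a nat rule is paired with a global pool on the egress interface by its NAT ID, and NAT ID 0 means exemption. The Python check below runs over the NAT and ACL lines copied from the question (placeholders kept as posted) and flags a nat ID with no same-ID global on another interface, and an access-group naming an ACL that is absent from the text it is given; the function name and finding wording are assumptions of this example.

```python
import re

# Constructed sample: NAT and ACL lines as posted in the question.
SAMPLE_CONFIG = """\
access-list otherlan_access_in extended permit ip host EthernetDevice X.Y.Z.0
access-list inside_access_list extended permit ip X.Y.Z.0 host EthernetDevice
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inside_access_in in interface inside
access-group otherlan_access_in in interface otherlan
"""

def audit(config, interfaces=("inside", "outside", "otherlan")):
    """Return sorted findings for pre-8.3 nat/global pairing and ACL bindings."""
    globals_, nats, acls, groups = set(), set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups.append((m.group(1), m.group(2)))
    findings = []
    for src, nat_id in nats:
        if nat_id == 0:  # NAT ID 0 is exemption and needs no global pool
            continue
        for dst in interfaces:
            # Dynamic NAT toward dst needs a global on dst with the same ID.
            if dst != src and (dst, nat_id) not in globals_:
                findings.append(f"nat ({src}) {nat_id}: no global ({dst}) {nat_id}")
    for acl, ifc in groups:
        if acl not in acls:  # bound name never appears in an access-list line
            findings.append(f"access-group on {ifc}: access-list {acl} is not defined")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The check only sees the lines it is given, so an ACL defined elsewhere in the full configuration would still be reported as missing here.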


mike-greene Thu, 05/22/2008 - 07:08


I think this static is wrong.

static (inside,otherlan) EthernetDevice EthernetDevice netmask

It should be

static (inside,otherlan) X.Y.Z.T X.Y.Z.T netmask


smitty6504 Thu, 05/22/2008 - 07:55

This is a limitation of the ASA. You cannot have 2 active routes to the outside. You can have a primary link to the outside and a backup link that monitors the interface for an outage.

