ASA with 2 outside interfaces: routing problem

Apr 4th, 2009

Hi,

I have an ASA 5520 with 2 outside interfaces connected to 2 ISPs that are both active at the same time (so this is NOT the typical ISP backup described in the ASA documentation).

ISP1 (interface outside1) is used for web publishing sites, ISP2 (interface outside2) is used for client web browsing. I configured the default gateway on "outside2" to allow clients to access the web through ISP2.

I MUST publish web sites on "outside1", so my problem is:

- I have requests for web sites coming from the Internet through ISP1, entering on "outside1" and going through the Static NAT between "outside1" and DMZ.

- the response packet (from the web server on the DMZ to the client) could be going out through "outside2" because of the default gateway set on this interface.

- so the web traffic is incoming on one outside interface (outside1) and going out through the other one (outside2)... this could be a problem!!! (I know the ASA does not support policy routing)

My question is:

- is it possible that the ASA, seeing that the traffic came in on outside1, routes the web response through the same interface without using the default gateway?

I supposed that (I'm not sure):

- the ASA opens a connection slot between "outside1" and DMZ when the web request arrives.

- when the response comes back from the web server to the client, the ASA remembers that the connection originated from "outside1" and routes the packet to this interface even if the "default gateway" is on the other interface.

- in addition, there is also the xlate table that records the NAT between "outside1" and DMZ... and maybe this could be another condition that forces the ASA to respond on this interface.

Is this the behaviour of the firewall, or does it always route traffic to the default gateway? Thank you very much in advance.


Roberto.

vikram_anumukonda Sat, 04/04/2009 - 20:56

It will always route traffic using the default gateway.


Check this link http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444



I am not quite sure if this works, but if you have a downstream router connected to the DMZ LAN with your web servers behind that router, policy routing on that router for the return traffic from your web servers might help.

roshan.maskey Sun, 04/05/2009 - 17:29

Hi,


The Cisco documentation states that when there is an xlate or static NAT, traffic uses the egress interface of the translated interface.


Now, do you have a default route with the next-hop address pointing to ISP1 (outside1)?


Try adding two default routes, one via outside1 and one via outside2. Check the routing table.


And there should not be any problem with Internet browsing, because as client computers try browsing, by the dynamic NAT rule, outside2 will be chosen.


So, I hope that will work.
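As an added illustration (not configuration posted by anyone in this thread), this is the topology Roberto describes written in pre-8.3 ASA CLI syntax (the style current in 2009), followed by the commands a practitioner would use to verify which interface the ASA actually selects for the reply traffic instead of reasoning about it. Interface names follow the thread; the physical interface slots, the DMZ subnet and all public addresses (RFC 5737 documentation ranges) are constructed assumptions.

```text
! Interfaces (assumed slots): outside1 = ISP1, outside2 = ISP2, dmz = web servers
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Single default route via ISP2: exactly the situation described in the question
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Static NAT: DMZ web server 172.16.10.10 is published as 203.0.113.10 on outside1,
! and only HTTP to that published address is permitted inbound on outside1
static (dmz,outside1) 203.0.113.10 172.16.10.10 netmask 255.255.255.255
access-list outside1_in extended permit tcp any host 203.0.113.10 eq www
access-group outside1_in in interface outside1
!
! Client browsing from the inside is PAT'd to the outside2 interface address (ISP2)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside2) 1 interface
!
! Verification (packet-tracer exists from ASA 7.2):
! 1) simulate a web request from a constructed Internet client 192.0.2.200 arriving
!    on outside1; the output lists each phase (ACL, NAT, ROUTE-LOOKUP) and the
!    resulting input and output interfaces
packet-tracer input outside1 tcp 192.0.2.200 40000 203.0.113.10 80 detailed
! 2) simulate a packet from the DMZ server toward the same client with no existing
!    connection; the ROUTE-LOOKUP phase shows the egress interface the routing
!    table alone would choose (outside2 with the single default route above)
packet-tracer input dmz tcp 172.16.10.10 80 192.0.2.200 40000 detailed
! 3) after a real client request, the connection table shows both interfaces the
!    flow is bound to (e.g. "TCP outside1 192.0.2.200:40000 dmz 172.16.10.10:80"),
!    and the xlate table shows the static translation in use
show conn
show xlate
show route
```

Steps 2 and 3 answer different questions: step 2 shows how a new flow from the DMZ would be routed, while step 3 shows which interface pair an established, already-translated connection is pinned to, which is the case the question is actually about.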
