ASA with 2 outside interfaces: routing problem

robmas0871
Level 1

Hi,

I have an ASA 5520 with 2 outside interfaces connected to 2 ISPs that are both active at the same time (so this is NOT the typical ISP backup described in the ASA documentation).

ISP1 (interface outside1) is used for publishing web sites, ISP2 (interface outside2) is used for client web browsing. I configured the default gateway on "outside2" to allow clients to access the web through ISP2.

I MUST publish the web sites on "outside1", so my problem is:

- I have requests for web sites coming from the Internet through ISP1, entering on "outside1" and going through a Static NAT between "outside1" and the DMZ.

- the response packet (from the web server on the DMZ to the client) could go out through "outside2" because the default gateway is set on this interface.

- so the web traffic is coming in on one outside interface (outside1) and going out through the other one (outside2)... this could be a problem!!! (I know the ASA does not support policy routing)

My question is:

- is it possible that the ASA, seeing that the traffic is coming from outside1, routes the web response through the same interface without using the default gateway?

I suppose that (I'm not sure):

- the ASA opens a connection slot between "outside1" and the DMZ when the web request arrives.

- when the response comes back from the web server to the client, the ASA remembers that the connection originated from "outside1" and routes the packet to this interface even if the "default gateway" is on the other interface.

- in addition, there is also the xlate table that records the NAT between "outside1" and the DMZ... and maybe this could be another condition that forces the ASA to respond on this interface.

Is this the behaviour of the firewall, or does it always route traffic to the default gateway? Thank you very much in advance.

Roberto.

2 Replies

It will always route traffic using the default gateway.

Check this link: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444

I am not quite sure if this works, but if you have a downstream router connected to the DMZ LAN with your web servers behind that router, policy routing on that router for the return traffic from your web servers might help.

roshan.maskey
Level 1

Hi,

The Cisco documents state that, when there is an xlate or static NAT, traffic uses the interface of the translation as its egress interface.

Now, do you have a default route with a next-hop address pointing to ISP1 (outside1)?

Try adding two default routes, one via outside1 and one via outside2. Check the routing table.

And there should not be any problem with Internet browsing because, when a client computer tries to browse, outside2 will be chosen by the Dynamic NAT rule.

So, I hope that will work.
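For readers who want to reproduce the setup discussed in the question and in the two replies, here is an added configuration example in ASA 7.2-era syntax (the release the linked guide covers). It is not code from either poster or from Cisco's documentation. The interface names outside1, outside2 and DMZ follow the original post; the interface slots, the "inside" interface and every IP address are placeholders chosen for the example. It puts the static NAT for the published web server on outside1, the dynamic PAT for client browsing on outside2, the default route via ISP2 as in the question, and the second default route via ISP1 suggested in the second reply, followed by the show commands used to check what the ASA actually does with a connection.

```cisco
! Added example (not from the thread). Interface slots and all
! IP addresses are placeholders (assumptions), not the poster's values.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Static NAT: the DMZ web server 192.168.10.10 is published as
! 203.0.113.3 on outside1 only (the xlate is bound to outside1).
static (DMZ,outside1) 203.0.113.3 192.168.10.10 netmask 255.255.255.255
access-list outside1_in extended permit tcp any host 203.0.113.3 eq 80
access-group outside1_in in interface outside1
!
! Dynamic PAT for client browsing, defined only on outside2, so
! inside-to-Internet traffic is translated to the outside2 address.
global (outside2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Default route via ISP2, as in the original post.
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
! Second default route via ISP1, as suggested in the second reply.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification (exec mode), while a test client on the Internet
! fetches http://203.0.113.3/ :
!   show route          - which default route(s) were installed
!   show xlate          - the static xlate between DMZ and outside1
!   show conn           - the connection entry and its interface pair,
!                         e.g. "TCP outside1 <client>:<port> DMZ 192.168.10.10:80"
```

The useful observation is in `show conn`: the entry names the two interfaces the ASA associated with the connection when the request arrived, so you can see whether the reply to the published site is being tied to outside1 or not. Run `show route` after entering the second default route; if the ASA installed only one of the two, that output tells you which one it is using for traffic that has no matching connection or xlate.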
