2 default routes

Unanswered Question
Jul 21st, 2009

I have a Cisco 3560 switch and I configured VLANs on it.

My switch is attached to a Cisco ASA 5510.

On the ASA there are 3 interfaces: DMZ, Inside and Outside.

I configured a default route on the switch towards the Cisco ASA.

The Internet is attached to a Cisco router which is connected right next to the ASA.

I want to use another Internet connection on the Cisco switch.

To do so, I attached my DSL Internet to a free port and added another default route towards the DSL modem.

this route is towards ASA

ip route

this route is towards DSL Modem

ip route

As soon as I add the second default route, I get disconnected from my internal network and get a very poor response from the DSL modem.

Please advise

Giuseppe Larosa Tue, 07/21/2009 - 02:09

Hello Junais,

You should add specific static routes for your internal network pointing to the ASA or another next hop towards the internal network.


ip route

Hope to help


junshah22 Tue, 07/21/2009 - 02:29

Giuseppe thanks for your urgent reply,

I tried to add static routes for my internal network and a default route for the Internet, but it shows me an error message (inconsistent address and mask).

My Switch port attached with ASA

ASA port attached with switch

DMZ interface on ASA

servers are on DMZ

servers ip address range (

Outside interface on ASA connected with cisco 2811 router

Cisco 2811 router connected with ASA

Vlans are configured on switch 2-10

vlan 2 ip address

vlan 3 ip address

and so on

when I add a static route on switch

ip route

it shows me an error message (inconsistent address and mask)

Please advise



nate-miller Tue, 07/21/2009 - 05:43

The mask is inconsistent- are you trying to add a route for a single host, or the subnet?

try ip route

The switch was confused because in your route statement you've mentioned two different things- point the route for a particular host ( with a subnet mask indicating a /24 -

You want to either point everything starting with 192.168.1.x towards this route (use a mask) or just the single address ( towards this next hop.

I'd revisit your dual-attached internet strategy and describe what it is you're trying to accomplish. You're going to load balance connections through the ASA and the DSL connection to the internet, and the ASA isn't going to be happy about it.

Some traffic will start by establishing a connection to the DSL router, and get a NATed address- then the next packet in this conversation might go out the ASA. Two things are going to happen:

The ASA is going to think, "I don't have this connection in my table. Drop the packet."

Even if the ASA did let the packet out, your 2811 would then NAT the packet and send it out to the destination- but now the receiving web page isn't going to realize that this packet (with a different NAT address) is in any way related to your other session- and stuff is going to break and get really miserable.

If you have a valid need for the DSL router, you need to figure out what it is, and set up some sort of policy route for it.

If the goal is a 'backup connection', then I'd move it outside the ASA, and set up policy routing on the ASA to pick one, then the other.

If the goal is something else... you've got your work cut out for you. :)
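The "inconsistent address and mask" error discussed in this thread, as an added example that is not part of any poster's message: a Python check that flags an `ip route` statement whose prefix has host bits set under its mask and returns the two consistent alternatives (subnet route or /32 host route). The function name and all addresses are constructed for illustration, since the thread's own addresses are not shown.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def check_static_route(line):
    """Validate 'ip route <prefix> <mask> <next-hop>' the way the switch does.

    Returns a dict with 'consistent' (bool) and 'fixes' (list of corrected
    statements, empty when the original is already consistent).
    """
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError("expected: ip route <prefix> <mask> <next-hop>")
    prefix, mask, next_hop = parts[2:5]

    addr = int(ipaddress.IPv4Address(prefix))
    mask_bits = int(ipaddress.IPv4Address(mask))
    ipaddress.IPv4Address(next_hop)  # raises on a malformed next hop

    # A valid mask is a run of 1s followed by a run of 0s, so its inverse
    # must have the form 2**k - 1.
    host_part = mask_bits ^ ALL_ONES
    if host_part & (host_part + 1):
        raise ValueError("mask is not contiguous: " + mask)

    # Consistent means no bit of the prefix falls in the host part.
    if addr & host_part == 0:
        return {"consistent": True, "fixes": []}

    subnet = ipaddress.IPv4Address(addr & mask_bits)
    return {
        "consistent": False,
        "fixes": [
            # Route the whole subnet the mask describes ...
            f"ip route {subnet} {mask} {next_hop}",
            # ... or route only the single host that was typed.
            f"ip route {prefix} 255.255.255.255 {next_hop}",
        ],
    }


if __name__ == "__main__":
    # Constructed sample statements, not taken from the thread.
    for stmt in ("ip route 192.168.1.10 255.255.255.0 10.0.0.1",
                 "ip route 192.168.1.0 255.255.255.0 10.0.0.1",
                 "ip route 0.0.0.0 0.0.0.0 10.0.0.1"):
        print(stmt, "->", check_static_route(stmt))
```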

