ASA 5520 - No Default Route Per Interface?

Answered Question
May 10th, 2010
I have 2 internal interfaces. The actual LAN interface and the Management interface.


I want each of these interfaces to respond to traffic sent to each respectively.


For some reasons I can't set default routes for each interface.


Can anyone drop some wisdom on me on how to make this happen?


Thanks,

Justin

Federico Coto F... Mon, 05/10/2010 - 09:06

Hi,


If you're configuring default gateways via different interfaces on the ASA, the routes must have different metric (so that only one is used at any given time).

If you want to use multiple (up to three) default gateways with the same metric, they must be defined through the same interface of the ASA.


Check this out:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/route_static.html#wp1142906


Federico.

jickfoo Mon, 05/10/2010 - 09:10

Hi Thanks,


I did read that but am still confused.


I am doing separate interfaces. 1 for internal data, 1 for internal management.


If I set the internal data metric with a lower cost, won't that influence traffic leaving the internal management interface?


Thanks,

Justin

Federico Coto F... Mon, 05/10/2010 - 09:15

If you have two interfaces:


Inside

Management


route inside 0 0 x.x.x.x 10

route management 0 0 y.y.y.y 100


Then, all traffic that the ASA receives for which it does not have a matching entry in the IP routing table will be sent through the inside interface. If this interface fails, the traffic will be sent through the management interface (there will be no load-balancing). You could have some problems with this if you do not have the IP SLA tracking feature as well.


Normally, you have a default route out the outside interface (to the Internet) and only static routes or an IGP running on the rest of the interfaces.


Federico.
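
As an added illustration (not part of Federico's post or Cisco's documentation), this is what the two-metric setup with the IP SLA tracking he mentions looks like in ASA 8.x configuration; the addresses and the probe target are placeholders, and only one default route is installed at a time, so replies to management-addressed traffic still leave via inside while the probe succeeds.

```cisco
! Constructed example: two default routes with different metrics, the
! preferred one tied to an IP SLA reachability probe. Addresses are
! placeholders (RFC 5737 documentation ranges).
!
! Probe the inside next hop every 10 seconds with ICMP echo.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface inside
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of probe 1.
track 1 rtr 1 reachability
!
! Preferred default route via inside (metric 10); it stays in the routing
! table only while track 1 reports the next hop reachable.
route inside 0.0.0.0 0.0.0.0 192.0.2.1 10 track 1
!
! Backup default route via management (metric 100); it becomes active only
! after the tracked inside route has been withdrawn.
route management 0.0.0.0 0.0.0.0 198.51.100.1 100
!
! Verification (assumed to be run after applying the config):
!   show route                          -> one 0.0.0.0/0 entry at a time
!   show track 1                        -> Reachability is Up / Down
!   show sla monitor operational-state  -> probe results and return codes
```

Because the probe only tests whether the next hop answers ICMP, an inside NIC that is misbehaving but still forwarding (the case Justin describes) will not trigger the failover, so this addresses link or gateway failure rather than per-interface reply routing.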

jickfoo Mon, 05/10/2010 - 09:29

Thanks again,


So traffic destined to the management interface will be replied to by the internal interface?


To me that is odd and not optimal. I want the management interface to respond to management traffic. If the internal NIC goes haywire (but isn't down) I want to be able to manage through the management interface.


Justin

Correct Answer
Jon Marshall Mon, 05/10/2010 - 10:12
Justin


What switch do you have the management interface connected into? I ask because if it is a 6500 then you can NAT the source IPs to the vlan interface that connects to the management interface vlan so that traffic is always returned correctly.


Unfortunately if it isn't a 6500 then NAT is not supported on catalyst switches.


Jon

jickfoo Mon, 05/10/2010 - 10:17

It is a 6500 but I don't want to do NAT.


Thanks for your help. I think I'm just going to leave the MGMT int unplugged and plug directly in it if trouble occurs. I'll enable management on the internal NIC.


Seems odd to me as this typically is not how a management port works.
