Solved: ASA 5520 - No Default Route Per Interface?

jickfoo · ‎05-10-2010

I have 2 internal interfaces. The actual LAN interface and the Management interface.

I want each of these interfaces to respond to traffic sent to each respectively.

For some reasons I can't set default routes for each interface.

Can anyone drop some wisdom on me on how to make this happen?

Thanks,

Justin

Jon Marshall · ‎05-10-2010

Justin

What switch do you have the management interface connected into ? I ask because if it is a 6500 then you can NAT the source IPs to the vlan interface that connects to the management interface vlan so that traffic is always returned correctly.

Unfortunately if it isn't a 6500 then NAT is not supported on catalyst switches.

Jon

View solution in original post

Federico Coto Fajardo · ‎05-10-2010

Hi,

If you're configuring default gateways via different interfaces on the ASA, the routes must have different metric (so that only one is used at any given time).

If you want to use multiple (up to three) default gateways with the same metric (they should be defined through the same interface of the ASA).

Check this out:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/route_static.html#wp1142906

Federico.

jickfoo · ‎05-10-2010

Hi Thanks,

I did read that but am still confused.

I am doing separate interfaces. 1 for internal data, 1 for internal management.

If I set the internal data metric with a lower cost, wont that that influence traffic leaving the internal management interface?

Thanks,

Justin

Federico Coto Fajardo · ‎05-10-2010

If you have two interfaces:

Inside

Management

route inside 0 0 x.x.x.x 10

route management 0 0 y.y.y.y 100

Then, all traffic that the ASA receives for which it does not have a matching entry in the IP routing table, will be sent through the inside interface. If this interface fails, the traffic will be sent through the management interface (there will be no load-balancing). You could have some problems with this if not having the IP SLA tracking feature as well.

Normally, you have a deafult route out the outside interface (to the Internet) and only static routes or an IGP running on the rest of the interfaces.

Federico.

jickfoo · ‎05-10-2010

Thanks again,

So traffic destined to the management interface will be replied to by the internal interface?

To me that is odd and not optimal. I want the management interface to respond to management traffic. If the internal NIC goes haywire (but isnt down) I want to be able to manage through the management interface.

Justin

Jon Marshall · ‎05-10-2010

Justin

What switch do you have the management interface connected into ? I ask because if it is a 6500 then you can NAT the source IPs to the vlan interface that connects to the management interface vlan so that traffic is always returned correctly.

Unfortunately if it isn't a 6500 then NAT is not supported on catalyst switches.

Jon

jickfoo · ‎05-10-2010

It is a 6500 but I dont want to do NAT.

Thanks for your help. I think I'm just going to leave the MGMT int unplugged and plug directly in it if trouble occurs. I'll enable management on the internal NIC.

Seems odd to me as this typically is not how a management port works.