Varun

How does this work ?

For a start i thought the ASA did not support multiple default-routes pointing out of different interfaces.

And even if it did how does the NAT setup for 172.16.x.0 "tie" it to the outside_new interface ?  Because doesn't the routing define which interface is used for NAT ie. assuming you could have 2 default-routes to different interfaces - 

172.16.5.1 comes in on the inside wirth destination any address. How does the ASA know to use the default-route pointing to 2.2.2.2 ?

Are yoy saying the default-route via 1.1.1.1 is rejected because there is no global (outside) 2 corresponding config ?

Jon

Ooops I must have mixed it up, what I wanted to was:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I mixed it up   But my advise still remains, its just a workaround and not a tested thing, even I have never tested it, so the result might differ, from setup to setup and router shoudl only be used for tyhis purpose.

Glad you pointed it out, nothing beats your eye

Varun

No problem and believe me i mix things up quite often myself

To be honest i am posting for my own clarification on this as much as anything else. And its the NAT config i am intrigued by.

With your config when a packet comes in on the inside interface from 172.16.5.1 with a destination of 15.15.15.1 the routing table is looked up and the routes chosen is via the outside interface ie. next-hop 1.1.1.1. But there is no corresponding global ie.

nat (inside) 2 172.16.x.0 255.255.0.0

but there is no global (outside) 2  statement so  i would have thought the ASA would simply drop the packet because it cannot NAT it.

If the destination was for 130.15.15.1 for example then yes it would work.

Just want to be sure i am not misunderstanding how the nat/global routing interactions wortk.

Edit - will Cisco ever support PBR for the ASA, seems like these sort of questions come up all the time

Jon

Hi Jon and Varun!

Thank you both :-)

I have the same exact doubt as Jon.

This config won't work:

nat (inside) 2 172.16.x.0 255.255.255.0

global (new_outside) 2 interface

route new_outside 0 0 y.y.y.y 2

Because (i think) the fact of a better route in the routing table (AD of 1)

The ASA won't let me allow this:

route new_outside 0 0 y.y.y.y 1 --> complains about the route

Federico.

Hi Federico

No that definitely won't work. You cannot have multiple default-routes pointing out of different interfaces on the ASA. You can have multiple default-routes pointing out of the same interface but that wouldn't help in your situation.

I agree with Varun that the ASA really isn't designed to be a load-balancer and as it doesn't support PBR you really are going to struggle doing this. What you need is PBR on a router(s) that are outside of the ASA but if your ISP controls those routers there is not a lot you can do.

Jon

Yes thats correct what Jon pointed out and I think your situation is different to whats mentioned in the doc, the doc is if half of the network needs to be sent through ISP1 and the other half from ISP2:

route outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

Have a look at the network and subnet masks being used.

I don't think so it shoudl work the way we are trying to, since I ahev also never tested it. The only thing that I have tested is if your 172.16.x.0 is connected behind another interface rqather than inside, lets say inside_2, then this can be accomplished:

static (new_outside,inside_2) 0.0.0.0 0.0.0.0

sysopt noproxyarp inside_2

In teh config above, we are using the static command to route the traffic through new_outside.

Varun

Hi,

I agree with you both, and I really don't like the situation ;-)

But I'm wondering why the following won't work:

route new_outside 128.0.0.0 128.0.0.0 y.y.y.y 1

route new_outside 0.0.0.0 128.0.0.0 y.y.y.y 1

I agree the ASA is not supposed to do this, but just wondering why it does not work like the logic says.

I thought with the above (don't have two default gateways out two different interfaces), just have two routes via ISP2 sending ''all'' traffic out. With the proper NAT configuration?

Thank you guys again for all your input  :-)

I am more clear now :-)

So, besides being an awful solution with the ASA as we all know, it is not even possible correct?

Just to confirm since ''not supported'' does not neccessarily means ''can't possibly do it''!

Thank you,

Federico.

Thank you both guys!

Cheers!

Federico.