Solved: ASA 5510 Configuration. how to configure 2 outside interface.

Lost & Found · ‎04-23-2015

Hi

I Have Cisco 5510 ASA and from workstation I want create a new route to another Router (Outside) facing my ISP.

From Workstation I can Ping ASA E0/2 interface but I cant ping ISP B router inside and outside interface.

I based all my configuration on the existing config. which until now is working

interface Ethernet0/0
description outside interface
nameif outside
security-level 0
ip address 122.55.71.138 255.255.255.2
!
interface Ethernet0/1
description inside interface
nameif inside
security-level 100
ip address 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
description outside interface
nameif outsides
security-level 0
ip address 121.97.64.178 255.255.255.240
!

global (outside) 1 interface

global (outsides) 2 interface ( I created this for E0/2)
nat (inside) 0 access-list nonat

nat (inside) 1 10.34.48.11 255.255.255.255 (Working: To E0/0 to Router ISP A inside and outside interface)

nat (inside) 2 10.34.48.32 255.255.255.255 (Working: To E0/2 to Router ISP A inside interface only but outside cant ping).

route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (Working)

route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (Test For New Route)

ISP Router A working Can ping and I can access the internet

interface FastEthernet0/0
description Connection to ASA5510
ip address 122.55.71.139 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
!
interface S0/0
ip address 111.54.29.122 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
!
ip nat inside source static 122.55.71.139 111.54.29.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0

ISP 2

interface FastEthernet0/0 ( ASA Can ping this interface)
description Connection to ASA5510
ip address 121.97.64.179 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
!
interface E0/0 ( ASA Can 't ping this interface)
ip address 121.97.69.122 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
!
ip nat inside source static 121.97.64.179 121.97.69.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 E0/0

CABLES

ASA to ISP Router B ( Straight through Cable)

ISP Router to IDU ( Straight through Cable)

Hope you could give some tips and solution for this kind of problem thanks

Vibhor Amrodia · ‎04-23-2015

Hi,

Are you able to ping the router interface IP from the ASA device ? If yes , try a packet trace on the ASA device for the traffic for the router IP address.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

Vibhor Amrodia · ‎04-23-2015

Hi,

You can only use a single Default route on the ASA device.

Now , as per your requirement ,

route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (Test For New Route)

(Why do you have this route on the ASA device ?) I see this in the Inside interface Subnet.

Route lookup would be Destination based.

Are you looking to route specific traffic out thru the "outsides" interface ?

If yes , this configuration would not work unless you use some workaround configuration on the ASA device.

Refer:-

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa

https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options

Thanks and Regards,

Vibhor Amrodia

Lost & Found · ‎04-23-2015

Hi yes I want to route outside using the 2 outside interface of the firewall so that I can use both outside interface.

Please see the attached picture for reference. just disregard all the ip addresses.

thanks

Vibhor Amrodia · ‎04-23-2015

Hi,

Although , PBR has been introduced but that will not be supported on this ASA device.

The only workaround is there in the URL link that i provided to you earlier.

Thanks and Regards,

Vibhor Amrodia

Vibhor Amrodia · ‎04-23-2015

Hi,

Are you able to ping the router interface IP from the ASA device ? If yes , try a packet trace on the ASA device for the traffic for the router IP address.

Thanks and Regards,

Vibhor Amrodia

Lost & Found · ‎04-24-2015

Hi,

Yes From firewall i can ping Router inside and outside interface.

Regarding to packet trace It's not enable on my ASA but when I try to enable it there are some commands not supported by my version.

thanks

Lost & Found · ‎04-23-2015

But For now I want to ping my Router B inside and outside interface. but it seems that firewall is not passing or may be the router is not permitting my packet from my workstation.

-mtu outsides 1500
-icmp permit any outsides

-global (outsides) 2 interface
-nat (inside) 2 10.34.50.32 255.255.255.255
-route outsides 0.0.0.0 0.0.0.0 121.97.64.179 2 (Router Inside Interface)
-route inside 10.34.50.0 255.255.255.0 10.34.63.254 1

Please see the attached file. Test ping