Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA with 2 outside interfaces: routing problem

Hi,

i have an ASA 5520 with 2 outside interfaces connected with 2 ISP's that are both active at same time (so this is NOT a typical ISP backup described in ASA documentation).

ISP1 (interface outside1)is used for web publishing sites, ISP2 (interface outside2)is used for client web browsing.I configure default gateway on "outside2" to allow clients to access web trought ISP2

I MUST publish web sites on "ouside1" so my problem is:

- i have requests for web sites coming from Internet trought ISP1, entering to "outside1" and going trought Static NAT between "outside1" and DMZ.

- the response packet (from web server on DMZ to client) could be going out trought "outside2" because of default gateway set on this interface.

- so the web traffic is incoming from one outside interface (outside1)and going out trought the other one (outside2)...this could be a problem!!! (i know ASA does not support policy routing)

My question is:

- is possible that ASA, seeing that traffic is coming from outside1, routes the web response trought the same interface without using the default gateway ?

I supposed that (i'm not sure):

- the ASA opens a connection slot with "outside1" and DMZ when the web request arrives.

- when the response is coming back from the web server to the client, the ASA remembers that connection originates from "outside1" and routes the packet to this interface even if "default gateway" is on the other interface.

- in addition, there is also the xlate table that records the NAT between

"outside1" and DMZ...and maybe this could be another condition that forces the ASA to respond on this interface.

Is this the behaviour of the firewall or it routes traffic always on the default gateway ? Thank you very much in advantage.

Roberto.

2 REPLIES

Re: ASA with 2 outside interfaces: routing problem

It will always route traffic using the default-gateway

Check this link http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444

I am not quite sure if this works - but if you have a downstream router connected to the DMZ Lan with your webservers behind that router, policy-routing on that router for return traffic from your webservers might help.

New Member

Re: ASA with 2 outside interfaces: routing problem

hi,

The cisco documents states, when there is xlate or static nat, traffic uses the egress interface as that of translated interface.

Now, do you have default route with next hope address pointing ISP1(outside1).

Try adding two default routes 1 via outside1 and one via outside2. Check routing table.

And there should not be any problem in internet browsing because as client computer try browsing, by Dynamic NAT rule, outside2 will be chosen.

So, hope that will work.

328
Views
0
Helpful
2
Replies
CreatePlease login to create content