ASA5510 - Multiple Outside Interfaces


We have added our second WAN circuit into the ASA. However, I can't ping the new gateway or the test destination from the ASA. No ARP entry on the new interface. Is this a licensing/version issue or am I missing something?

Version 7.0(8)

This platform has a Base license

interface Ethernet0/1
 nameif outside-new
 security-level 0
 ip address X.X.X.178

route outside-new X.X.X.177

ping outside-new X.X.X.177
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

ping outside-new
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

sh route
S [1/0] via 189.108.X.X, outside
S [1/0] via X.X.X.177, outside-new
S    X.X.X.X inside
C    X.X.X.X is directly connected, inside
C    189.108.X.X is directly connected, outside
C    X.X.X.176 is directly connected, outside-new

sh arp
        outside X.X.X.X 001b.d5f0.64ba 53
        inside X.X.X.X 0006.f68b.7dc4 8584

If you can't even ping your directly connected gateway, then I would look first into physical connectivity.

And you really should update the software. 7.0(8) is not only old, it's already smelling strange ...

I don't think it's a problem related to licensing at all.

Not seeing any ARP behind the new interface is a clear problem.

I would double check that the new public subnet on the new interface is correct. I would also confirm that the gateway IP address is correct. If it's not, then naturally you won't see anything in the ARP.

So the first thing would be to confirm the section between this new interface and the actual ISP gateway for that interface.

- Jouni

Thanks guys.

I have a feeling that the ASA is not connected to the right port on the provider router. That could happen when your provider is in Amsterdam and your remote office is in Sao Paulo and you are managing the turn up from California. Just wanted to make sure no special configuration is needed on the ASA before dispatching another tech.

P.S: Yeah we should upgrade it for sure. It doesn't even support Packet-Trace command :-|

