9567 Views, 0 Helpful, 5 Replies

How to enable two default static route on ASA firewall

Erwin Buena
Level 1

Team: Need your advice regarding the issue that I have with my ASA firewall, wherein I'm planning to connect our internet directly to the firewall that I'm managing. I got this error "ERROR: Cannot add route entry, conflict with existing routes" when I'm adding the default static route towards the internet. Another option that I thought of is modifying the administrative distance for the internet, but it will impact the routing process. Any recommendation?

interface Ethernet0/0
 nameif core
 security-level 100
 ip address 10.200.160.217 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif internet
 security-level 0
 ip address 134.213.160.42 255.255.255.252
!
global (internet) 2 interface
nat (internet) 2 0.0.0.0 0.0.0.0
!
route core 0.0.0.0 0.0.0.0 10.200.160.2 - existing route towards LAN Core network
route internet 0.0.0.0 0.0.0.0 134.213.160.41 1 -> got problem adding this route and gives me this error "ERROR: Cannot add route entry, conflict with existing routes"

thanks,

Erwin

5 Replies

Jennifer Halim
Cisco Employee

You cannot configure 2 default routes pointing to 2 different interfaces on the ASA. That is not a supported configuration.

You can configure static route for your internal subnets pointing towards core.

gouravbathla
Level 1

Please provide output of show route command.

mterlikcisco
Level 1

#1 route core 0.0.0.0 0.0.0.0 10.200.160.2

#2 route Internet 0.0.0.0 0.0.0.0 134.213.160.41

A static route to 0.0.0.0 0.0.0.0 means send all traffic to all destinations through that gateway - here the router will ask "What? Should I use #1 or #2?"

The router (your firewall) will not know where it should send data, because routes #1 and #2 will both say "hey, I am the gateway to that address, I have all addresses on interface 10.200.160.2 and 134.213.160.41", so it will not work.

If you want to do that, you should specify the destination address.

If, for example, your network in the core has address 192.168.0.0/24, you could do something like

#1 route core 192.168.0.0 255.255.255.0 10.200.160.2  -> means I am the gateway to the 192.168.0.0/24 network

#2 route Internet 0.0.0.0 0.0.0.0 134.213.160.41 -> if the destination address in the packet is other than 192.168.0.0/24, send it through the gateway 134.213.160.41

If you have more networks in your core you can add more static routes, or use the OSPF or EIGRP protocols between your ASA and the core device.

If you explain more about how you want to send data, or add a diagram, it will help to answer your question.

Hi,

You can add a default route for the internet like the below.

route internet 0.0.0.0 0.0.0.0 134.213.160.41

If the interface core is the inside LAN then the below route is not required. If you have multiple LAN subnets which need to be routed, then you can configure static routes like this for each subnet.

route core 10.200.160.0 255.255.255.0 10.200.160.2

Please do rate if the given information helps.

By

Karthik
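The route set that mterlikcisco's and Karthik's replies converge on, written out as an added example (not configuration taken from the thread). It assumes the LAN prefixes behind the core switch are 192.168.0.0/24 and 192.168.1.0/24 (placeholders); the gateway and interface names are the ones from the original post.

```text
! Added example, not from the thread. Placeholders: 192.168.0.0/24 and
! 192.168.1.0/24 stand for the LAN subnets behind the core switch. The
! directly connected 10.200.160.0/24 on "core" needs no static route.

! Before: two candidate default routes on two different interfaces.
! The second one is rejected with
! "ERROR: Cannot add route entry, conflict with existing routes"
route core 0.0.0.0 0.0.0.0 10.200.160.2
route internet 0.0.0.0 0.0.0.0 134.213.160.41 1

! After, step 1: remove the default route that points at the core
no route core 0.0.0.0 0.0.0.0 10.200.160.2

! After, step 2: point only the internal prefixes at the core gateway
route core 192.168.0.0 255.255.255.0 10.200.160.2 1
route core 192.168.1.0 255.255.255.0 10.200.160.2 1

! After, step 3: keep exactly one default route, toward the ISP gateway
route internet 0.0.0.0 0.0.0.0 134.213.160.41 1

! Verify: the table should list one 0.0.0.0 0.0.0.0 entry via "internet"
! and one entry per internal prefix via "core"; longest prefix match sends
! 192.168.x.x to the core and everything else to the ISP.
show route
```

The same pattern holds if the core carries more subnets: add one specific route per prefix (or run OSPF/EIGRP with the core, as mterlikcisco notes), never a second default.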

kbyrd
Level 2

I have a similar problem to which I hope there is a good workaround.

I have a single ASA5515X FO pair. I want to use Gig0/0 to terminate one ISP and Gig0/1 to terminate another ISP. Gig0/0 is used for web surfing and RA VPN. Gig0/1 is used for L2L VPN tunnels, of which only one remote endpoint has a static IP address. All other L2L endpoints have dynamic IPs assigned by the ISP. All of the remote L2L endpoints initiate the VPN connection to the ASA5515X; the ASA does not initiate a connection to the remote endpoints.

Prior to the single ASA5515X FO pair, I had two FWs, a PIX506e and an ASA5505, one doing web surfing and RA VPN and the other doing L2L VPN. We wanted to consolidate and have FO that we did not have before.

Right now, I have the 0.0.0.0 route pointing upstream to the ISP on Gig0/0. Web surfing and RA VPN working fine.

For the L2L VPN on Gig0/1, is there a way to route traffic received on that interface used for L2L VPN back out of that same interface? Some sort of policy route?

ASA version is 9.1.1.

Thanks.
