Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

multiple connection asa

I need to connect 1 interface to mpls not nat-ed (Vlan2) and 1 connection to internet nat-ed (Vlan3).  So all traffic out vlan 3 except for private network over mpls.


ASA Version 9.0(3)
hostname X.X.X.X
domain-name X.X.X.X
enable password XXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd X.X.X.X XXXXXXXXXX encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 nameif internet
 security-level 0
 ip address
interface Vlan5
 nameif dmz
 security-level 50
 ip address dhcp
boot system disk0:/asa903-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name XXXXXX
object network obj_any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,internet) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X inside
http outside
http outside
http internet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh X.X.X.X inside
ssh outside
ssh internet
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password XXXXXXX/ encrypted
prompt hostname context
no call-home reporting anonymous
: end

Everyone's tags (1)
Super Bronze

Hi, I think you might need to



I think you might need to clarify the situation a bit.


From what I understood you are saying that you have the basic internal and external interfaces on the ASA and also a link to a MPLS network where possinly some remote sites are located?


I am not sure what you are asking of us though? I do see that you have only configured a default route on the ASA. Naturally if there are some remote sites between one of the interfaces you should have static routes configured for those networks pointing to the correct interface and correct gateway IP address.


For traffic between your LAN and MPLS networks will go without NAT by default so you dont have to worry about that.


If your MPLS networks require NAT towards the External networks then you can do a similiar NAT configuration for it like you have for your LAN at the moment.


Your current interface naming is kinda confusing. It seems that the "outside" holds the default route while the "internet" does not have any routes.


So as I said can you please clarify your requirements for the setup.


- Jouni



New Member

I tried doing the route

I tried doing the route statments but when I do I lose connectivity to the firewall.

Super Bronze

Hi, I am not sure what



I am not sure what changes you made so I can't really say anything. If you changed the default route to point somewhere else then that is probably the reason why you lost connectivity to the firewall.


We would really need to know exactly what you are attempting to do and what the interfaces are used for. You have interfaces "outside" and "internet" which both to me hint about an interface directly connected to the Internet.


If the other interface has a connection to some remote networks then that interface needs routes for specific networks only. The interface which is supposed to be used for Internet traffic needs to have the default route.


- Jouni


New Member

Ok lets see if this helps,

Ok lets see if this helps, the ASA was the connection from a remote site through an MPLS connection back to the DataCenter.  The MPLS connection was not fast enough to handle internal traffic plus internet traffic, so they installed a circuit for internet.  The outside connection is for the MPLS traffic to the DC, the Internet connection is for internet only, so I need internal LAN traffic go across the outside interface and all other traffic go across the internet interface.  I did a route outside 0 0 and route for to go to the outside interface but when I do that I can't connect back to the ASA.  

New Member

Was able to get this fixed.

Was able to get this fixed.  I changed the quad 0 route to route to vlan3.  Remoted to a pc on the local LAN and was able to make the change.

CreatePlease to create content