New Member

Routing between interfaces on ASA

Hi,

I have an ASA with three interfaces: inside, outside and otherlan. On otherlan there's an EthernetDevice that must be reached from inside, but not from outside.

The relevant part of the configuration is:

name A.B.C.D EthernetDevice
!
interface Vlan1
 nameif inside
 security-level 100
 ip address X.Y.Z.T 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address IP-PUBBLICO NETMASK
!
interface Vlan3
 nameif otherlan
 security-level 50
 ip address A.B.C.E 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
[...]
access-list otherlan_access_in extended permit ip host EthernetDevice X.Y.Z.0 255.255.255.0
access-list inside_access_list extended permit ip X.Y.Z.0 255.255.255.0 host EthernetDevice
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group otherlan_access_in in interface otherlan
route outside 0.0.0.0 0.0.0.0 X.Y.Z.T 1

EthernetDevice has an embedded HTTP server, which is working, i.e. from a PC on otherlan it's reachable, and it has A.B.C.E as default gateway.

The problem is that I can't reach it from a PC on the inside LAN, and in the ASA log I have the following error:

portmap translation creation failed for tcp src inside:X.Y.Z.P/2461 dst altralan:EthernetDevice/80

I've also tried to use:

global (otherlan) 2 X.Y.Z.4-X.Y.Z.10 netmask 255.255.255.0

and tried to reach it from a PC whose IP is in the pool, but no luck either.

What is wrong / what haven't I understood?

Thanks in advance

Ciao
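
A small lint for the `nat`/`global` pairing in a configuration like the one posted above, added here as an example and not part of the original thread. It assumes pre-8.3 ASA syntax, where a `nat (if) N` rule is paired with `global (if) N` statements by the number N; `lint_asa_config` and `SAMPLE_CONFIG` are hypothetical names, and the sample holds only lines shown in the post, so an ACL defined in the elided part would be reported as missing.

```python
import re

# Constructed sample: NAT and ACL lines copied from the question's configuration.
SAMPLE_CONFIG = """\
access-list otherlan_access_in extended permit ip host EthernetDevice X.Y.Z.0 255.255.255.0
access-list inside_access_list extended permit ip X.Y.Z.0 255.255.255.0 host EthernetDevice
global (outside) 1 interface
global (otherlan) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group otherlan_access_in in interface otherlan
"""

def lint_asa_config(text):
    """Lint pre-8.3 style nat/global/access-group lines; return sorted findings."""
    acls, groups = set(), []
    nat_rules = []       # (source interface, nat id)
    globals_by_if = {}   # egress interface -> set of global ids
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) (?:in|out) interface (\S+)", line):
            groups.append(m.groups())
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_rules.append((m.group(1), int(m.group(2))))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_by_if.setdefault(m.group(1), set()).add(int(m.group(2)))
    findings = []
    for acl, ifname in groups:
        if acl not in acls:
            findings.append(f"access-group on {ifname}: ACL {acl} is not defined in the supplied lines")
    for src, nat_id in nat_rules:
        if nat_id == 0:  # nat 0 is NAT exemption and needs no global
            continue
        for egress, ids in globals_by_if.items():
            if egress != src and nat_id not in ids:
                findings.append(f"nat ({src}) {nat_id}: no global ({egress}) {nat_id}, "
                                f"so {src} -> {egress} has no dynamic translation")
    used = {nat_id for _, nat_id in nat_rules}
    for egress, ids in globals_by_if.items():
        for gid in sorted(ids - used):
            findings.append(f"global ({egress}) {gid}: no nat rule uses id {gid}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```
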

2 REPLIES
Bronze

Re: Routing between interfaces on ASA

Hi,

I think this static is wrong.

static (inside,otherlan) EthernetDevice EthernetDevice netmask 255.255.255.255

It should be

static (inside,otherlan) X.Y.Z.T X.Y.Z.T netmask 255.255.255.0

HTH

New Member

Re: Routing between interfaces on ASA

This is a limitation of the ASA. You cannot have 2 active routes to the outside. You can have a primary link to the outside and a backup link that monitors the interface for an outage.
