https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678500#M1093046 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1034099">@Asfandyar70754</a> if you want to use both ISP circuits, then you can use IP SLA to track the primary ISP and failover to the secondary if required - example <A href="https://integratingit.wordpress.com/2019/11/24/asa-dual-isp-using-ip-sla/" target="_self">here</A>. Or use Policy Based Routing (PBR) - example <A href="https://integratingit.wordpress.com/2020/03/01/asa-policy-based-routing/" target="_self">here</A>.</P> Tue, 30 Aug 2022 07:18:16 GMT Rob Ingram 2022-08-30T07:18:16Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678100#M1093043 <P>Hey guys,</P> <P>So I am a bit new on ASA and was doing a basic lab, topology attached. I have vlan 10 &amp; 20 in my inside network.&nbsp;</P> <P>Following are the routes that I have configured on ASA, CoreSW &amp; ISP-RTR</P> <P>Core SW route:&nbsp; ip route 0.0.0.0 0.0.0.0 30.0.0.2</P> <P>ASA routes:&nbsp;</P> <P>route outside 0.0.0.0 0.0.0.0 40.0.0.2 1</P> <P>route inside 10.0.0.0 255.0.0.0 30.0.0.1 1</P> <P>route inside 20.0.0.0 255.0.0.0 30.0.0.1 1</P> <P>&nbsp;</P> <P>ISP-RTR route:&nbsp;</P> <P>ip route 0.0.0.0 0.0.0.0 40.0.0.1</P> <P>Now I am not able to ping from my internal network to ISP-RTR's IP or it Loopback IP.</P> <P>What am I missing in m config?</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 29 Aug 2022 13:16:00 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678100#M1093043 Asfandyar70754 2022-08-29T13:16:00Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678107#M1093044 <P>You need ICMP inspection&nbsp;</P><P><A href="https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/" target="_blank">https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/</A></P><P>&nbsp;</P> Mon, 29 Aug 2022 13:26:38 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678107#M1093044 MHM Cisco World 2022-08-29T13:26:38Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678473#M1093045 <P>Thank you for your response.</P> <P>I also need to know incase there are 2 ISPs then can I use default routes for both ISPs.</P> <P><SPAN>route outside 0.0.0.0 0.0.0.0 50.0.0.2 2(Making it a backup route using administrative distance 2)</SPAN></P> Tue, 30 Aug 2022 06:04:23 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678473#M1093045 Asfandyar70754 2022-08-30T06:04:23Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678500#M1093046 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1034099">@Asfandyar70754</a> if you want to use both ISP circuits, then you can use IP SLA to track the primary ISP and failover to the secondary if required - example <A href="https://integratingit.wordpress.com/2019/11/24/asa-dual-isp-using-ip-sla/" target="_self">here</A>. Or use Policy Based Routing (PBR) - example <A href="https://integratingit.wordpress.com/2020/03/01/asa-policy-based-routing/" target="_self">here</A>.</P> Tue, 30 Aug 2022 07:18:16 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678500#M1093046 Rob Ingram 2022-08-30T07:18:16Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678501#M1093047 <P>Hello<BR />By default traffic from an asa outside interface (lower security level) isn’t allowed into the fw ( as such icmp reply’s will denied)<BR />You could allow this two ways:&nbsp;<BR /><BR /><U>Access-list</U><BR /><EM>access-list x extended permit icmp any any echo-reply&nbsp;</EM><BR /><EM>access-group x in interface outside<BR /><BR /></EM><U>Service-policy inspection</U><BR /><EM>policy-map global-policy</EM><BR /><EM>class insection_default</EM><BR /><EM>inspect icmp</EM><BR /><EM>inspect icmp-error &lt; hides internal addresing via traceroute</EM><BR /><EM>exit<BR /><BR />Lastly:<BR /></EM><U>allow traffic between interfaces--- intervlan routing</U><EM style="font-family: inherit;"><BR /><EM>same-security-traffic permit inter-interface&nbsp;</EM><BR /></EM></P> <P><EM><U>Allow traffic in/out same interface</U><BR /><EM style="font-family: inherit;">same-security-traffic</EM> permit intra-interface&nbsp;</EM></P> Tue, 30 Aug 2022 07:20:26 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678501#M1093047 paul driver 2022-08-30T07:20:26Z https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678530#M1093049 <P>Use "fixup protocol icmp" to start to inspect ICMP protocol</P> Tue, 30 Aug 2022 08:29:18 GMT https://community.cisco.com/t5/network-security/routing-in-asa/m-p/4678530#M1093049 Khaled Douma 2022-08-30T08:29:18Z