https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3689807#M13894 <P>Hi All,</P> <P>I found a possible solution to this problem without disabling uRPF check.&nbsp; However, it cannot be used in our case (see below).&nbsp; Still sharing so that this may be useful for anyone having a similar problem.</P> <P>&nbsp;</P> <P>The solution could be to configure a Traffic Zone, say, 'Internet'.&nbsp; Put both ISP interfaces into this zone.&nbsp; It will then allow traffic to enter or leave from any interface within the zone.</P> <P>&nbsp;</P> <P>From ASDM GUI:</P> <P>"You can assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone."</P> <P>&nbsp;</P> <P>However, within the documentation, it warns that .....</P> <P>"Do not configure other services (such as VPN or Botnet Traffic Filter) for interfaces in a traffic zone; they may not function or scale as expected."</P> <P>&nbsp;</P> <P>This in my case will leave this solution useless as we do host VPNs on the interfaces I was planning to put in this zone.&nbsp; I guess with further configuration, a new interface could be configured in this zone and all non-vpn services could be made part of this as all Access Rules, NAT, Service Rules (other than QoS traffic policing), and Routing are supported with zones.</P> <P>&nbsp;</P> <P>Any thoughts from any one?</P> Thu, 16 Aug 2018 15:42:38 GMT magurwara 2018-08-16T15:42:38Z https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3683896#M13888 <P>I am getting deny reverse path check errors when trying to host a TCP service on the firewall that has two ISP links.</P> <P>Trying to host the service on ISP-2 IP range while the default route on the firewall is through ISP-1.</P> <P>Using route-map to route the traffic out through ISP-2 works fine which I thought would be enough for hosting the service as well since the incoming requests should be coming in via ISP-2's link. &nbsp;However, the incoming request to the hosted service fails due to the reverse path check failure.</P> <P>&nbsp;</P> <P>Is there a workaround? Further configurations? Or is there no way to make this work without disabling reverse path check?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:04:26 GMT https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3683896#M13888 magurwara 2020-02-21T16:04:26Z https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3683916#M13891 The command 'no ip verify reverse-path interface IF-NAME' disables uRPF<BR /> Wed, 08 Aug 2018 08:27:33 GMT https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3683916#M13891 Mohammed al Baqari 2018-08-08T08:27:33Z https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3684020#M13892 <P>Thanks Mohammed but disabling reverse path check is what I don't want to do.&nbsp;</P> <P>However, I am wondering whether it is serving a purpose in this scenario.</P> Wed, 08 Aug 2018 11:39:02 GMT https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3684020#M13892 magurwara 2018-08-08T11:39:02Z https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3689807#M13894 <P>Hi All,</P> <P>I found a possible solution to this problem without disabling uRPF check.&nbsp; However, it cannot be used in our case (see below).&nbsp; Still sharing so that this may be useful for anyone having a similar problem.</P> <P>&nbsp;</P> <P>The solution could be to configure a Traffic Zone, say, 'Internet'.&nbsp; Put both ISP interfaces into this zone.&nbsp; It will then allow traffic to enter or leave from any interface within the zone.</P> <P>&nbsp;</P> <P>From ASDM GUI:</P> <P>"You can assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone."</P> <P>&nbsp;</P> <P>However, within the documentation, it warns that .....</P> <P>"Do not configure other services (such as VPN or Botnet Traffic Filter) for interfaces in a traffic zone; they may not function or scale as expected."</P> <P>&nbsp;</P> <P>This in my case will leave this solution useless as we do host VPNs on the interfaces I was planning to put in this zone.&nbsp; I guess with further configuration, a new interface could be configured in this zone and all non-vpn services could be made part of this as all Access Rules, NAT, Service Rules (other than QoS traffic policing), and Routing are supported with zones.</P> <P>&nbsp;</P> <P>Any thoughts from any one?</P> Thu, 16 Aug 2018 15:42:38 GMT https://community.cisco.com/t5/network-security/hosting-a-web-service-with-dual-isp-connections-on-asa/m-p/3689807#M13894 magurwara 2018-08-16T15:42:38Z