topic You need to define the remote in Network Security

multiple default route in ASA

moussa.malqui1 — Tue, 12 Mar 2019 08:53:13 GMT

Hi all,

How ca i define multiple default route in ASA?

route tcvpn 0 0 10.240.20.1

route cacvpn 0 0 10.240.30.1

whaen i put the second route i get this route is aleready exisit. what is the solution?

You can do this if you

Rahul Govindan — Sat, 04 Feb 2017 13:43:44 GMT

You can do this if you configure both interfaces as a part of a traffic zone and use ecmp.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#56513

You would have to run Asa version 9.3 and above

I'm not sure what you really

Karsten Iwen — Sat, 04 Feb 2017 16:36:37 GMT

I'm not sure what you really want to achieve, but it's very likely that PBR is the solution.

Check your other post. You

Marius Gunnerud — Sat, 04 Feb 2017 20:47:44 GMT

Check your other post. You need to setup static routes for the remote VPN subnets. If there are many remote subnets I suggest summarizing them.

Although, zoned ECMP would allow you to setup default routes pointing out each interface, the problem you will run into is that traffic will be load-balanced across these interfaces, meaning traffic that is destined for VPN1 might be sent out the wrong interface.

Please remember to select a correct answer and rate helpful posts

thanks Marius but when i

moussa.malqui1 — Sat, 04 Feb 2017 22:50:05 GMT

thanks Marius but when i setup static routes for the subnet i get "error this interface is directly connected"

You need to define the remote

Marius Gunnerud — Sat, 04 Feb 2017 22:57:05 GMT

You need to define the remote network not the network connected to the ASA interface. To be more specific, the network at the remote side of the site to site VPN tunnel.

Please remember to select a correct answer and rate helpful posts

thanks Marius i understand

moussa.malqui1 — Sat, 04 Feb 2017 23:15:04 GMT

thanks Marius i understand what you say . so i think i will put zoned ECMP because i don't have the address ip for site to site VPN i should contact the provider

As mentioned earlier zoned

Marius Gunnerud — Sat, 04 Feb 2017 23:20:20 GMT

As mentioned earlier zoned ECMP will not solve your issue as this will just load-balance the traffic over the interfaces. That means that traffic for one VPN site could be sent out the wrong interface. to solve your problem you MUST get the remote site adresses and enter static routes.

But is the site to site VPN terminated on the ASA or the ISP router?

Please remember to select a correct answer and rate helpful posts

the site to site VPN

moussa.malqui1 — Sat, 04 Feb 2017 23:23:13 GMT

the site to site VPN terminated on the ISP router

thanks Rahul for ur helps,

moussa.malqui1 — Thu, 09 Feb 2017 22:08:06 GMT

thanks Rahul for ur helps,

i should put this 2 route in my asa:

route tcvpn 10.240.1.0 255.255.255.0 10.240.20.1

route cacvpn 10.240.1.0 255.255.255.0 10.240.30.1

but when put the second route i get error this route already exist, what should i do?

regards,

What is the ASA version you

Rahul Govindan — Fri, 10 Feb 2017 03:54:52 GMT

What is the ASA version you have? And are the 2 interfaces part of the same zone? Refer to the article to understand zoned ECMP:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#56513

i have version 9.2, the 2

moussa.malqui1 — Fri, 10 Feb 2017 09:17:56 GMT

i have version 9.2, the 2 interfaces part of different zone my architecture is like that:

Is this two sites with the

Marius Gunnerud — Fri, 10 Feb 2017 09:39:29 GMT

Is this two sites with the same subnet (10.240.1.0/24)? or is it two paths to the same site?

If this is to two different sites then we need to do some NATing on the ASA (or the remote end for that matter). But first lets establish if these are two seperate sites or two paths to the same site.

Please remember to select a correct answer and rate helpful posts

there are two seperate site,

moussa.malqui1 — Fri, 10 Feb 2017 09:47:38 GMT

there are two seperate site, what is the NATing i should do ?

You need to identify what the

Marius Gunnerud — Fri, 10 Feb 2017 10:07:34 GMT

You need to identify what the traffic needs are. Are the remote sites only going to access resources at the main site behind the ASA or will the main site also need to access services at the remote sites?

Depending on the answer to the question above, you will either need to dynamic NAT to one of the site (if just the remote site needs access to main site). If the main site needs access to some resources at the remote site, then you will need to create static one to one NAT for those resources and all other traffic can use a dynamic NAT.

You only need to NAT one of the sites IPs. the second site can use its original IP.

Are these site to site VPNs?

Please remember to select a correct answer and rate helpful posts

in my case the main site only

moussa.malqui1 — Fri, 10 Feb 2017 10:16:21 GMT

in my case the main site only need to access services at the remote sites

(VPN is between two ISP router)

if they are two paths to the

moussa.malqui1 — Fri, 10 Feb 2017 12:02:54 GMT

if they are two paths to the same site the solution is ECMP? that's right?

if the path is to the same

Marius Gunnerud — Fri, 10 Feb 2017 12:08:59 GMT

if the path is to the same site or to the internet then zoned ECMP is the solution.

Now since the main site needs to access services at the remote site you will need to statically NAT those services at one of the sites. then you would access the services at that one site by using the NATed IP.

Please remember to select a correct answer and rate helpful posts

the ECMP Zoned is not

moussa.malqui1 — Fri, 10 Feb 2017 15:10:58 GMT

the ECMP Zoned is not supported in my ASA 9.2

what the nat i should put in my case?

this is my architecture:

thanks Karsten but how can i

moussa.malqui1 — Fri, 10 Feb 2017 18:41:13 GMT

thanks Karsten but how can i define it in my ASA version 9.2?