topic ASA: two WAN interface, problem with routing in Network Security

ASA: two WAN interface, problem with routing

Yuri Kazankin — Tue, 12 Mar 2019 02:34:21 GMT

Good day!

In my possession Cisco ASA 5515 and three interfaces:

LAN 10.1.1.1 (network 10.1.1.0/24)

WAN1 1.1.1.130 (network 1.1.1.128/26)

WAN2 1.1.2.5 (network 1.1.2.0/24)

Now the traffic goes through WAN1 - all web-application in NAT address pool 1.1.1.128/26; necessary - to make them available on the network 1.1.2.0/24

The problem is solved so - add default route will on the other metrics and do simultaneous NAT:

route WAN1 0.0.0.0 0.0.0.0 1.1.1.129 1
route WAN2 0.0.0.0 0.0.0.0 1.1.2.1 2
nat (LAN,WAN1) source static web_10.1.1.185 web_1.1.1.160
nat (LAN,WAN2) source static web_10.1.1.185 web_1.1.2.160

It works - the application is available in two external addresses - 1.1.1.160 and 1.1.2.160

But remained nuance, try to ping the interfaces ASA:

$ ping 1.1.1.130
PING 1.1.1.130 (1.1.1.130): 56 data bytes
64 bytes from 1.1.1.130: icmp_seq=0 ttl=246 time=2.426 ms
64 bytes from 1.1.1.130: icmp_seq=1 ttl=246 time=2.284 ms
64 bytes from 1.1.1.130: icmp_seq=2 ttl=246 time=2.303 ms
64 bytes from 1.1.1.130: icmp_seq=3 ttl=246 time=2.239 ms
64 bytes from 1.1.1.130: icmp_seq=4 ttl=246 time=2.679 ms
^C
--- 1.1.1.130 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.239/2.386/2.679/0.159 ms
$ ping 1.1.2.5
PING 1.1.2.5 (1.1.2.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 1.1.2.5 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

Why not ping IP on WAN2 interface? The logs of routing error:

Sep 4 12:39:42 asa0 %ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.137/50360 gaddr 1.1.2.5/0 laddr 1.1.2.5/0

Sep 4 12:39:42 asa0 %ASA-6-110003: Routing failed to locate next hop for icmp from AS:1.1.2.5/0 to AS:1.2.3.137/0

Any ideas?

ASA: two WAN interface, problem with routing

John Blakley — Thu, 05 Sep 2013 11:42:55 GMT

You cannot ping the ASA 'other sides' interface from the inside. You should be able to ping the address from an outside connection though.

HTH,
John

*** Please rate all useful posts ***

ASA: two WAN interface, problem with routing

Yuri Kazankin — Thu, 05 Sep 2013 11:47:04 GMT

John, I do any ping from outside.

ASA: two WAN interface, problem with routing

John Blakley — Thu, 05 Sep 2013 11:52:01 GMT

I don't understand. Are you saying that you CAN ping the outside address from outside of the network?

HTH,
John

*** Please rate all useful posts ***

ASA: two WAN interface, problem with routing

cadet alain — Thu, 05 Sep 2013 11:56:30 GMT

Hi,

What John means is you can't ping WAN2 coming from WAN1 or inversely but I don't think this is the problem.

your route out WAN2 is a floating route with AD of 2 so unless first route fails this one won't be installed so you've got no route back from this interface.

Regards

Alain

Don't forget to rate helpful posts.

ASA: two WAN interface, problem with routing

Yuri Kazankin — Thu, 05 Sep 2013 11:57:19 GMT

John, I ping 1.1.1.130 and 1.1.2.1 from outside network, for exaple from host 1.2.3.137

ASA: two WAN interface, problem with routing

Yuri Kazankin — Thu, 05 Sep 2013 12:04:28 GMT

Can I do that both were available IP interface from outside the network? It is necessary for IPSec connections as WAN1 through and through WAN2 from external hosts.

ASA: two WAN interface, problem with routing

cadet alain — Thu, 05 Sep 2013 12:13:26 GMT

HI,

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1179983

You can't have 2 equal cost path through 2 different interfaces so configuring the second route with an AD of 1 should give you an error according to this doc.

Regards

Alain

Don't forget to rate helpful posts.

ASA: two WAN interface, problem with routing

Marius Gunnerud — Thu, 05 Sep 2013 19:48:07 GMT

If you issue the show route command you will see that there is no route to the 1.1.2.0/24 network. However if you shutdown the interface that goes to ISP1 you should be able to ping 1.1.2.5 as this route will now be placed into the routing table.