topic ASA static map, outbound flows through global address in Network Security

ASA static map, outbound flows through global address

mkipness1 — Mon, 11 Mar 2019 21:57:43 GMT

I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?

Here are what I believe to be the relevant configs. If someone can tell me what I've got wrong, I would surely appreciate it.

interface Ethernet0/0

description New 6mb circuit

speed 100

nameif outside

security-level 0

ip address circuit-6mb 255.255.255.248

interface Ethernet0/1

description LAN interface

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Ethernet0/2

description 3mb circuit

nameif mpls

security-level 0

ip address circuit-3mb 255.255.255.224

global (outside) 1 interface

global (mpls) 2 interface

nat (inside) 0 access-list no-nat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,mpls) exchange2-outside exchange2-inside netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.122.47.217 5

route mpls 0.0.0.0 0.0.0.0 xxx.207.51.225 6

So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.

Thanks in advance,

Max Kipness

ASA static map, outbound flows through global address

varrao — Thu, 01 Dec 2011 10:43:58 GMT

Hi Max,

what you are seeing is an expected behavior on the ASA, since ASA can only have one default route on it. The first one would always be hit first on the firewall. This particulart setup might not be possible on the ASA, since on ASA we cannot do source based routing, so everytine the request from server comes in, it would be sent out of the first route that you have.

Hope that helps,

Thanks,

Varun

ASA static map, outbound flows through global address

mkipness1 — Thu, 01 Dec 2011 14:49:01 GMT

Varun,

Thanks for the response.

So you are saying that static mapping doesn't link the internal server inbound and outbound to a specific IP? I thought that was the purpose in a static. This would mean that having the extra circuit on the ASA is almost a waste except for inbound. Do you have any other suggestions?

Thanks,

Max