topic Re: ASA 5510 Multiple ISP routing problem in Network Security

ASA 5510 Multiple ISP routing problem

Attila Erdos — Fri, 21 Feb 2020 16:25:26 GMT

We have an ASA 5510 with dual ISP. The default route is configured to ISP1, and the inside clients are goes also to ISP1. We have a DMZ interface, there are public servers in it with private IP, the interesting ports are forwarded to them. The public services - hosted by the servers in the DMZ - are reachable from the ISP2's public IPs.

The problem is, that the clients from the inside network can't reach the services in the DMZ with public IP. Logically the traffic should goes like Client -> ASA inside -> ASA outside1 -> ISP1 -> ISP2 -> ASA outside interface 2 -> DMZ. Ok, but the ASA has connected interface to the ISP2's IP range, so maybe the traffic shouldn't go through the ISPs, the ASA should route it from the client to the DMZ server. Should we have NAT rule from the client network directly to the DMZ? The log says that failed to locate egress interface.

Do you have any ideas?

Re: ASA 5510 Multiple ISP routing problem

Dennis Mink — Thu, 01 Nov 2018 02:09:20 GMT

are you doing a no-NAT from the internal interface TO the DMZ interface?

in otherwords, add a NAT statement to NOT nat from int. to external.

Re: ASA 5510 Multiple ISP routing problem

mkazam001 — Sat, 03 Nov 2018 20:05:51 GMT

You could try nat reflection on the ASA to access DMZ servers public IPs directly from the LAN.

Regards,

Azam

Re: ASA 5510 Multiple ISP routing problem

Attila Erdos — Fri, 09 Nov 2018 14:32:34 GMT

You're right! It was a basic problem, the NAT statement was the problem. Thank you!