Unexpected Firewall behavior

ksarin123_2
Level 1

Hello folks -

As depicted in the picture, I have a Cisco ASA firewall with one interface connected to one ISP router (R1) and another interface connected to another ISP Router (R2). R1 is used for all incoming FTP traffic and R2 is used for all incoming Web traffic. All incoming traffic is coming over the Internet. In addition, the two servers in the DMZ (R1 & R2) need access to the Internet as well for Windows Updates, NTP synchronization etc.

I wrote a static route on my firewall as follows:

route outside_FTP 0.0.0.0 0.0.0.0 "R1 IP ADDRESS"

By doing so, all incoming FTP connections from the Internet were fine. Both the servers internally could also get to the Internet without any issues. However, all users connecting to the Web Server over the Internet were seeing a message "page cannot be displayed". I was able to fix this issue by doing the following:

route outside_WEB 0.0.0.0 0.0.0.0 "R2 IP ADDRESS" 10

So my question is, why did I need to write a secondary route on my firewall, when that route has a lower preference (higher AD) than the default route? In theory, this route should never really be used because the default route should always be preferred.

I asked Cisco TAC, and they were scratching their heads too.

Any ideas?

Thank you!

1 Reply

All I can think of is that the message the users were getting about "the page can't be displayed" was because the traffic was coming in on one interface and the replies were leaving through another interface (asymmetric routing), due to the fact that you had only one default gateway.

It is a very strange behavior as you said since your ASA should only be showing one default gateway even with the second gateway you added.

First time I've heard of something similar.
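The following is an added example, not code from the original thread or from Cisco. It is a small Python model of the dual-ISP firewall described above: a routing table with administrative distance (AD), a connection table that records which outside interface each inbound connection arrived on, and two candidate rules for choosing the egress interface of reply packets. The addresses (RFC 5737 documentation ranges), the interface names beyond outside_FTP/outside_WEB, the function names and the "interface-scoped lookup" rule are all assumptions made for illustration; the model does not claim to reproduce the ASA's actual forwarding internals. What it shows is (a) that under plain routing-table semantics the AD 10 route is never installed, so it cannot explain the fix, as the original poster argues, and (b) that a per-ingress-interface route check, which only succeeds when a route exists out of the interface the connection arrived on, reproduces exactly the observed behaviour: web replies are asymmetric with one default route and symmetric once the second, less-preferred default route is present.

```python
"""Toy model of reply routing on a stateful firewall with two ISP uplinks.

Added example (not from the thread). Addresses, interface names other than
outside_FTP/outside_WEB, and the 'interface-scoped' rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    ad: int = 1  # static routes default to AD 1 on ASA/IOS


class RoutingTable:
    """Minimal RIB: keep the lowest-AD route per prefix, then longest-prefix match."""

    def __init__(self, candidates):
        self.candidates = list(candidates)

    def installed(self):
        best = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or r.ad < cur.ad:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst):
        dst = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed() if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass(frozen=True)
class Conn:
    client: str   # Internet host that opened the connection
    server: str   # DMZ server
    ingress: str  # firewall interface the first packet arrived on


def reply_egress(rib, conn, interface_scoped):
    """Interface chosen for server->client reply packets.

    interface_scoped=False: plain routing-table lookup on the client address.
    interface_scoped=True : hypothetical rule; if ANY configured route (even a
    non-installed, higher-AD one) out of the ingress interface covers the
    client, send the reply back out that interface, else fall back to the RIB.
    """
    if interface_scoped:
        client = ipaddress.IPv4Address(conn.client)
        if any(r.interface == conn.ingress and client in r.prefix
               for r in rib.candidates):
            return conn.ingress
    route = rib.lookup(conn.client)
    return route.interface if route else None


def simulate(add_web_default, interface_scoped):
    """Run the scenario from the thread and report symmetry of each flow."""
    r1, r2 = "203.0.113.1", "198.51.100.1"          # constructed ISP router IPs
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), r1, "outside_FTP", ad=1)]
    if add_web_default:                              # the second command from the post
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), r2, "outside_WEB", ad=10))
    rib = RoutingTable(routes)

    # Constructed inbound connections: FTP user via R1, web user via R2.
    ftp_conn = Conn("192.0.2.10", "10.1.1.21", ingress="outside_FTP")
    web_conn = Conn("192.0.2.20", "10.1.1.80", ingress="outside_WEB")

    return {
        "installed_interfaces": sorted(r.interface for r in rib.installed()),
        "ftp_symmetric": reply_egress(rib, ftp_conn, interface_scoped) == ftp_conn.ingress,
        "web_symmetric": reply_egress(rib, web_conn, interface_scoped) == web_conn.ingress,
        # DMZ servers reaching the Internet (e.g. NTP) always use the installed default.
        "dmz_outbound_interface": rib.lookup("203.0.113.200").interface,
    }


if __name__ == "__main__":
    for add_web, scoped in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"second default route={add_web!s:5} interface-scoped={scoped!s:5} ->",
              simulate(add_web, scoped))
```

Under plain RIB semantics the second default route changes nothing (it is never installed, only outside_FTP appears in the table), which is the original poster's objection. Under the interface-scoped rule the FTP flow is symmetric in every case, DMZ outbound traffic always leaves via R1, and the web flow becomes symmetric only when a route out of outside_WEB exists, even at AD 10. That matches the symptoms in the post, but whether the ASA actually implements something equivalent is not established by this thread.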
