10-21-2020 12:34 AM
Here is what I am trying to do.
Outside-1 1.1.1.1/28
Outside-2 2.2.2.2/30
Additional IPs routed to Outside-2 2.2.20.0/29
Inside 172.16.22.0/24
Host-A 172.16.22.50
nat (inside,Outside-1) dynamic Host-A 1.1.1.5
nat (inside,Outside-2) dynamic HOST-A 2.2.20.5
Default route is via Outside-1
If I telnet to 2.2.20.5 I can see traffic arriving on the Outside-2 interface and it is NATed to Host-A (172.16.22.50).
I can also see this traffic going through the Inside interface.
BUT the returning traffic is destined for the Outside-1 interface.
I think I need a twice NAT rule but I can't find an example that suits this scenario.
How can I achieve this?
10-21-2020 01:28 AM - edited 10-21-2020 01:34 AM
Depending on the ASA version you are running, you can configure the two outside interfaces to be in the same traffic zone. This will allow traffic from an existing flow to enter or exit any interface that is within the same zone.
config terminal
zone outside
interface Gig0/1
 nameif outside-1
 security-level 0
 ip address 1.1.1.1 255.255.255.240
 zone-member outside
interface Gig0/2
 nameif outside-2
 security-level 0
 ip address 2.2.2.2 255.255.255.252
 zone-member outside
If you are looking to force the traffic back out the Outside-2 interface then you would need to either use policy based routing (PBR) or twice NAT. I would suggest using PBR.
10-21-2020 01:52 AM
I have PBR defined on the Inside interface.
If I telnet from HOST-A it is working and going out Outside-2, and telnet successfully establishes a session.
But if I telnet into 2.2.20.5, which is a routed address through Outside-2, the return traffic is still using the default route via Outside-1.
I thought an established connection would route back out the interface it came in on?
Any thoughts?
10-22-2020 12:56 AM
It would seem that you are hitting the default route. How have you configured the PBR? Could you post the configuration?
10-22-2020 03:21 AM
I think what happens here is that the return traffic hits the first NAT rule so it goes out of the Outside-1 interface. If you try to flip the order of those NAT rules, it might work. However, it would stop working for the incoming traffic through Outside-1. To fix this, I think you would need a twice NAT rule, or as Marius mentioned through PBR.
10-25-2020 03:30 PM
We added a second default route to Outside-2 which resolved the problem.
An established connection on ASA does NOT work the same as on iptables on Linux.
The 'show asp drop' output indicated no route to host.
This has solved the problem.
10-25-2020 04:48 PM
As far as I know, the ASA won't allow you to add another default route out of multiple interfaces. You mean a specific route to the destinations that would come through the Outside-2 interface?
10-25-2020 07:22 PM
I now have the following routes:
route Outside-1 0.0.0.0 0.0.0.0 1.1.1.2 1
route Outside-2 0.0.0.0 0.0.0.0 2.2.2.1 2
After adding the second route traffic initiating from Outside-2 was processed successfully and the response received.
10-25-2020 08:27 PM
The second default route was added with a higher AD (2). This means that this additional route will not take effect as long as the one out of Outside-1 is active. You can verify that by issuing the command show route. So, I am wondering how that could fix the issue!
10-25-2020 09:02 PM
Without the second route, asp drop showed packets dropped due to no route.
Also, testing with telnet would fail, as previously advised from the captures.
After adding the route, telnet was successful, and a packet capture on the Outside-2 interface shows the return traffic that was previously missing.
All connections in and out of Outside-1 are still working correctly.
It did solve my problem and has had no issues ... yet :-)
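As an added worked example (not part of any post in this thread), here is the configuration the thread converges on, written out in ASA CLI syntax, followed by the commands used to verify it. The interface numbering, the Inside address 172.16.22.1, the object names, the test client address 203.0.113.10 and the access-list name are assumptions; the next hops 1.1.1.2 and 2.2.2.1 are taken from the routes posted above. The NAT rules are written as static object NAT, because inbound telnet to 2.2.20.5 is expected to work, which is one reading of the shorthand "nat (inside,Outside-2) dynamic HOST-A 2.2.20.5" in the original post.

```text
! Interfaces (GigabitEthernet numbering and the Inside address are assumed)
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 172.16.22.1 255.255.255.0
interface GigabitEthernet0/1
 nameif Outside-1
 security-level 0
 ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/2
 nameif Outside-2
 security-level 0
 ip address 2.2.2.2 255.255.255.252

! One object per outside interface, both pointing at the same real host.
! Two objects are needed because an object carries at most one NAT rule.
object network HOST-A-OUT1
 host 172.16.22.50
 nat (Inside,Outside-1) static 1.1.1.5
object network HOST-A-OUT2
 host 172.16.22.50
 nat (Inside,Outside-2) static 2.2.20.5

! Inbound telnet on Outside-2. Since ASA 8.3 the ACL references the real IP.
access-list OUTSIDE2-IN extended permit tcp any host 172.16.22.50 eq telnet
access-group OUTSIDE2-IN in interface Outside-2

! Primary default route (AD 1) plus the floating default route (AD 2)
! that the original poster reports fixed the return path for connections
! that arrive on Outside-2.
route Outside-1 0.0.0.0 0.0.0.0 1.1.1.2 1
route Outside-2 0.0.0.0 0.0.0.0 2.2.2.1 2

! --- Verification ---
! Only the AD 1 default is expected to appear as an active route:
show route
! Translate/untranslate hit counters per NAT rule:
show nat detail
! Simulate the inbound telnet from an assumed client 203.0.113.10:
packet-tracer input Outside-2 tcp 203.0.113.10 40000 2.2.20.5 23 detailed
! Reset the drop counters, run the real telnet test, then look for no-route drops:
clear asp drop
show asp drop
! Confirm the connection entry and watch the reply leave Outside-2:
show conn address 172.16.22.50
capture CAP-OUT2 interface Outside-2 match tcp host 203.0.113.10 host 2.2.20.5
show capture CAP-OUT2
no capture CAP-OUT2
```

Run the verification block once before and once after adding the AD 2 route: the thread's observation is that the active routing table (show route) looks the same in both cases, while the asp drop counter and the Outside-2 capture change, so those two outputs, not show route, are what tell you whether the return traffic is being sent out the interface the connection arrived on.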