Solved: Re: ASA 5510 Multiple ISP routing problem

Attila Erdos · ‎10-31-2018

We have an ASA 5510 with dual ISP. The default route is configured to ISP1, and the inside clients are goes also to ISP1. We have a DMZ interface, there are public servers in it with private IP, the interesting ports are forwarded to them. The public services - hosted by the servers in the DMZ - are reachable from the ISP2's public IPs.

The problem is, that the clients from the inside network can't reach the services in the DMZ with public IP. Logically the traffic should goes like Client -> ASA inside -> ASA outside1 -> ISP1 -> ISP2 -> ASA outside interface 2 -> DMZ. Ok, but the ASA has connected interface to the ISP2's IP range, so maybe the traffic shouldn't go through the ISPs, the ASA should route it from the client to the DMZ server. Should we have NAT rule from the client network directly to the DMZ? The log says that failed to locate egress interface.

Do you have any ideas?

Dennis Mink · ‎10-31-2018

are you doing a no-NAT from the internal interface TO the DMZ interface?

in otherwords, add a NAT statement to NOT nat from int. to external.

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

Dennis Mink · ‎10-31-2018

are you doing a no-NAT from the internal interface TO the DMZ interface?

in otherwords, add a NAT statement to NOT nat from int. to external.

Please remember to rate useful posts, by clicking on the stars below.

Attila Erdos · ‎11-09-2018

You're right! It was a basic problem, the NAT statement was the problem. Thank you!

mkazam001 · ‎11-03-2018

You could try nat reflection on the ASA to access DMZ servers public IPs directly from the LAN.

Regards,

Azam