Attila Erdos
Beginner

ASA 5510 Multiple ISP routing problem

We have an ASA 5510 with dual ISP. The default route is configured to ISP1, and the inside clients also go out via ISP1. We have a DMZ interface with public servers in it using private IPs; the interesting ports are forwarded to them. The public services hosted by the servers in the DMZ are reachable from ISP2's public IPs.

The problem is that the clients from the inside network can't reach the services in the DMZ via the public IP. Logically the traffic should go like Client -> ASA inside -> ASA outside1 -> ISP1 -> ISP2 -> ASA outside interface 2 -> DMZ. OK, but the ASA has a connected interface in ISP2's IP range, so maybe the traffic shouldn't go through the ISPs; the ASA should route it from the client to the DMZ server. Should we have a NAT rule from the client network directly to the DMZ? The log says "failed to locate egress interface".

Do you have any ideas?

Dennis Mink
Advisor

Are you doing a no-NAT from the internal interface to the DMZ interface?

In other words, add a NAT statement to NOT NAT from int. to external.

Please remember to rate useful posts, by clicking on the stars below.


You're right! It was a basic problem, the NAT statement was the problem. Thank you!

mkazam001
Participant

You could try NAT reflection on the ASA to access the DMZ servers' public IPs directly from the LAN.

Regards,

Azam
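Both suggestions in this thread (the no-NAT inside-to-DMZ rule from the accepted answer, and the NAT reflection that lets LAN hosts use the DMZ server's public IP) written out in ASA 8.3+ twice-NAT syntax, as an added example that is not from this thread or from Cisco. Interface names, addresses (RFC 5737 documentation ranges), the forwarded port and the ASA version are assumptions; the thread does not state them.

```cisco
! Added example; interface names, addresses (RFC 5737 documentation
! ranges) and the 8.3+ object/twice-NAT syntax are assumptions.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.20.0 255.255.255.0
object network DMZ-WEB
 host 192.168.20.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
!
! Default route via ISP1; the ISP2 block on outside2 is directly connected.
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inside hosts PAT to the outside1 interface for normal Internet traffic.
object network INSIDE-NET
 nat (inside,outside1) dynamic interface
!
! Port forward: ISP2 public IP tcp/443 -> DMZ web server.
object network DMZ-WEB
 nat (dmz,outside2) static 203.0.113.10 service tcp 443 443
!
! Fix 1 (accepted answer): no-NAT between inside and DMZ, so inside-to-DMZ
! traffic by private IP is not caught by the outside PAT rule. Manual
! (section 1) rules are evaluated before the object rules above.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! Fix 2 (NAT reflection): inside hosts connect to the public IP; the ASA
! rewrites the destination to the real server and sends it out dmz rather
! than toward ISP1, and replies are translated back to the public IP.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-WEB-PUBLIC DMZ-WEB
!
! Verify: packet-tracer should report dmz as the egress interface and
! "Action: allow" instead of "failed to locate egress interface".
! show nat detail
! packet-tracer input inside tcp 192.168.10.50 40000 203.0.113.10 443
```

The two manual rules do not conflict because their destination objects differ; keep the more specific (DMZ-WEB-PUBLIC) rule and the identity rule both in section 1 so neither is shadowed by the outside1 PAT.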
