ASA 5520 Routing Question

Hello All,

I am running into a firewall routing issue; please help me if you can.

I have a Cisco 5520 ASA configured with sub-interfaces on the inbound and outbound interfaces. The default route is set to 0.0.0.0, forwarding to a reachable IP address.

Configuration:

interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
vlan 203
nameif vlan203
security-level 0
ip address 64.130.161.201 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 212
nameif vlan212
security-level 0
ip address 62.182.163.227 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 214
nameif vlan214
security-level 0
ip address 73.24.73.220 255.255.255.0
!
interface GigabitEthernet0/1.40
vlan 211
nameif vlan211
security-level 0
ip address 69.215.224.220 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 65.181.164.7 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.2
vlan 2
nameif vlan2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3.3
vlan 3
nameif vlan3
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3.4
vlan 4
nameif vlan4
security-level 100
ip address 192.168.4.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 65.181.164.1 1

A public server is created for each web application to allow traffic for port 80. The problem: if the packet is coming from public vlan212, it reaches the destination in private vlan 2, but the browser doesn't show the page with the above config. However, if I change the default route to "route vlan212 0.0.0.0 0.0.0.0 62.182.163.221 1", the web page loads.

But this route change to the vlan212 configuration won't allow traffic coming in from vlan 203/vlan214/vlan211 going to the respective private vlan IPs. When I change the default route to the respective vlan, it works only for that public network, and this comes up in the logs.

Is it possible to allow routing of traffic going back to internet users, to make it work in this scenario?

%ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port

I would really appreciate if you can help me with this situation.

Thanks

AS
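As an added illustration (not part of the original thread), a simplified Python model of the route lookup behind the behaviour described above: the reply to an Internet client must leave through the interface the request arrived on, but the single default route points at outside, so only clients arriving on the interface that owns the default route get a next hop. The client address, server address and ports in the generated log line are constructed; the routes are taken from the posted config.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str  # "connected" for directly attached networks


# Connected routes from the posted sub-interface config plus the default route.
ROUTES = [
    Route(ipaddress.ip_network("64.130.161.0/24"), "vlan203", "connected"),
    Route(ipaddress.ip_network("62.182.163.0/24"), "vlan212", "connected"),
    Route(ipaddress.ip_network("73.24.73.0/24"), "vlan214", "connected"),
    Route(ipaddress.ip_network("69.215.224.0/24"), "vlan211", "connected"),
    Route(ipaddress.ip_network("65.181.164.0/24"), "outside", "connected"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "vlan2", "connected"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "65.181.164.1"),
]


def lookup(routes, dst, egress_iface=None):
    """Longest-prefix match, optionally restricted to one interface's routes."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.prefix
            and (egress_iface is None or r.interface == egress_iface)]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def reply_to_client(routes, client_ip, ingress_iface):
    """Route the web server's reply back to the client.

    Simplified model: the connection was built when the client's packet
    arrived on ingress_iface, so the reply must leave via that interface.
    Returns the next hop, or a 110003-style message (constructed values)
    when that interface has no route to the client.
    """
    r = lookup(routes, client_ip, egress_iface=ingress_iface)
    if r is None:
        return ("%ASA-6-110003: Routing failed to locate next-hop for tcp from "
                f"vlan2:192.168.2.10/80 to {ingress_iface}:{client_ip}/51000")
    return f"{ingress_iface} via {r.next_hop}"


def with_default_via(routes, interface, next_hop):
    """Copy of the table with the default route moved to another interface."""
    return [r for r in routes if r.prefix.prefixlen != 0] + [
        Route(ipaddress.ip_network("0.0.0.0/0"), interface, next_hop)]


if __name__ == "__main__":
    client = "198.51.100.25"  # constructed Internet client address
    for table in (ROUTES, with_default_via(ROUTES, "vlan212", "62.182.163.221")):
        for iface in ("vlan212", "vlan203"):
            print(iface, "->", reply_to_client(table, client, iface))
```

Moving the default route to vlan212 makes vlan212 clients work and vlan203 clients fail, which is exactly the symptom the post describes.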

2 Replies

Marvin Rhoads
Hall of Fame

You can't do that with a 5520.

What you want to do would require using the policy-based routing (PBR) feature which was only added last year with ASA software 9.4(1).

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

The 5520 and the related older hardware series went end-of-sale in 2013 and only support software through the 9.1(x) releases. Only bug fixes and security-vulnerability fixes are being released for those platforms' software.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727279.html

https://software.cisco.com/download/release.html?mdfid=279916878&flowid=4374&softwareid=280775065&release=9.1.7%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

Edwin Matos
Level 1

If you are using static NAT for the server, you could use DNS doctoring and move the traffic internally without the traffic leaving to the internet.
