09-05-2013 04:30 AM - edited 03-11-2019 07:34 PM
Good day!
I have a Cisco ASA 5515 with three interfaces:
LAN 10.1.1.1 (network 10.1.1.0/24)
WAN1 1.1.1.130 (network 1.1.1.128/26)
WAN2 1.1.2.5 (network 1.1.2.0/24)
Now the traffic goes through WAN1; all web applications are in the NAT address pool 1.1.1.128/26. It is necessary to make them available on the network 1.1.2.0/24 as well.
The problem is solved like this: add a default route with a different metric and do simultaneous NAT:
route WAN1 0.0.0.0 0.0.0.0 1.1.1.129 1
route WAN2 0.0.0.0 0.0.0.0 1.1.2.1 2
nat (LAN,WAN1) source static web_10.1.1.185 web_1.1.1.160
nat (LAN,WAN2) source static web_10.1.1.185 web_1.1.2.160
It works: the application is available at two external addresses, 1.1.1.160 and 1.1.2.160.
But one nuance remains. Try to ping the ASA interfaces:
$ ping 1.1.1.130
PING 1.1.1.130 (1.1.1.130): 56 data bytes
64 bytes from 1.1.1.130: icmp_seq=0 ttl=246 time=2.426 ms
64 bytes from 1.1.1.130: icmp_seq=1 ttl=246 time=2.284 ms
64 bytes from 1.1.1.130: icmp_seq=2 ttl=246 time=2.303 ms
64 bytes from 1.1.1.130: icmp_seq=3 ttl=246 time=2.239 ms
64 bytes from 1.1.1.130: icmp_seq=4 ttl=246 time=2.679 ms
^C
--- 1.1.1.130 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.239/2.386/2.679/0.159 ms
$ ping 1.1.2.5
PING 1.1.2.5 (1.1.2.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 1.1.2.5 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Why can't I ping the IP on the WAN2 interface? The logs show a routing error:
Sep 4 12:39:42 asa0 %ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.137/50360 gaddr 1.1.2.5/0 laddr 1.1.2.5/0
Sep 4 12:39:42 asa0 %ASA-6-110003: Routing failed to locate next hop for icmp from AS:1.1.2.5/0 to AS:1.2.3.137/0
Any ideas?
09-05-2013 04:42 AM
You cannot ping the ASA's 'other side' interface from the inside. You should be able to ping the address from an outside connection though.
HTH,
John
*** Please rate all useful posts ***
09-05-2013 04:47 AM
John, I do every ping from outside.
09-05-2013 04:52 AM
I don't understand. Are you saying that you CAN ping the outside address from outside of the network?
HTH,
John
*** Please rate all useful posts ***
09-05-2013 04:57 AM
John, I ping 1.1.1.130 and 1.1.2.1 from the outside network, for example from host 1.2.3.137.
09-05-2013 04:56 AM
Hi,
What John means is that you can't ping WAN2 coming from WAN1 or vice versa, but I don't think this is the problem.
Your route out WAN2 is a floating route with an AD of 2, so unless the first route fails this one won't be installed, so you've got no route back from this interface.
Regards
Alain
Don't forget to rate helpful posts.
09-05-2013 05:04 AM
Can I make both interface IPs available from outside the network? It is necessary for IPsec connections from external hosts both through WAN1 and through WAN2.
09-05-2013 05:13 AM
Hi,
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1179983
You can't have 2 equal-cost paths through 2 different interfaces, so configuring the second route with an AD of 1 should give you an error according to this doc.
Regards
Alain
Don't forget to rate helpful posts.
09-05-2013 12:48 PM
If you issue the show route command you will see that there is no route to the 1.1.2.0/24 network. However, if you shut down the interface that goes to ISP1, you should be able to ping 1.1.2.5, as this route will now be placed into the routing table.
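The floating-route behaviour Alain and the last reply describe (only the lowest-AD default route is installed, so a reply that has to leave through WAN2 finds no next hop until WAN1 goes down) can be reproduced with a small simulation. This is an added illustration, not Cisco code and not output from the poster's ASA: it builds a toy routing table from the two 'route' commands in the thread and models the ASA's reply path with one simplifying assumption, that an echo reply for a ping to an interface address must leave through that same interface. The interface names, the reply destination 1.2.3.137 (the external host from the log lines) and the up/down sets are constructed inputs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    iface: str       # egress interface named in the 'route' command
    prefix: str      # destination network
    next_hop: str    # gateway address
    distance: int    # administrative distance (trailing number in 'route ... 1' / '... 2')


# Constructed from the two 'route' commands in the thread.
CANDIDATE_ROUTES = [
    StaticRoute("WAN1", "0.0.0.0/0", "1.1.1.129", 1),
    StaticRoute("WAN2", "0.0.0.0/0", "1.1.2.1", 2),
]


def build_rib(routes, up_interfaces):
    """Install, per prefix, only the candidate with the lowest AD whose interface is up.

    A higher-AD candidate for the same prefix is a floating route: it stays out of
    the table until the preferred one disappears (e.g. its interface is shut down).
    """
    best = {}
    for r in routes:
        if r.iface not in up_interfaces:
            continue
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(rib, dst, egress_iface=None):
    """Longest-prefix match; if egress_iface is given, the route must leave via it."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst_ip in ipaddress.ip_network(r.prefix)]
    if egress_iface is not None:
        matches = [r for r in matches if r.iface == egress_iface]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def reply_next_hop(up_interfaces, reply_dst, pinged_iface):
    """Return (iface, next_hop) for the echo reply, or None when routing fails.

    Simplifying assumption (not a statement about ASA internals): the reply to a
    ping of an interface address must be sent out through that same interface.
    """
    rib = build_rib(CANDIDATE_ROUTES, up_interfaces)
    r = lookup(rib, reply_dst, egress_iface=pinged_iface)
    return None if r is None else (r.iface, r.next_hop)


if __name__ == "__main__":
    external_host = "1.2.3.137"  # the source address seen in the %ASA-6-110003 log line
    # Both links up: WAN1 answers, WAN2 has no installed route back.
    print("ping 1.1.1.130 ->", reply_next_hop({"WAN1", "WAN2"}, external_host, "WAN1"))
    print("ping 1.1.2.5   ->", reply_next_hop({"WAN1", "WAN2"}, external_host, "WAN2"))
    # WAN1 shut down: the AD-2 floating route is installed and WAN2 answers.
    print("WAN1 down, ping 1.1.2.5 ->", reply_next_hop({"WAN2"}, external_host, "WAN2"))
```

Running it prints a next hop of 1.1.1.129 for the WAN1 case, None for the WAN2 case while both links are up (the simulated counterpart of "Routing failed to locate next hop"), and 1.1.2.1 for WAN2 once WAN1 is removed from the up set, which is the shutdown experiment the last reply suggests.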