05-03-2011 06:25 AM - edited 03-11-2019 01:28 PM
Dear
I have a question about the ASA and its outgoing multiple-ISP traffic management.
I have this situation:
interface Ethernet0/0.259
 description ISP2 WAN
 vlan 259
 nameif outside2
 security-level 1
 ip address YYY.YYY.YYY.173 255.255.255.240
!
interface Ethernet0/2
 description ISP1 WAN
 nameif outside1
 security-level 1
 ip address XXX.XXX.XXX.238 255.255.255.248
!
route outside1 0.0.0.0 0.0.0.0 XXX.XXX.XXX.233 1
route outside2 0.0.0.0 0.0.0.0 YYY.YYY.YYY.161 100
!
global (outside2) 1 interface
global (outside1) 1 XXX.XXX.XXX.235 netmask 255.255.255.255
global (outside1) 2 XXX.XXX.XXX.234 netmask 255.255.255.255
static (inside,outside2) tcp interface www AAA.AAA.AAA.215 www netmask 255.255.255.255
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside1
icmp permit any outside2
!
access-group ACL_outside1 in interface outside1
access-group ACL_outside2 in interface outside2
!
access-list ACL_outside2 line 1 extended permit icmp any any log informational interval 300
access-list ACL_outside2 line 2 extended permit tcp any host YYY.YYY.YYY.173 eq www log informational interval 300 (hitcnt=1602) 0xc1a22503
Now my question is:
Why, if I access the outside2 interface from an external connection using TCP port 80, is it correctly NATted to AAA.AAA.AAA.215 and everything works well, but if I try to ping the interface nothing comes back?
And if I debug ICMP I see the requests and answers, but nothing gets back.
Now I suppose that the problem is handling multiple gateways, but if this is true, NAT should not work either...
Please help me, or otherwise my brain will blow up...
Thank you very much, and thank you for wasting time on my post.
Best Regards.
Marko Mihaljevic
05-03-2011 10:13 AM
Hi Marko,
You are totally right. Only the outside1 interface (which is the one that has the default gateway with the lowest metric) should be receiving the traffic without issues. Otherwise, it will cause asymmetric routing (as you are seeing with the ping) and the traffic should be dropped.
For this matter, please take a capture on port 80 for that port forwarding and send us the show route; I just want to make sure that you don't have SLA monitoring and it is bouncing to outside2.
Cheers.
Mike
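As an added illustration of the routing decision Mike describes (example code, not from the thread or from Cisco): a small Python model of the two default routes from the post, with RFC 5737 placeholder next-hop addresses since the real ones are masked, showing that the reply to a ping that arrived on outside2 is routed out outside1 (asymmetric), while a reply to a ping on outside1 goes back the way it came.

```python
# Added example (not from the thread): models how the ASA picks an egress
# interface for a reply packet, using the two default routes quoted in the
# post, and flags the asymmetric-routing case Mike describes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int  # trailing number on the 'route' line (1 vs 100)


# Routing table from the post. The ISP addresses are masked there, so the
# next hops below are constructed RFC 5737 placeholders.
ROUTES: List[Route] = [
    Route("outside1", ipaddress.IPv4Network("0.0.0.0/0"), "192.0.2.233", 1),
    Route("outside2", ipaddress.IPv4Network("0.0.0.0/0"), "198.51.100.161", 100),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match first; among equal prefixes the lowest distance wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def reply_is_symmetric(ingress_iface: str, client_ip: str,
                       routes: List[Route] = ROUTES) -> bool:
    """True when the reply to a packet that arrived on ingress_iface would
    leave on that same interface; False means asymmetric routing, which the
    firewall treats as a reason to drop the flow."""
    chosen = lookup(client_ip, routes)
    return chosen is not None and chosen.iface == ingress_iface


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed Internet host pinging the firewall
    print("ping arriving on outside2 ->", reply_is_symmetric("outside2", client))  # False
    print("ping arriving on outside1 ->", reply_is_symmetric("outside1", client))  # True
```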