Can the ASA have two default routes?

kope
Level 1

Dear experts,

        rtr 1                       rtr 2
          .1                          .2
          |                           |
          |------ 10.10.10.0/24 ------|
          |                           |
     ASA_active                 ASA_standby

My scenario is this: I have two ASAs configured as active/standby, connected to two routers (rtr1, rtr2) on the provider side.

Between them they are on the same subnet as shown here.

Can I configure the ASA with two default routes here?

i.e.

route outside 0.0.0.0 0.0.0.0 10.10.10.1

route outside 0.0.0.0 0.0.0.0 10.10.10.2

Would this work?

Do you see any issue?

thanks

Accepted Solution

Hello Kope,

If what you are looking for is redundancy, SLA monitoring is the right feature for you.

Take a look at the following link, this will show you what to do:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Please mark the question as answered if there is nothing else we can do for you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


8 Replies

varrao
Level 10

No, the ASA cannot have two default routes; it would always hit the default route with the lower metric value. You can, however, configure SLA monitoring on the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Thanks,

Varun

Thanks,
Varun Rao

Hi Kope,

Yes, you can have up to 3 equal-cost routes on the same interface in an ASA.

Hope this helps.

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/ip.html#wp1047894

Good luck!

Hello Kope,

As Varun said, the ASA is going to send the traffic through the interface with the lowest metric value. Even if the route goes down, it is not going to be taken out of the routing table of the ASA, so there is not much you can do about that, unless you configure SLA monitoring, which will let you monitor these default routes and remove the entry from the routing table if that route goes down.

Please let me know if this is what you are looking for, and I will be more than glad to explain the SLA monitoring feature to you in more detail.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I think that Kope's objective is load sharing between both ISP links. Based on the Cisco documentation, you can have up to 3 equal-cost routes with the same destination address, pointing to different gateways in the same subnet.

Check this out.

The following example shows static routes that are equal cost routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways.

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/ip.html#wp1047894

Hope that helps,

Regards,

Hello rchockeelopez,

Load balancing is not supported on an ASA.

What Kope is looking for is router functionality. Therefore, for the load balancing, you should have a router handle it, while the ASA can sit behind the router to do the firewall functionality.

Traffic will always be sent on the interface with the lowest metric.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Difan Zhao
Level 5

Hey Kope,

Please tell us that you have a switch between the routers and the ASAs... You will be in trouble if you have direct cable connections between the ASAs and routers.

Hey all,

I have the same confusion as rchockeelopez. I just read the 8.3 manual and I found the same thing that you can define up to three default routes and traffic will be "distributed among the specified gateways".

However, even if it actually works, IT IS NOT A GOOD IDEA. For example, when rtr2 fails, you will have about half of your traffic discarded unless you put on some fancy tracking config.

What I suggest is that you configure GLBP on the routers. Both routers share a virtual IP .254. You configure one default route to point to .254 on your ASA. Sometimes rtr1 is the active for the IP and sometimes rtr2 is active. This way you achieve both redundancy and load balancing.

HTH

Difan

I was looking for redundancy, not load sharing, and whether static (default) routes suffice here.

Yes, there is a switch between the routers and the ASAs, so they can be on the same subnet. It looks like I need to configure some sort of IP SLA if I am using default routes. Given that two default routes with an equal metric are not allowed, I think I can use two different metrics, one higher than the other, and set the lowest metric on the link where the ASA is active.

I am not looking at load sharing here, since the ASA is running active/standby anyway. I am just concerned about redundancy.

Actually, I think it is easier to run OSPF or EIGRP between the routers and the ASA, and let the routing protocol take care of the failed link if it happens. The other option I may have is running HSRP on rtr1 and rtr2, so the ASA can just point to one single IP for the ISP.

It is a strange deal; I think I am going to talk to the provider to see if they can run HSRP on their routers.

thanks all.
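An added configuration example (not posted by anyone in this thread) of the arrangement Kope describes above, combined with the SLA monitoring feature Julio points to: a primary default route toward rtr1 whose presence in the routing table follows an ICMP probe, plus a floating default route toward rtr2 with a higher metric. The sla/track IDs, probe timers and metrics are assumptions; the probe target is rtr1's 10.10.10.1 from the diagram, so it detects the local link or router failing but not a failure further upstream in the provider (tracking an address beyond rtr1 covers that case too).

```cisco
! Constructed example: ICMP echo probe toward rtr1 (10.10.10.1) sent from the outside interface
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 mirrors the reachability result of SLA operation 10
track 1 rtr 10 reachability
!
! Primary default route: metric 1, removed from the routing table while track 1 is down
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
!
! Floating default route: higher metric, so it is only used while the tracked route is absent
route outside 0.0.0.0 0.0.0.0 10.10.10.2 254
!
! Verification (exec mode, not configuration):
!   show route | include 0.0.0.0
!   show sla monitor operational-state 10
!   show track 1
```

On the active/standby pair the configuration replicates to the standby unit; only the active unit sends the probes, so the failover itself needs no extra routing configuration.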
