09-29-2015 11:27 AM - edited 03-11-2019 11:39 PM
Hi All,
I have connected to the same ISP with two links from an ASA 5510 firewall.
I have got two /29 subnets from the ISP (10.10.10.216, gateway 10.10.10.217) and (10.10.10.224, gateway 10.10.10.225).
Scenario: I have mapped 4 private IP addresses to 4 public IP addresses from the first /29 subnet, and I mapped another 4 private IP addresses to public IP addresses from the second /29 subnet. But only the 4 addresses mapped from the first /29 network are reachable from the outside network; the other public addresses, which I mapped from the second /29 network, I am not able to access from the outside network.
I have configured the ASA firewall as shown below:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.220 255.255.255.248
!
interface Ethernet0/2
nameif outside1
security-level 0
ip address 10.10.10.228 255.255.255.248
!
I configured one default route towards gateway 10.10.10.217. When I try to add the second default route I get the following error:
(config)# route outside1 0 0 10.10.10.225
ERROR: Cannot add route entry, conflict with existing routes.
Please help me to fix the issue.
09-29-2015 01:36 PM
Hi,
I think the traffic via the outside1 interface is failing because the route lookup for the reverse traffic would still point out via the outside interface.
A possible workaround that I can think of is the use of dynamic PAT on the upstream device to which the ASA is connected.
Try changing the source IP of the traffic destined for outside1 to the IP address of the interface on the upstream device to which outside1 is connected.
This change would not affect traffic via the outside interface, but the reverse route lookup for the traffic via outside1 will be done using the connected route of the outside1 interface.
You will need to change your ACL accordingly.
Let us know if this helps in achieving your network requirement.
Thanks,
R.Seth
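The asymmetric return path described in the reply above can be shown with a small longest-prefix-match model of the ASA's routing table. This is an added example, not code from the thread or from Cisco: the two connected /29s, the single default route via outside and the gateway 10.10.10.217 are taken from the original post; the inside subnet 10.1.1.0/24, the Internet client address 198.51.100.10 and the "one default route only" rule that mimics the posted error are constructed assumptions.

```python
import ipaddress

# Constructed routing table modelled on the poster's ASA: two connected /29s
# (outside, outside1), an assumed inside /24 and one default route via outside.
# Each entry is (prefix, egress interface, next hop or None for connected).
ROUTES = [
    ("10.10.10.216/29", "outside", None),
    ("10.10.10.224/29", "outside1", None),
    ("10.1.1.0/24", "inside", None),              # assumed inside network
    ("0.0.0.0/0", "outside", "10.10.10.217"),     # the one default route
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (egress interface, next hop) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def reply_path(ingress_iface, client_src, routes=ROUTES):
    """Interface the ASA picks for the reply to client_src, plus whether that
    matches the interface the request arrived on (True = symmetric path)."""
    egress, _ = lookup(client_src, routes)
    return egress, egress == ingress_iface

def add_default_route(routes, iface, next_hop):
    """Model of the ASA refusing a second default route on another interface.
    Returns the new table; raises ValueError with the posted error text if a
    default route already exists (constructed approximation of ASA behaviour)."""
    if any(p == "0.0.0.0/0" for p, _, _ in routes):
        raise ValueError("Cannot add route entry, conflict with existing routes.")
    return routes + [("0.0.0.0/0", iface, next_hop)]

if __name__ == "__main__":
    client = "198.51.100.10"          # constructed Internet client
    # Request arrives on outside1 (static NAT in the second /29); reply lookup
    # for the client hits the default route and leaves via outside: asymmetric.
    print("reply via outside1 ingress:", reply_path("outside1", client))
    # Reply to a client that arrived via outside is symmetric.
    print("reply via outside ingress: ", reply_path("outside", client))
    # The suggested workaround: the upstream router PATs the client to its own
    # address on the outside1 subnet, so the reply matches the connected /29.
    print("after upstream PAT:        ", reply_path("outside1", "10.10.10.225"))
    try:
        add_default_route(ROUTES, "outside1", "10.10.10.225")
    except ValueError as e:
        print("ERROR:", e)
```

The model makes the reply's point visible: any source that only matches 0.0.0.0/0 is answered via outside regardless of where the request entered, so hosts translated into the second /29 are reachable only if the return lookup lands on the outside1 connected route.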
09-30-2015 09:57 PM
Hi Risseth,
Both the ASA outside and outside1 interfaces are directly connected to the ISP router. I guess we can touch the ISP devices. Is there any other option to fix this issue?
Thanks,
Rajesh
09-30-2015 10:34 PM
Hi Rakesh,
I understand that both interfaces are connected to the same ISP router and that they are part of different subnets.
But if you can configure NAT on that device, then it should resolve your problem.
Another feature that you can use is ZONES on the ASA. This feature is available on newer code. It will help in tackling asymmetric routing. You can check whether it is available on your ASA, or whether an image which has the "zone" feature is available for your ASA.
Also, share the ASA version that you are running.
Thanks,
R.Seth
09-30-2015 11:46 PM
I have configured it as mentioned below:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.4(5)
!
This platform has an ASA 5510 Security Plus license.
!
Ethernet0/0 66.128.148.220 YES CONFIG up
Ethernet0/1 10.1.1.253 YES CONFIG up
Ethernet0/2 66.128.148.228 YES manual up
!
nat (inside) 1 0.0.0.0 0.0.0.0
!
global (outside) 1 interface
global (outside1) 1 interface
!
route outside 0.0.0.0 0.0.0.0 66.128.148.217
!