01-26-2014 11:16 AM - edited 03-11-2019 08:36 PM
Hi
I have two Cisco ASA routers and wish to connect them together so that traffic between them is permitted without going out the outside interface.
The two ASAs are located in ONE office and each has a separate internet connection (ISP) configured.
So here is what I did so far.
Configured one of the interfaces on each ASA with an IP address.
ASA 1 ------- interface 0/6 10.1.1.1 (ASA X 1512)
ASA 2 --------- interface 0/5 10.2.2.2 (ASA 5055)
Now connected an Ethernet cable to these interfaces.
I was able to add a route on ASA 2.
route add interface0/5 10.1.1.0/24 10.2.2.2
but when I add route on ASA 1 I get the following error.
route add interface0/6 10.2.2.2/24 10.1.1.1
%invalid next hop address it belongs to one of our interface.
01-26-2014 02:14 PM
Hi,
Seems to me that you are trying to configure a route that would tell the ASA to route traffic towards one network towards its own interface IP address, which doesn't really make sense as the next hop should be some other device's IP address.
I am not quite sure what you are trying to achieve. Seems to me that you are connecting 2 ASA firewalls but I am still not sure what the purpose of this link is.
I think we would need some more information what you are attempting to achieve.
But the problem with the above addition of the route is that you are trying to route a remote network towards the same device's own interface IP address.
- Jouni
01-27-2014 02:48 PM
Sorry if I was not clear
I have two separate ISPs connecting two separate ASAs. The two ASAs are now connecting separate LANs.
Now I want to communicate between LANs.
So I connected an Ethernet cable between the ASAs and am trying to configure the route.
But I am not able to establish it.
Here is the configuration of the ASA where I am facing the problem while trying to add the route
route add voice-interface 10.1.1.1/24 255.255.255.0 10.2.2.2 1
I get an error saying
route already exsists
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 0.2.5.2 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside2
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/5
nameif voice-interface
security-level 100
ip address 10.1.1.1 255.255.255.0
!
object network NETWORK_OBJ_12.1.3.0_2
subnet 12.1.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network OBJ_ALL_NETWORK
subnet 0.0.0.0 0.0.0.0
description Any Network
object network voice-asa-network
subnet 10.2.2.0 255.255.255.0
object network 10.1.1.1
host 10.1.1.1
access-list outside0_cryptomap extended permit ip 192.168.1.0 255.255.255.0 12.1.3.0 255.255.255.0
access-list inside2_access_in extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside2,outside0) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_12.1.3.0_24 NETWORK_OBJ_12.1.3.0_24 no-proxy-arp route-lookup
!
object network OBJ_ALL_NETWORK
nat (any,outside0) dynamic interface
route outside0 0.0.0.0 0.0.0.0 0.2.5.2 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside0_map 1 match address outside0_cryptomap
crypto map outside0_map 1 set pfs
crypto map outside0_map 1 set peer 9.2.5.1
crypto map outside0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside0_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside0_map interface outside0
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
group-policy GroupPolicy_6.2.5.1 internal
group-policy GroupPolicy_6.2.5.1 attributes
vpn-tunnel-protocol ikev1 ikev2
!
class-map inspection_default
match default-inspection-traffic
!
!
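The two errors in this thread (a next hop that is the ASA's own interface address, and a destination that is already a connected route) can be checked before a route is typed in. The following Python script is an added example, not Cisco's code or anything posted in the thread: it parses a constructed config fragment modelled on ASA 1's inside2 and voice-interface addresses and applies three sanity rules to a candidate static route. The accepted case assumes the peer ASA is renumbered onto the link subnet as 10.1.1.2, which is an assumption and not something the thread states.

```python
import ipaddress
# Constructed sample in the thread's ASA config style (not the poster's file);
# the two interfaces mirror ASA 1's inside2 and voice-interface addresses.
SAMPLE_CONFIG = """
interface GigabitEthernet0/2
 nameif inside2
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/5
 nameif voice-interface
 ip address 10.1.1.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name, addr = None, None  # start of a new interface block
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            addr = ipaddress.IPv4Interface("{}/{}".format(*line.split()[2:4]))
        if name and addr:
            ifaces[name] = addr
    return ifaces

def parse_route(line):
    """Parse 'route <nameif> <network> <mask> <gateway> [metric]'; ValueError otherwise."""
    tok = line.split()
    if len(tok) not in (5, 6) or tok[0] != "route":
        raise ValueError(f"not a static route: {line.strip()!r}")
    net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}")
    return tok[1], net, ipaddress.IPv4Address(tok[4]), int(tok[5]) if len(tok) == 6 else 1

def validate_route(line, config=SAMPLE_CONFIG):
    """Return (ok, reason) for a candidate static route checked against the config."""
    ifaces = parse_interfaces(config)
    ifname, net, gw, _ = parse_route(line)
    if ifname not in ifaces:
        return False, f"unknown interface {ifname!r}"
    if gw in {i.ip for i in ifaces.values()}:  # the error ASA 1 reported in the thread
        return False, "invalid next hop address, it belongs to one of our interfaces"
    if gw not in ifaces[ifname].network:       # the peer must sit on the link subnet
        return False, f"next hop {gw} is not on the {ifname} subnet {ifaces[ifname].network}"
    # connected subnets and already configured static routes both count as existing
    existing = {i.network for i in ifaces.values()}
    existing |= {parse_route(l)[1] for l in config.splitlines() if l.startswith("route ")}
    if net in existing:
        return False, f"route already exists for {net}"
    return True, "ok"
```

Note that with ASA 1 on 10.1.1.1/24 and ASA 2 on 10.2.2.2/24 the two link interfaces are on different subnets, so the check also flags 10.2.2.2 as unreachable from voice-interface until both ends share one subnet.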