Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1418
Views
0
Helpful
2
Replies

Connecting Two ASAs together via local interface

chelapurath
Level 1
Level 1

‎01-26-2014 11:16 AM - edited ‎03-11-2019 08:36 PM

Hi

I have two cisco ASA routers & wish to connect them together so that traffic between is permitted with out going outside interface.

Two asa are located at in ONE office and two have separate internet connection (ISP) configured.

So here is what I did so far.

configure one of the interface on each ASA with some IP adddress.

ASA 1  ------- interface 0/6   10.1.1.1  (ASA X 1512)

ASA 2 --------- interface 0/5  10.2.2.2  (ASA 5055)

now connected a Ethernet cable to these inferface.

I was able to addd a route on asa 2.

route add interface0/5 10.1.1.0/24  10.2.2.2

but when I add route on ASA 1 I get the following error.

route add interface0/6 10.2.2.2/24  10.1.1.1

%invalid next hop address it belongs to one of our interface.

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎01-26-2014 02:14 PM

Hi,

Seems to me that you are trying to configure a route that would tell the ASA to route traffic towards one network towards its own interface IP address, which doesnt really make sense as the nexthop should be some other devices IP address.

I am not quite sure what you are trying to achieve. Seems to me that you are connecting 2 ASA firewalls but I am still not sure what the purpose of this link is.

I think we would need some more information what you are attempting to achieve.

But the problem with the above addition of the route is that you are trying to route a remote network towards the same devices own interface IP address.

- Jouni

0 Helpful

chelapurath
Level 1
Level 1
In response to Jouni Forss

‎01-27-2014 02:48 PM

Sorry if I was not clear

I have two separate ISPs connecting two two separate ASAs.. Two asa are now connecting separate LANs.

Now I want to communicate between LANs.

So I connected an ethernet cable bw ASAs and trying to configure the route.

But not able to establish

Here is the configuration of ASA where I am faceing problem, while trying to add route

route add voice-interface 10.1.1.1/24  255.255.255.0  10.2.2.2 1

I get error says

route already exsists

interface GigabitEthernet0/0

nameif outside0

security-level 0

ip address 0.2.5.2 255.255.255.252

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

nameif inside2

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/5

nameif voice-interface

security-level 100

ip address 10.1.1.1 255.255.255.0

!

object network NETWORK_OBJ_12.1.3.0_2

subnet 12.1.3.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network OBJ_ALL_NETWORK

subnet 0.0.0.0 0.0.0.0

description Any Network

object network voice-asa-network

subnet 10.2.2.0 255.255.255.0

object network 10.1.1.1

host 10.1.1.1

access-list outside0_cryptomap extended permit ip 192.168.1.0 255.255.255.0 12.1.3.0 255.255.255.0

access-list inside2_access_in extended permit ip 192.168.1.0 255.255.255.0 any

nat (inside2,outside0) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_12.1.3.0_24 NETWORK_OBJ_12.1.3.0_24 no-proxy-arp route-lookup

!

object network OBJ_ALL_NETWORK

nat (any,outside0) dynamic interface

route outside0 0.0.0.0 0.0.0.0 0.2.5.2 1

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec security-association pmtu-aging infinite

crypto map outside0_map 1 match address outside0_cryptomap

crypto map outside0_map 1 set pfs

crypto map outside0_map 1 set peer 9.2.5.1

crypto map outside0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside0_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside0_map interface outside0

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes128-sha1 3des-sha1

group-policy GroupPolicy_6.2.5.1 internal

group-policy GroupPolicy_6.2.5.1 attributes

vpn-tunnel-protocol ikev1 ikev2

!

class-map inspection_default

match default-inspection-traffic

!

!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card