06-02-2011 07:40 AM - edited 03-11-2019 01:41 PM
I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface.
The 5520 has a site-to-site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet.
When I set my 3750 stack's default route to the inside2 interface IP, I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
I get the following errors when I try to open google.com from a production server:
Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?
06-02-2011 10:24 AM
Hi Scott,
First of all you need to have a default route for the traffic going in from inside2 to outside2, and then try adding the following config:
static (outside2,inside2) 0.0.0.0 0.0.0.0
sysopt noproxyarp inside2
It would divert all the traffic from inside2 to the outside2 interface.
Let me know if it works.
Thanks,
Varun
06-02-2011 12:29 PM
Varun,
I'm anxious to try your suggestion, but I don't think I'm using the right commands in the CLI or configuring it correctly in ASDM. I apologize for my limited knowledge, but could you reply with the exact syntax?
Thanks
06-02-2011 12:34 PM
Hi Scott,
For the CLI, this is exactly the correct syntax; make sure you enter configuration mode first by doing "config t".
ASA(config)# static (outside2,inside2) 0.0.0.0 0.0.0.0
ASA(config)# sysopt noproxyarp inside2
ASA(config)# route outside2 0.0.0.0 0.0.0.0
Hope this helps.
Thanks,
Varun
06-02-2011 12:48 PM
172.16.4.129 = inside2 interface IP
I just executed this input:
ASA# config t
ASA(config)# static (outside2,inside2) 0.0.0.0 0.0.0.0
ASA(config)# sysopt noproxyarp inside2
ASA(config)# route outside2 0.0.0.0 0.0.0.0 172.16.4.129
****The VPN connection on outside/inside breaks, so I assume it's the wrong IP and remove it****
ASA(config)# no route outside2 0.0.0.0 0.0.0.0 172.16.4.129
ASA(config)# route outside2 0.0.0.0 0.0.0.0
ERROR: Cannot add route entry, possible conflict with existing routes
Should the
06-02-2011 12:54 PM
Hi Scott,
Yes, the IP address would be the IP of your router which is connected to the outside2 interface.
To check which static routes are configured on your FW, do "show run route".
Thanks,
Varun
06-02-2011 01:38 PM
ASA(config)# route outside2 0.0.0.0 0.0.0.0
***This broke my VPN connection*** I'm not sure why.
Here is the current output:
ASA(config)# sho run route
route outside 0.0.0.0 0.0.0.0
route inside2 0.0.0.0 0.0.0.0
route inside 172.16.0.0 255.255.0.0
I am now noticing in the syslog that the requests are going from inside2 to outside2, but the SYN timeout error messages still exist, which is probably why the web pages will not load. I'm very confused as to why my VPN on the outside interface breaks when I try to set a default route on the outside2 interface.
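The two mistakes visible in this thread (a default route whose next hop is the ASA's own inside2 address, and a second default route on a different interface, which is what the "possible conflict with existing routes" error refers to) can be caught by a small check over the `show run route` output before the change is applied. This is an added example, not part of the thread; the interface addresses other than inside2's 172.16.4.129 and the next hops in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed interface addresses; only inside2 (172.16.4.129) comes from the thread.
INTERFACE_ADDRS = {
    "inside": ipaddress.ip_interface("172.16.1.1/24"),
    "inside2": ipaddress.ip_interface("172.16.4.129/25"),
    "outside": ipaddress.ip_interface("198.51.100.10/24"),
    "outside2": ipaddress.ip_interface("203.0.113.10/24"),
}

# Constructed "show run route" lines modelled on the thread; next hops are placeholders.
SAMPLE_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route inside2 0.0.0.0 0.0.0.0 172.16.4.129
route inside 172.16.0.0 255.255.0.0 172.16.1.254
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_routes(text):
    """Return (interface, network, next_hop) tuples from ASA 'route' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(gw)))
    return routes


def check_routes(routes, iface_addrs):
    """Flag next hops that are the ASA's own address or off the egress subnet,
    and a default route present on more than one interface."""
    findings = []
    default_ifaces = set()
    for iface, net, gw in routes:
        addr = iface_addrs.get(iface)
        if addr is None:
            findings.append(f"{iface}: unknown interface")
            continue
        if gw == addr.ip:
            findings.append(f"{iface}: next hop {gw} is the ASA's own address, not the peer router")
        elif gw not in addr.network:
            findings.append(f"{iface}: next hop {gw} is not on the {addr.network} subnet")
        if net.prefixlen == 0:
            default_ifaces.add(iface)
    if len(default_ifaces) > 1:
        findings.append("default route on more than one interface: " + ", ".join(sorted(default_ifaces)))
    return findings
```

Run `check_routes(parse_routes(SAMPLE_ROUTES), INTERFACE_ADDRS)` against the real `show run route` output and the interface table from `show interface ip brief` before adding the outside2 default route.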