
I need help with static and default routes on ASA Firewall.

anthony_chedid1
Level 1

Hello, 

As you can see in my topology (attached below), the main idea of my project is to connect two remote networks through the WAN with an IPSec/GRE tunnel and to let one PC (PC3), from the network on the left, access the Internet or the other network (whichever it desires).

The (fake) Internet is emulated by 4 ISPs and a router at the center. They are configured with EIGRP.

The real Internet is the Cloud on the top.

At first I configured the IPSec/GRE tunnel (with ISP redundancy using ip sla) without configuring access to the real Internet. Everything works great and there are no problems; in order for it to work, a default route must be configured on each firewall with the "route 0 0" command.

Next I needed to configure the access to the Internet, but a problem arose. How can I assign a route for PC3 in order to access the Internet if the command route 0 0 is already in use? If I remove it, I create more problems: too many confusing static routes, loss of redundancy, ... And by the way, I'm not allowed to use EIGRP or OSPF for the Firewall.

I did some research and found something called "route-map" but apparently it doesn't work with ASA.

So, in short, I need to have an IPSec/GRE tunnel from one network to another with redundancy over the ISPs and to give PC3 access to both the other network and the Internet. How can I fix the static/default route problem on the Firewall FW-1?

Thank you

2 Replies

What version ASA are you running?

You could set up an SLA track and configure two default routes, one route with a higher admin distance, and track the reachability on the primary default route.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

--

Please remember to select a correct answer and rate helpful posts


Thanks for replying,

I'm using ASA 8.4.2. I have already set up an SLA track and configured two default routes on the ISPs so that the IPSec tunnel will still be up if either one of the ISP routers stops working. Plus, an SLA track will not solve my problem. As I know, the SLA track is used for redundancy, which isn't what I'm looking for here.

I want to give PC3 the ability to access the Internet or the other network whenever it wants.
