07-02-2012 01:04 AM - edited 03-11-2019 04:25 PM
Hi Guys,
Currently we are running one ISP through which incoming and outgoing traffic goes; let's call it ISP1.
We have this VC network where the traffic is very low, and we were thinking of shifting the web services' incoming traffic to it; let's call it ISP2.
I created a test web server for testing.
Things that I have done for the test environment:-
1. Create new interface (outside2) for ISP1
2. Create an ACL to allow the test web server HTTP port
3. Create static NAT for the test web server
4. Static Route the outside2 interface to ISP2
Attached is the simple diagram that I have created.
Everything worked fine until I enabled "ip verify reverse-path outside2". The test web server could no longer be accessed from outside. But when I turned the feature off, it was accessible again.
My question is why this would happen? Is there a particular setting I need to take note of or change in order to use the reverse-path?
Any advice is very helpful.
07-02-2012 05:48 AM
Not too sure how it works as you can't have 2 default gateway configured on an ASA.
And when you enabled "ip verify reverse-path", since you have 2 outside interfaces with a 0.0.0.0 route, it can't really check the source subnet against the routing table as you have 2 different interfaces with the same route.
07-02-2012 10:08 PM
Hi Jennifer,
Thanks for the clarification, but the route we set is based on the interface. Example:-
route outside 0.0.0.0 0.0.0.0 203.1.1.1
route outside2 0.0.0.0 0.0.0.0 203.2.1.1
Will they conflict with each other too?
07-03-2012 06:19 AM
Correct, having 2 default routes on the ASA towards 2 different interfaces is not a supported configuration.
Here is the doc for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007
Quoted from the doc:
If you attempt to define more than three equal cost default routes or a default route with a different interface than a previously defined default route, you receive the following message:
"ERROR: Cannot add route entry, possible conflict with existing routes."
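To make the two points in this thread concrete (the reverse-path check failing on outside2, and the ASA refusing a second default route on a different interface), here is a small Python model of an ASA static routing table with a strict reverse-path check. This is an added illustration, not Cisco code or anything from the original posts; the inside subnet 192.168.1.0/24 and the Internet client address 198.51.100.7 are constructed values, while the next hops 203.1.1.1 and 203.2.1.1 are the ones the poster gave.

```python
import ipaddress


class AsaRoutingTable:
    """Toy model of the ASA static routing table discussed in the thread
    (added example, not Cisco code)."""

    def __init__(self):
        self.routes = []  # list of (network, interface, next_hop)

    def add_route(self, interface, network, next_hop):
        """Mimic 'route <iface> <net> <mask> <next-hop>', including the
        default-route rule quoted from the ASA 8.4 guide: at most three
        equal-cost default routes, all on the same interface."""
        net = ipaddress.ip_network(network, strict=False)
        if net.prefixlen == 0:
            defaults = [r for r in self.routes if r[0].prefixlen == 0]
            if len(defaults) >= 3 or any(r[1] != interface for r in defaults):
                raise ValueError(
                    "ERROR: Cannot add route entry, possible conflict with existing routes.")
        self.routes.append((net, interface, next_hop))
        return self

    def lookup(self, address):
        """Longest-prefix match; returns (network, interface, next_hop) or None."""
        addr = ipaddress.ip_address(address)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r[0].prefixlen)


def rpf_check(table, ingress_interface, source_ip):
    """'ip verify reverse-path <iface>': the packet passes only if the route
    back to its source address exits the interface the packet arrived on.
    This is the anti-spoofing property the feature exists to enforce."""
    route = table.lookup(source_ip)
    return route is not None and route[1] == ingress_interface


def build_thread_table():
    """Table from the original post: one default route via ISP1 on 'outside'.
    The inside subnet is a constructed value."""
    table = AsaRoutingTable()
    table.add_route("inside", "192.168.1.0/24", "connected")
    table.add_route("outside", "0.0.0.0/0", "203.1.1.1")
    return table


def second_default_is_rejected(table):
    """Attempt the poster's 'route outside2 0.0.0.0 0.0.0.0 203.2.1.1'.
    Returns True if the table refuses it, as the ASA does."""
    try:
        table.add_route("outside2", "0.0.0.0/0", "203.2.1.1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = build_thread_table()
    client = "198.51.100.7"  # constructed Internet client address
    # Route back to the client is the default via 'outside', so a packet
    # arriving on 'outside2' fails the check even though it is legitimate.
    print("client via outside :", rpf_check(t, "outside", client))    # True
    print("client via outside2:", rpf_check(t, "outside2", client))   # False
    print("second default rejected:", second_default_is_rejected(t))  # True
```

Run as a script it reproduces the poster's symptom: with the only default route pointing at outside, every Internet source arriving on outside2 has its reverse path resolved to outside, so strict RPF on outside2 drops the web traffic. Adding a second default route on outside2 would make the check meaningful, but the table rejects it with the same message the accepted answer quotes.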