
multiple default route in ASA

moussa.malqui1
Level 1

Hi all,

How can I define multiple default routes in ASA?

route tcvpn 0 0 10.240.20.1

route cacvpn 0 0 10.240.30.1

When I put in the second route I get "this route already exists". What is the solution?

29 Replies

It is correct that you would access the service using 10.240.2.28 instead of 10.240.1.28.  But NAT would need to be done on the router and not the ASA.  Or optionally you could do the NAT at the remote side.

--
Please remember to select a correct answer and rate helpful posts

I defined this NATed IP address but I didn't get access to the resources/services in the remote site. In the ISP router the VPN link is established to the remote site, but my objective is to get access to the services at 10.240.1.28 via two gateways: 10.240.20.1 for tcvpn and 10.240.30.1 for cacvpn. Is there any solution I can put in my ASA?

Sorry for the late reply as I have been quite busy lately with work and family.

The only option then is to enable tcp bypass or traffic zone for ECMP to account for asynchronous routing.  Only using traffic zones will allow you to have multiple routes to the same destination with the same metric.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius, but how can I NAT those services at one of the sites? Can you explain more? What commands should I put in?

Since both VPNs are terminated on the same router you will need to do the NAT on the router and not the ASA.

--
Please remember to select a correct answer and rate helpful posts

I'm not sure what you really want to achieve, but it's very likely that PBR is the solution.

Thanks Karsten, but how can I define it in my ASA version 9.2?

If you want to use PBR, though I do not believe this will solve your problem, you will need to upgrade to version 9.4(1) or higher.

--
Please remember to select a correct answer and rate helpful posts

Check your other post.  You need to set up static routes for the remote VPN subnets.  If there are many remote subnets I suggest summarizing them.

Although zoned ECMP would allow you to set up default routes pointing out each interface, the problem you will run into is that traffic will be load-balanced across these interfaces, meaning traffic that is destined for VPN1 might be sent out the wrong interface.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius, but when I set up static routes for the subnet I get "error: this interface is directly connected".

You need to define the remote network not the network connected to the ASA interface.  To be more specific, the network at the remote side of the site to site VPN tunnel.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius, I understand what you say. So I think I will use zoned ECMP, because I don't have the IP addresses for the site-to-site VPN; I should contact the provider.

As mentioned earlier, zoned ECMP will not solve your issue as this will just load-balance the traffic over the interfaces.  That means that traffic for one VPN site could be sent out the wrong interface.  To solve your problem you MUST get the remote site addresses and enter static routes.

But is the site to site VPN terminated on the ASA or the ISP router?

--
Please remember to select a correct answer and rate helpful posts
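An added configuration example of the static-route design Marius recommends in this thread; it is not configuration posted by anyone in the thread or published by Cisco. It keeps one default route via the tcvpn gateway and adds specific routes for the networks behind the cacvpn tunnel, so longest-prefix matching, not a second default route, picks the gateway. The interface names (tcvpn, cacvpn) and next hops are the ones from the question; the remote subnets 192.0.2.0/24 and 198.51.100.0/24 are placeholders, since the poster still had to obtain the real ones from the provider.

```cisco
! Added example, not configuration from the thread. Interface names and next hops
! are those in the question; the remote subnets are placeholders.

! Exactly one default route. A second "route <if> 0 0 <gw>" with the same
! distance (1) on another interface is rejected as a duplicate, which is the
! error the poster hit.
route tcvpn 0.0.0.0 0.0.0.0 10.240.20.1 1

! Networks on the far side of the cacvpn tunnel (replace the placeholders with
! the subnets the provider gives you, summarized where possible). Only traffic
! to these prefixes is sent to 10.240.30.1; everything else follows the default.
! Do not enter the subnet of the cacvpn interface itself: that is what produces
! "this interface is directly connected".
route cacvpn 192.0.2.0 255.255.255.0 10.240.30.1 1
route cacvpn 198.51.100.0 255.255.255.0 10.240.30.1 1

! Optional: a floating default route with a higher administrative distance via
! cacvpn. It is accepted because the distance differs, and it is only installed
! if the primary default route disappears (for example when tcvpn goes down).
route cacvpn 0.0.0.0 0.0.0.0 10.240.30.1 254

! Verify which routes are installed in the routing table.
show route
```

With this layout both VPN gateways are used deterministically by destination, which avoids the problem Marius describes with zoned ECMP: return traffic and forward traffic for a given remote subnet always leave through the same interface, so no TCP state bypass is needed.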

The site-to-site VPN is terminated on the ISP router.

Thanks Marius
