Routing to one destination from two VLAN's

Ivo Ruetsche

Hi all

We have on one side an administrative net (, that has to reach hosts in some different VLAN's ( and for example) through a VPN tunnel. The problem is that the default GW of the hosts in the VLAN's is not the same ASA as the endpoint of the tunnel.

I attach a pic which explains the situation (hopefully).

On the ASA with the IP I set a route:

asa2(config)# route inside_vlan260


So I can now reach all the hosts from the external network ( who are in the subnet - that works fine.

When I add another route for the hosts from the subnet, I get this error:

asa2(config)# route inside_vlan20
ERROR: Cannot add route entry, conflict with existing routes

Hmmm, okay, it's the same destination, but a different interface and a different gateway...

Any idea how I can solve this without setting static routes on the hosts?

ASA Software Version: 9.1(2)

Thanks a lot...


1 Reply

Jouni Forss


Does seem like a little problematic setup, especially when talking about having 2 ASA firewalls.

So if I understood correctly, the ASA at ISP2 is the default gateway for the LAN networks between the 2 ASAs and this causes problems with traffic forwarding.

One option would, I guess, be that you specifically route the network on the actual servers towards the ISP1 ASA while the default route would still be pointing towards the ISP2 ASA. If there is a need to do this for several hosts or the whole network then naturally it's not a very desirable setup.

If you were to do this on the ISP2 ASA with the routes you mention then the routes would not be enough to pull this off.

The first problem with the above set of routes is that you use the same/default metric. The other one has to have a worse metric. Naturally this also means that as long as the ASA looks at its routing table it will forward the traffic destined to that destination network always using the route with the better metric.

What you would have to do (if I am correct) is to use NAT to make the traffic take a U-turn on the Vlan20 and Vlan260 interfaces on the ISP2 ASA. The NAT will essentially first cause the ASA to choose the correct interface to forward the traffic out of, while the route (even with the worse metric) will then handle the forwarding of traffic towards the desired gateway.

So it would seem to me that the ISP2 ASA needs at least the following configurations:

  • First command (if not issued yet) enables traffic to enter and leave the same interface
  • Route commands with different metrics to same destination networks using different interfaces/gateways
  • NAT configurations, each of which tells the ASA that when traffic is coming from VLANX towards REMOTE, the outgoing/egress interface should be the same interface where the traffic entered.

same-security-traffic permit intra-interface

route inside_vlan20 1

route inside_vlan260 2

object network VLAN20


object network VLAN260


object network REMOTE


nat (inside_vlan20,inside_vlan20) source static VLAN20 VLAN20 destination static REMOTE REMOTE

nat (inside_vlan260,inside_vlan260) source static VLAN260 VLAN260 destination static REMOTE REMOTE

I have not really had a need to do such a configuration before.

Using "packet-tracer" would seem to indicate it behaves as wanted on my own test ASA.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
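The forwarding decision the reply describes (the identity NAT pins the egress interface first, the route on that interface then supplies the next hop, and the U-turn only works once intra-interface traffic is permitted) can be checked in a small model. The following Python is an added example, not code from the thread or from Cisco; it is a deliberate simplification of ASA behaviour for illustration, not a description of the ASA's internals. The addresses are constructed placeholders because the thread's real ones are not on the page: 192.0.2.0/24 stands for REMOTE, 10.20.0.0/24 and 10.60.0.0/24 for the two VLANs, and the .2 address in each VLAN for the ISP1 ASA's interface there.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder prefixes (the thread's real addresses are not on the page).
REMOTE = "192.0.2.0/24"    # the administrative net behind the VPN on the ISP1 ASA
VLAN20 = "10.20.0.0/24"    # hosts behind interface inside_vlan20
VLAN260 = "10.60.0.0/24"   # hosts behind interface inside_vlan260


class RouteConflict(ValueError):
    """Raised when a second route to the same prefix reuses the same metric."""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    metric: int = 1  # ASA semantics: a lower metric is preferred


@dataclass(frozen=True)
class NatRule:
    """Identity twice-NAT: matching flows must leave via 'egress'."""
    ingress: str
    egress: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


class AsaForwardingModel:
    """Simplified model: NAT chooses the egress interface, the route the next hop."""

    def __init__(self, intra_interface=False):
        # intra_interface mirrors 'same-security-traffic permit intra-interface'
        self.intra_interface = intra_interface
        self.routes = []
        self.nat_rules = []

    def add_route(self, interface, prefix, gateway, metric=1):
        net = ipaddress.ip_network(prefix)
        for r in self.routes:
            if r.prefix == net and r.metric == metric:
                # Same message the original poster hit with two equal-metric routes.
                raise RouteConflict("ERROR: Cannot add route entry, conflict with existing routes")
        self.routes.append(Route(net, interface, gateway, metric))

    def add_nat(self, ingress, egress, source, destination):
        self.nat_rules.append(NatRule(ingress, egress,
                                      ipaddress.ip_network(source),
                                      ipaddress.ip_network(destination)))

    def lookup_route(self, dst, interface=None):
        """Longest prefix, then lowest metric; optionally restricted to one interface."""
        dst_ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes
                      if dst_ip in r.prefix and (interface is None or r.interface == interface)]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def forward(self, ingress, src, dst):
        """Return ('forward', egress_interface, gateway) or ('drop', reason, None)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        pinned_egress = None
        for rule in self.nat_rules:  # first matching twice-NAT rule wins
            if rule.ingress == ingress and src_ip in rule.source and dst_ip in rule.destination:
                pinned_egress = rule.egress
                break
        route = self.lookup_route(dst, pinned_egress)
        if route is None:
            return ("drop", "no route on the selected egress interface", None)
        if route.interface == ingress and not self.intra_interface:
            return ("drop", "intra-interface traffic not permitted", None)
        return ("forward", route.interface, route.gateway)


def build_isp2_asa(with_nat=True, intra_interface=True):
    """The ISP2 ASA as configured in the reply: two metrics, two U-turn NAT rules."""
    asa = AsaForwardingModel(intra_interface=intra_interface)
    asa.add_route("inside_vlan20", REMOTE, "10.20.0.2", metric=1)
    asa.add_route("inside_vlan260", REMOTE, "10.60.0.2", metric=2)
    if with_nat:
        asa.add_nat("inside_vlan20", "inside_vlan20", VLAN20, REMOTE)
        asa.add_nat("inside_vlan260", "inside_vlan260", VLAN260, REMOTE)
    return asa


def conflict_message():
    """Reproduce the poster's error: a second route to REMOTE with the default metric."""
    try:
        build_isp2_asa().add_route("inside_vlan260", REMOTE, "10.60.0.2", metric=1)
    except RouteConflict as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(conflict_message())
    print("routes only :", build_isp2_asa(with_nat=False).forward("inside_vlan260", "10.60.0.10", "192.0.2.5"))
    print("NAT, no intra:", build_isp2_asa(intra_interface=False).forward("inside_vlan260", "10.60.0.10", "192.0.2.5"))
    print("full config :", build_isp2_asa().forward("inside_vlan260", "10.60.0.10", "192.0.2.5"))
```

Running it shows the three stages of the reply: with routes alone the VLAN260 host's traffic leaves via inside_vlan20 because the metric-1 route always wins; with the NAT rule but without the intra-interface permit it is dropped for re-entering the interface it arrived on; with the full configuration it leaves inside_vlan260 towards the metric-2 gateway.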
