Static VS Route

t805139
Level 1

Good day, I have a question.

I have an ASA 5505 with 2 ISPs and a Security Plus license. What I am trying to accomplish is the following:

ISP1 = Default Route

ISP2 = Special Traffic

What I have done is

route ISP1 0 0 ( My ISP 1 DFG ) 1

route ISP2 0 0 ( My ISP 2 DFG) 254

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

Now I do have a web service that I need to go out ISP1 that uses port 80

Now to my question!

if I add an additional route like

route ISP1 xxx.xxx.xxx.xxx 255.255.255.255 ( My ISP 1 DFG ) 1

Will the ASA follow the route statement or the static statement?

7 Replies

Julio Carvajal
VIP Alumni

Hello,

I would say it will follow the static NAT statement.

What you could do is configure a static NAT statement for that web server on ISP1 and put it at the top of the hierarchy of NAT statements.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I just thought about that, so it would look like this:

static (ISP1,inside) tcp 0.0.0.0 80 xxx.xxx.xxx.xxx 80

static (ISP1,inside) tcp 0.0.0.0 443 xxx.xxx.xxx.xxx 443

static (ISP1,inside) tcp 0.0.0.0 80 yyy.yyy.yyy.yyy 80

static (ISP1,inside) tcp 0.0.0.0 443 yyy.yyy.yyy.yyy 443

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are the 2 web pages I need going out ISP1.

Hello,

Well, why don't you be more specific? On the ISP1 NAT you should use the specific IP addresses instead of 0.0.0.0.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

WARNING: mapped-address conflict with existing static

TCP ISP2:0.0.0.0/80 to inside:0.0.0.0/80 netmask 0.0.0.0

ERROR: unable to reserve port 80 for static PAT

ERROR: unable to download policy

This does not seem to work.

hmmm

Hello,

Share the updated config

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

and as soon as I try the more specific NAT it says it has been reserved.

Hello,

Correct.

Because you need to remove the previous ones first.

Now on the more specific ones use specific IPs.

So it will be:

no static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

no static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

static (ISP1,inside) tcp 4.2.2.2 80 XX.X.X 80

static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
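The two points the thread turns on, that a matching static (destination translation) fixes the egress interface before the routing table is consulted, and that a catch-all 0.0.0.0 static reserves the port so a more specific static must be entered after the catch-all has been removed and before it is re-added, can be checked with a small model. The following Python is an added example, not the poster's configuration or Cisco code: it parses pre-8.3 `static` and `route` lines into an ordered first-match list, reproduces the mapped-address conflict the poster hit, and answers the original question (the host route does not win; the static does). The interface names come from the thread; the addresses (203.0.113.10 and 203.0.113.20 standing in for the xxx/yyy web servers, 192.0.2.1 and 198.51.100.1 as the two gateways) and the simplified conflict rule are assumptions.

```python
"""Model of pre-8.3 ASA egress selection: ordered static (destination NAT)
statements are walked first-match; routes are consulted only if none matches.
Added example, not the thread's config; addresses and the conflict rule are
assumptions (TEST-NET ranges stand in for the poster's xxx/yyy servers)."""
import ipaddress
import re
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "https": 443}
STATIC_RE = re.compile(
    r"static \((?P<real>\w+),(?P<mapped>\w+)\) tcp (?P<mip>\S+) (?P<mport>\S+) "
    r"(?P<rip>\S+) (?P<rport>\S+)(?: netmask (?P<mask>\S+))?$")
ROUTE_RE = re.compile(
    r"route (?P<ifc>\w+) (?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+)(?: (?P<metric>\d+))?$")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _net(addr, mask):
    # "route ISP1 0 0 ..." is ASA shorthand for 0.0.0.0 0.0.0.0
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Static:  # static (real_ifc,mapped_ifc) tcp mapped_ip port real_ip port
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Route:
    ifc: str
    net: ipaddress.IPv4Network
    gateway: str
    metric: int


def _parse_static(line):
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse: {line}")
    # Without an explicit netmask, 0.0.0.0 shows up as "netmask 0.0.0.0" in the
    # poster's running config; any other address is treated as a host (/32).
    mask = m["mask"] or ("0.0.0.0" if m["mip"] == "0.0.0.0" else "255.255.255.255")
    return Static(m["real"], m["mapped"], _net(m["mip"], mask),
                  _port(m["mport"]), m["rip"], _port(m["rport"]))


class Asa:
    def __init__(self):
        self.statics = []  # order is significant: first match wins
        self.routes = []

    def configure(self, line):
        line = " ".join(line.split())
        if line.startswith("no static "):
            victim = _parse_static(line[3:])
            self.statics = [s for s in self.statics if s != victim]
        elif line.startswith("static "):
            new = _parse_static(line)
            # Simplified model (assumption) of the "mapped-address conflict" seen
            # in the thread: a mapped address/port already covered by an earlier
            # static on the same mapped interface cannot be reserved again.
            for old in self.statics:
                if (old.mapped_ifc == new.mapped_ifc and old.mapped_port == new.mapped_port
                        and new.mapped_net.subnet_of(old.mapped_net)):
                    raise ValueError("mapped-address conflict with existing static "
                                     f"{old.mapped_ifc}:{old.mapped_net} port {old.mapped_port}")
            self.statics.append(new)
        elif line.startswith("route "):
            m = ROUTE_RE.match(line)
            if not m:
                raise ValueError(f"cannot parse: {line}")
            self.routes.append(Route(m["ifc"], _net(m["net"], m["mask"]), m["gw"],
                                     int(m["metric"] or 1)))
        else:
            raise ValueError(f"unsupported line: {line}")

    def egress(self, ingress_ifc, dst_ip, dst_port):
        dst = ipaddress.ip_address(dst_ip)
        # 1) destination translation: a static whose mapped side faces the
        #    ingress interface decides the egress interface before any route lookup
        for s in self.statics:
            if s.mapped_ifc == ingress_ifc and s.mapped_port == dst_port and dst in s.mapped_net:
                return s.real_ifc, "static"
        # 2) no translation: longest prefix, then lowest metric
        hits = [r for r in self.routes if dst in r.net]
        if not hits:
            return None, "no route"
        best = max(hits, key=lambda r: (r.net.prefixlen, -r.metric))
        return best.ifc, "route"


def apply(asa, config):
    for line in config.strip().splitlines():
        asa.configure(line)
    return asa


def try_add(asa, line):
    """Return None if the line is accepted, else the rejection message."""
    try:
        asa.configure(line)
        return None
    except ValueError as e:
        return str(e)


# Constructed to mirror the poster's starting point plus the host route asked
# about; 203.0.113.10 is the web service that must leave via ISP1.
START = """
route ISP1 0 0 192.0.2.1 1
route ISP2 0 0 198.51.100.1 254
route ISP1 203.0.113.10 255.255.255.255 192.0.2.1 1
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0
"""

# The remove / add specific / re-add catch-all sequence from the last reply,
# with identity statics for both web servers (203.0.113.20 is the second one).
FIX = """
no static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
no static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0
static (ISP1,inside) tcp 203.0.113.10 80 203.0.113.10 80
static (ISP1,inside) tcp 203.0.113.10 443 203.0.113.10 443
static (ISP1,inside) tcp 203.0.113.20 80 203.0.113.20 80
static (ISP1,inside) tcp 203.0.113.20 443 203.0.113.20 443
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443 netmask 0.0.0.0
"""

if __name__ == "__main__":
    asa = apply(Asa(), START)
    print(asa.egress("inside", "203.0.113.10", 80))  # static wins over the host route
    print(try_add(asa, "static (ISP1,inside) tcp 203.0.113.10 80 203.0.113.10 80"))
    apply(asa, FIX)
    print(asa.egress("inside", "203.0.113.10", 80))  # now ISP1 via the specific static
```

Running the script shows the three states in order: with only the host route added, port 80 to the web server still leaves via ISP2 because the catch-all static matches first; adding the specific static while the catch-all is present is rejected as a mapped-address conflict; after the remove/add/re-add sequence the specific static sits ahead of the catch-all and port 80 to that server leaves via ISP1 while all other port 80/443 traffic still leaves via ISP2 and everything else follows the ISP1 default route.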