Static VS Route
10-18-2012 09:14 AM - edited 03-11-2019 05:11 PM
Good day, I have a question.
I have an ASA 5505 with 2 ISPs and a Security Plus license. What I am trying to accomplish is the following:
ISP1 = default route
ISP2 = special traffic
What I have done is:
route ISP1 0 0 ( My ISP 1 DFG ) 1
route ISP2 0 0 ( My ISP 2 DFG) 254
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
Now I do have a web service that I need to go out ISP1 that uses port 80.
Now to my question!!!
If I add an additional route like
route ISP1 xxx.xxx.xxx.xxx 255.255.255.255 ( My ISP 1 DFG ) 1
will the ASA follow the route statement or the static statement?
10-18-2012 09:59 AM
Hello,
I would say it will follow the static NAT statement.
What you could do is configure a static NAT statement for that web server on ISP1 and put it at the top of the hierarchy of NAT statements.
Regards,
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-18-2012 10:01 AM
I just thought about that, so it would look like this:
static (ISP1,inside) tcp 0.0.0.0 80 xxx.xxx.xxx.xxx 80
static (ISP1,inside) tcp 0.0.0.0 443 xxx.xxx.xxx.xxx 443
static (ISP1,inside) tcp 0.0.0.0 80 yyy.yyy.yyy.yyy 80
static (ISP1,inside) tcp 0.0.0.0 443 yyy.yyy.yyy.yyy 443
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are the 2 web pages I need going out ISP1.
10-18-2012 10:03 AM
Hello,
Well, why don't you be more specific? On the ISP1 NAT you should use the specific IP addresses instead of 0.0.0.0.
Regards,
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-18-2012 11:27 AM
WARNING: mapped-address conflict with existing static
TCP ISP2:0.0.0.0/80 to inside:0.0.0.0/80 netmask 0.0.0.0
ERROR: unable to reserve port 80 for static PAT
ERROR: unable to download policy
This does not seem to work.
hmmm
10-18-2012 11:35 AM
Hello,
Share the updated config.
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-18-2012 11:38 AM
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
And as soon as I try the more specific NAT it says it has been reserved.
10-18-2012 11:46 AM
Hello,
Correct,
because you need to remove the previous ones first.
Now on the more specific ones use specific IPs.
So it will be:
no static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
no static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
static (ISP1,inside) tcp 4.2.2.2 80 XX.X.X 80
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
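Pulling the thread's fix together in one ordered block, as an added example rather than any poster's configuration. It keeps the thread's interface names (ISP1, ISP2, inside) and placeholders (xxx.xxx.xxx.xxx / yyy.yyy.yyy.yyy for the two web hosts that must leave via ISP1; the `<ISP1-DFG>` / `<ISP2-DFG>` gateways and the 192.168.1.10 / 8.8.8.8 test addresses are constructed placeholders), and assumes the pre-8.3 `static (real_ifc,mapped_ifc)` syntax used above. The mapped side of the specific statics is the destination host itself, not 0.0.0.0, which is why they no longer collide with the catch-all mapping on inside.

```cisco
! Routes: ISP1 is the default; ISP2 is only reachable through the statics below.
route ISP1 0.0.0.0 0.0.0.0 <ISP1-DFG> 1
route ISP2 0.0.0.0 0.0.0.0 <ISP2-DFG> 254

! Remove the catch-all statics first; otherwise the specific ones are rejected
! with "mapped-address conflict with existing static" (the error seen above).
clear xlate
no static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
no static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0

! Specific hosts first, above the catch-all as recommended above: identity
! statics pin these two destinations to ISP1. Mapped and real address are
! the same host, so nothing overlaps the 0.0.0.0 mapping that follows.
static (ISP1,inside) tcp xxx.xxx.xxx.xxx www xxx.xxx.xxx.xxx www netmask 255.255.255.255
static (ISP1,inside) tcp xxx.xxx.xxx.xxx https xxx.xxx.xxx.xxx https netmask 255.255.255.255
static (ISP1,inside) tcp yyy.yyy.yyy.yyy www yyy.yyy.yyy.yyy www netmask 255.255.255.255
static (ISP1,inside) tcp yyy.yyy.yyy.yyy https yyy.yyy.yyy.yyy https netmask 255.255.255.255

! Catch-all last: every other web/https destination leaves via ISP2.
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
sysopt noproxyarp inside

! Verify which interface each flow really exits: as the answer above says, the
! static, not the route lookup, decides the egress interface here, so check the
! "output-interface" line in the result section of packet-tracer.
packet-tracer input inside tcp 192.168.1.10 12345 xxx.xxx.xxx.xxx 80
! expect: output-interface: ISP1
packet-tracer input inside tcp 192.168.1.10 12345 8.8.8.8 80
! expect: output-interface: ISP2
```

If a port-80 flow still shows the wrong output interface, `show xlate` will reveal a stale translation from before the change; clear it and re-run the packet-tracer checks.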
