From: Tim Curci (timcurci@roadrunner.com)
Date: Wed Sep 26 2007 - 23:08:20 ART
Quick question.
I am doing a perimeter configuration with two ASAs connecting to two different
ISPs.
On the primary internet connection I am trying to do SLA (20-second interval)
to the next hop of the primary ISP with a secondary default route (ip route
0.0.0.0 0.0.0.0 10.1.1.1 254) back to the inside part (inside interface) of
the network to the other ASA.
The inside interfaces of both ASAs are on the same private network.
Same-security-traffic intra-interface has been enabled and I am running 7.2.2
code.
When I disconnect the primary connection, the secondary route is inserted into
the routing table of the primary ASA; however, the packets are being dropped
(i.e. they are not making it to the backup default next hop of 10.1.1.1).
Packet tracer seems to indicate that the packets are being dropped at the
primary ASA because a global pool could not be found. I have "nat (inside) 1
0.0.0.0 0.0.0.0" and PAT on the outside interface with the ASA connecting to
the primary ISP.
Any thoughts?
The alternative would be to add a switch to the outside of the ASAs and have
the secondary default route go through a DMZ via SLA. I have the public addresses
available; however, I am trying to avoid this.
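The setup described above, reconstructed as an added example in ASA 7.2.x syntax (this is not the poster's actual configuration). The ISP next hop 203.0.113.1 and the host and destination addresses in the packet-tracer line are placeholders; the `global (inside)` remedy mentioned in the closing comment is an assumption drawn from the "no global pool" result, not something the post states.

```cisco
! Primary ASA: hairpin backup default route via the inside interface
same-security-traffic permit intra-interface
!
! SLA probe to the primary ISP next hop every 20 seconds (placeholder address)
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 20
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route, withdrawn when track 1 reports the next hop down
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route toward the second ASA on the shared inside network
route inside 0.0.0.0 0.0.0.0 10.1.1.1 254
!
! NAT as described in the post: all inside hosts PAT to the outside address.
! Pool 1 has a global only on the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Check with the primary link down (placeholder host/destination addresses):
! the egress interface is now inside, and pool 1 has no global there, which
! matches the "global pool could not be found" drop the post reports.
packet-tracer input inside tcp 10.1.1.50 12345 198.51.100.10 80
!
! Assumption, not from the post: giving pool 1 a global on the inside
! interface (global (inside) 1 interface) or exempting that path from NAT
! would let the hairpinned traffic match a translation on the backup route.
```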
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART