From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Thu Sep 27 2007 - 04:50:35 ART
try putting this in your configuration:
global (inside) 1 interface
With ASA/PIX even if you have NAT-Control disabled (i.e. 'no nat-control'),
once you have a dynamic translation on the higher security interface like
inside (with a nat statement), you need to have corresponding global
statements (or appropriate NAT exemption).
Regards
Farrukh
On 9/27/07, Tim Curci <timcurci@roadrunner.com> wrote:
>
> Quick question.
>
> I am doing a perimeter configuration with two ASAs connecting to two
> different
> ISPs.
>
> On the primary internet connection I am trying to do SLA (20 second
> interval)
> to the next hop of the primary ISP with a secondary default route (ip
> route
> 0.0.0.0 0.0.0.0 10.1.1.1 254) back to the inside part (inside interface)
> of
> the network to the other ASA.
>
> The inside interfaces of both ASAs are on the same private network.
>
> Same-security-traffic intra-interface has been enabled and I am running
> 7.2.2
> code.
>
> When I disconnect the primary connection, the secondary route is inserted
> into
> the routing table of the primary ASA, however, the packets are being
> dropped.
> (i.e. they are not making it to the backup default next hop of 10.1.1.1).
>
> Packet tracer seems to indicate that the packets are being dropped at the
> primary ASA because a global pool could not be found. I have "nat (inside)
> 1
> 0.0.0.0 0.0.0.0" and PAT on the outside interface with the ASA connecting
> to
> the primary ISP.
>
> Any thoughts?
>
> The alternative would be to add a switch to the outside of the ASAs and
> have
> the secondary default route go thru a DMZ via SLA. I have the public
> addresses
> available, however, I am trying to avoid this.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART