ASA problem


I have a scenario where ASA is connected with two distinct ISP's. is the address on outside1 interface of the ASA to connect with ISP1 and is the address on outside2 interface of the ASA to connect with ISP2.

I am running ospf on ASA and announce to those ISP's the class In order to do that, I configured another physical interface with name inet_adv and advertise it through ospf dynamic protocol.  Both ISP's receive my class, but I have no connectivity between ISP's and (the ip assigned to interface inet_adv) or other ip's from this network subnet.

I don't know what could be the problem. I know ASA should do proxy arp to respond to those ip's.


Thank you for your answer




  • Hi,

      ASA does not do proxy-arp like routers do; ASA does proxy-ARP only for NAT'ed addresses. Moreover ASA architecture does not allow you to transit the ASA for control-plane traffic (like traffic comming inbound on your outside1 interface is dropped if destined to ASA on any other interfaces). For data-plane traffic, check ACL, security-levels, NAT to see why traffic is not allowed; test using packet-tracer.



  • Hi Cristian,


    Thank you for your answer. My problem is , as you wrote, that "traffic comming inbound on your outside1 interface is dropped if destined to ASA on any other interfaces". Do you know if exist a workaround for this ASA default behaviour (ASA not capable of routing packets to a far end interface)?


    Thank you again

  • Hi,

    This is by design, there is no workaround; but to begin with, why do you even need that? Why can't you allow managament/control-plane traffic on the interface closest to the source? 

    The only exception to this is with an IPsec tunnel by using the management-interface functionality, where you basically terminate the IPsec tunnel on the ASA outside1 interface but you are allowed to manage it on the outside2 interface for example.



  • I will explain my scenario:

    I have 4 interfaces on ASA:
    outside_advertised: - subnet advertised in ospf to isp1 and isp2

    I want that ip's from subnet to be used in web vpn and ipsec vpn (not the ip's configured in outside interfaces) in order to be redundant if a provider fails and also be able to port forward for example to
    So basically the desired traffic flow would be: ISP1 -> outside_isp1 -> outside_advertised -> inside which I understand is not supported.
    That's why I'm looking for a workaround.
    Thank you again for your quick responses.

  • You want this for SSLVPN clientless or client-based with anyconnect? IPsec is it site-to-site or remote-access; if remote-access is it using IKEv1 (old IPsec client of Cisco) or IKEv2 (anyconnect) ? Your solution is not a valid design.

  • I want client-based with anyconnect and ipsec site-to-site.

  • Hi,

    For SSL VPN with anyconnect, make use of Anyconnect profiles and you can configure primary gateway to be outside1 and secondary gateway to be outside2 (assuming outside1 and outisde2 are public IP addresses).

    For site-to-site, as ASA supports only CMAP VPN (without a dedicated logical interface for the IPsec tunnel), use multiple "set peer" entries om the remote gateway with first being the outside1 and second being the outside2, also you can configure which one to be primary/preferred.



  • Ok, so this can be done. But will I be able to do port forwarding for the ip's in the announced subnet (ex. to

  • Yes, but the NAT configuration will not involve that interface of the ASA, only outside1/outside2 and the inside (where resides). 

  • As I understood, the following config should work (I want to port forward port 3389 in port 3389 for connections made on both internet service providers)?

    object network OBJ-

    object network OBJ-

    object service OBJ-TCP-3389
      service TCP source eq 3389

    nat (inside,outside_isp1) source static OBJ- OBJ- service OBJ-TCP-3389 OBJ-TCP-3389
    nat (inside,outside_isp2) source static OBJ- OBJ- service OBJ-TCP-3389 OBJ-TCP-3389



Sign In or Register to comment.