topic Cisco ASA routing issue part 2 in Routing and SD-WAN

Cisco ASA routing issue part 2

TECH-JEFF — Tue, 05 Mar 2019 11:20:06 GMT

Hi guys, not sure if you can still recall my previous post about routing issue, hehe. Anyways this one is new. When I inherited this Cisco ASA device from a previous Net Ad. I haven't modified much of his settings. BTW, Am I allowed to post ip addresses here for a more detailed explanation? Written in BLUE are comments

Anyways, here is the issue.

device has static routes:

//Below are local ip scopes

192.168.130.x 255.255.255.0 192.168.130.x(virtual gateway)

192.168.131.x 255.255.255.0 192.168.131.x(virtual gateway)

//Below are default routes to WAN(ISP)

0.0.0.0 0.0.0.0 x.x.x.x.ISP1

0.0.0.0 0.0.0.0 x.x.x.xISP2

//Interface

G0/0: inside security level 100 192.168.150.x 255.255.255.0

G0/1 DMZ security level 50 172.16.x.x 255.255.255.0

G0/2: Outside-ISP2 seucirty level 0 x.x.x.x 255.255.255.248

G0/3: Outside-ISP1 security level 0 x.x.x.x 255.255.255.248

//Access Rules

Zone DMZ

any any ip allow

any any icmp allow

any any ip deny implicit rule

Zone inside

any any icmp permit

any any ip permit

any any ip deny implicit rule

Zone management //ignore this since management port is not being use as of the moment

any any ip permit

any any icmp permit

any any ip deny implicit rule

Zone Outside-ISP2

any x.x.x.x (one of ISP2 ip block useable ip) permit

any x.x.x.x (another of ISP2 ip block useable ip) permit

any any icmp and domain permit

any any deny implicit rule

Zone Outside-ISP1

any any domain permit

any any ip deny implicit rule

//Lastly NAT rules

DMZ (2 static routes)

1. Static x.x.x.x NAT'ed to ISP2 one of the useable ip

2. Static x.x.x.x NAT'ed to ISP2 second of the useable ip

Inside (1 Exempt rules, 1 static rules, 2 dynamic rules)

1. Exempt any vlan(of the virtual gateway)/24

2. Static InsideNetwork /16 (all local ip's i.e 192.168.130.x 192.168.131.x, etc)

3. Dynamic policy any (going to a different WAN IP)

4. Dynamic any

Here's the situation. Currently we're all being redirected to our ISP2 and since ISP1 is not being fully utilized, I was thinking if I could switch the others in ISP1. So far what I did

1. Create an object for my IP

2. Added an "Access Rule" in "inside" interface and moved it to the top and destination address is "ISP1"

But I'm still getting the ISP2 WAN IP. So am I lacking something here?

Thanks in advance and good day!

Jeff

Hi Jeff,

josh000014 — Sun, 14 Feb 2016 04:14:06 GMT

Hi Jeff,

What version of ASA code are you running? You will basically need to create a dynamic NAT from the inside interface to the ISP1. Assuming you are running ASA 8.3+ code you will do the following:

object network inside

subnet 10.10.10.0

nat (inside,ISP1) dynamic interface

This takes the inside subnet and will NAT/PAT it to the ISP1 interface. You will need to either move this rule below your current dynamic rule or remove your dynamic rule from ISP2.

Also, what metrics do you have set for your default routes? I would look at that if the above snippet doesn't work.

Josh

Hi Josh,

TECH-JEFF — Mon, 15 Feb 2016 01:11:34 GMT

Hi Josh,

Our Cisco ASA is using version 8.2(4)

I need to set it to 255.255.255.255 subnet since as of the moment for testing purposes just my pc will switch over to ISP1

nat (inside) 1 Test-Jefferson 255.255.255.255

This is the Dynamic NAT rule I've created but once applied this NAT rule, my internet just shuts down.

Our metrics are:

0.0.0.0 0.0.0.0 ISP2 metric 1

0.0.0.0 0.0.0.0 ISP2 metric 5

I think this is the reason why I'm still redirected to ISP2

Thanks

Jeff

Hi Jeff,

josh000014 — Mon, 15 Feb 2016 01:19:18 GMT

Hi Jeff,

Try with this

global (ISP2) 2 interface

nat (inside) 2 Test-Jefferson 255.255.255.255

Also you may need to do a deny in the nat ACL for the nat (inside) 1 for the host Test-Jefferson.

Josh