topic Yes, of course. Sorry mate. I in Network Security

Multiple WAN on same interface in ASA

Rawit2015 — Tue, 12 Mar 2019 08:34:36 GMT

Since I have never worked with ASA having a multiple WAN on same interface, how this can be achieved? My ISP has given me /29 IP address, and I assigned xxx.xxx.xxx.xxx/29 to one physical interface, set gw, route for gw, nat, access lists, etc. My question is, how can I use other WAN addresses from same scope and make forward each one of them for each internal subnet. For example: xxx.xxx.xxx.xxx/29 to 192.168.1.0/24, xxx.xxx.xxx.xxy/29 to 172.16.1.0/23, xxx.xxx.xxx.xxz/29 to 10.0.0.0/24...

Can someone provide an example?

Also how can this be achieved if each WAN is assigned with physical interface on ASA (if it is possible)?

Hello,

Boris Uskov — Wed, 23 Nov 2016 08:13:11 GMT

Hello,

This can be achived by configuring NAT rules.

For example,

object network host_01
 host 192.168.1.100
 nat (inside_01, outside) static xxx.xxx.xxx.xxx
object network host_02
 host 172.16.1.100
 nat (inside_02, outside) static xxx.xxx.xxx.xxy
object network host_03
 host 10.0.0.100
 nat (inside_03, outside) static xxx.xxx.xxx.xxz

If you have dedicated physical interfaces for different WAN, the configuration is pretty similar:

object network host_01
 host 192.168.1.100
 nat (inside_01, outside_01) static xxx.xxx.xxx.xxx
object network host_02
 host 172.16.1.100
 nat (inside_02, outside_02) static yyy.yyy.yyy.yyy
object network host_03
 host 10.0.0.100
 nat (inside_03, outside_03) static zzz.zzz.zzz.zzz

Hi Boris,

Rawit2015 — Thu, 24 Nov 2016 09:53:05 GMT

Hi Boris,

I am having multiple results now. At the customers site I've got reply from ASA about overlapping and when I came into our office and try to test once again, it was successfully added... One thing I noticed, when I set command (please check the host IP): (instead of two different hosts, I tried to set 2 WANs on same IP address)

I noticed that only last NAT was added xxx.xxx.xxx.xyy, but not xxx.xxx.xxx.xxx.

Also I have assigned one public WAN into phisical interface, as it has to be dynamic NAT. Does this somehow affect why it didn't accept the last static NAT?

object network host_01
 host 192.168.1.100
 nat (inside_01, outside) static xxx.xxx.xxx.xxx

object network host_01
 host 192.168.1.100
 nat (inside_01, outside) static xxx.xxx.xxx.xyy

Hi,

Boris Uskov — Thu, 24 Nov 2016 09:58:27 GMT

Hi,

Very easy, just create two objects with different names (host_01 and host_02) but with the same host IP:

object network host_01
 host 192.168.1.100
 nat (inside_01, outside) static xxx.xxx.xxx.xxx

object network host_02
 host 192.168.1.100
 nat (inside_01, outside) static xxx.xxx.xxx.xyy

Yes, of course. Sorry mate. I

Rawit2015 — Thu, 24 Nov 2016 12:25:42 GMT

Yes, of course. Sorry mate. I've been running constantly 3 days for approx 10h per day, so I missed one small thing which is quite logical, and that is object name. When I set object, and set new IP it only overwrote the the current object. Naming it differently it is creating new separate entity.... Of course.

What about assigning 1 WAN on physical interface. Will this affect somehow NAT rule that you set or I need to remove IP address from interface and set each IP as object and manipulate traffic with them? Can I use "IP assigned" WAN interface and get traffic for other WANs as well? Will router/firewall accept the packets even though on WAN interface is xxx.xxx.xxx.xxx, but traffic is sent for xxx.xxx.xxx.xxy?

Since I have never before set multiple WAN on same interface, what is happening in the background? ISP sends traffic for subnet xxx.xxx.xxx.xxx/29, two addresses are for network and broadcast, one is ISP gateway, and you have 5 left to use. Usually if there is /30, it would be 1:1 communication (ISP GW to your router/firewall) which is quite clear to me, but what is happening with 5 WANs? As I can see from command that you've set, "virtually assigned" as network objects, and NAT-ed to specific network or machine static 1:1, correct? Does this mean that traffic from ISP is sent via GW to firewall for all 5 WANs, and in the header of the packet, there is IP which declares which WAN it is? When firewall/router gets the packet, it interprets and forwards per rule that you've set or?

I assume that port forwarding is the same thing, you use interface which is assigned with IP address or?

I'll try to answer the

Boris Uskov — Thu, 24 Nov 2016 15:02:15 GMT

I'll try to answer the questions 🙂

What about assigning 1 WAN on physical interface. Will this affect somehow NAT rule that you set or I need to remove IP address from interface and set each IP as object and manipulate traffic with them?

No, you don't have to remove IP-address from interface. Moreover, you have to configure IP-address on interface to make routing work.

Can I use "IP assigned" WAN interface and get traffic for other WANs as well? Will router/firewall accept the packets even though on WAN interface is xxx.xxx.xxx.xxx, but traffic is sent for xxx.xxx.xxx.xxy?

Sure you can. The magic is with ARP protocol. When you don't have any NAT rule configured, ASA answers only to ARP requests for IP address, assigned on the interface. When you configure NAT rule, ASA begins to answer to ARP requests for both IP addresses (assigned to interface and configured in NAT rute.

Since I have never before set multiple WAN on same interface, what is happening in the background? ISP sends traffic for subnet xxx.xxx.xxx.xxx/29, two addresses are for network and broadcast, one is ISP gateway, and you have 5 left to use. Usually if there is /30, it would be 1:1 communication (ISP GW to your router/firewall) which is quite clear to me, but what is happening with 5 WANs?

Again, magic is with ARP. ARP works fine in the background.

As I can see from command that you've set, "virtually assigned" as network objects, and NAT-ed to specific network or machine static 1:1, correct? Does this mean that traffic from ISP is sent via GW to firewall for all 5 WANs, and in the header of the packet, there is IP which declares which WAN it is? When firewall/router gets the packet, it interprets and forwards per rule that you've set or?

Absolutely correct. When ISP receives the packet from somewhere outside with destination address xxx.xxx.xxx.xyy (virtually assigned) Provider's equipment already knows the route to xxx.xxx.xxx.xyy as directy connected network (xxx.xxx.xxx.xxx/29). The only information it needs to send the packet is the MAC-address. So it makes an ARP request. ASA with NAT rule configured to virtually assigned address xxx.xxx.xxx.xyy answers the ARP request with its MAC-address. So ISP's router can now successfully send the packet with destination address xxx.xxx.xxx.xyy. When ASA receives this packet, it matches IP-addess xxx.xxx.xxx.xyy with configured NAT rute, performs the untranslation to 192.168.1.100 and send the packet further.

I assume that port forwarding is the same thing, you use interface which is assigned with IP address or?

Yes. correct. With port forwarding you can use IP address of WAN interface in your NAT rule (PAT rule to be precise).

Thank you mate for clarifying

Rawit2015 — Thu, 24 Nov 2016 20:35:29 GMT

Thank you mate for clarifying things. Tomorrow I will configure ASA. The only thing what is left is ASA is somehow blocking Meraki cloud communication with switches. I noticed that Meraki is set quite long list of IPs and 4 ports for outbound traffic. By outbound, I presume they need permit rule on access list from those IPs to internal network for specific port. The only thing I am not sure if port fwd is needed, because by some logic, interface is set to be static so no IP assignment to Meraki sw, which again means you cannot point traffic as you don't know "where"... I am quite disappointed with Cisco Meraki documentation as it doesn't explain what is happening in the background. Does switches contact cloud service or (traffic should be state full inspected), and/or is the cloud service also sending traffic from the cloud towards switches which means you need to set access control rules for outside interface -> "in"...

Ah yes, one more thing. Do you have any experience with direct link ASA - HP MSM720 controller? On controller there is port that is set as VLAN 10. On other side is interface of ASA. Previous versions of IOS/5505 would allow to create interface VLAN 10, now I see that they've changed the logic and you need to create sub-interface and then assign IP and VLAN. The confusion starts in this area. By mistake I configured physical interface with native VLAN (by definition it is considered as VLAN 1), on other side is MSM720 with VLAN10. How is possible that I could ping ASA and vice versa if controller has VLAN 10, and ASA native VLAN? Moreover when I configured sub-interface with VLAN 10, and tried to ping controller (opened Wireshark) I didn't get any traffic?

Command that I used is:

#conf t

#interface GigabitEthernet 1/5.10

#vlan 10

#ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

#no shut

(Also on main interface I set no shutdown)...

Hello, Unfortunately I don't

Boris Uskov — Fri, 25 Nov 2016 07:03:40 GMT

Hello, Unfortunately I don't have any experience with Meraki, so not able to comment.

HP MSM720 - also never used. But I'll try to share my thoughts...

What does it mean "on other side is MSM720 with VLAN10"? It seems, that MSM has an access port with vlan 10. No trunk port (no 802.1q tagging).

ASA with native vlan 1 also does not perform any 802.1q tagging. So from VLAN perspective it absolutely does not matter, what vlan number is configured on access ports from both sides. That is why MSM is pingable when you made your first configuration.

ASA does not support Cisco Discovery Protocol (CDP), so, there is no way to get "Native vlan mistmatch" error.

When you changed your configuration on ASA to vlan 10, ASA starts to tag L2 frames on that interface with tag vlan 10 (802.1q trunk). The frame goes to MSM, but it is configured to accept only untagged frames. In this situation you have to change the port configuration on MSM to accept tagged frames in vlan 10.

When you used to have ASA5505, I suspect you had something like this:

interface Ethernet0/0
 switchport access vlan 10
interface vlan 10
 ip address xxx.xxx.xxx.xxx 255.255.255.0

Is this case Ethernet 0/0 is configured also as Access port (unless switchport mode trunk is configured), and it also does not tag frames.

Hi Boris,

Rawit2015 — Fri, 25 Nov 2016 08:08:45 GMT

Hi Boris,

to explain bit further. ASA is configured as native VLAN but no possibility to set VLAN ID as it is physical port that is configured (at least not on 5508X that I use and IOS 9.6.2). When you configure subinterface then you have possibility to set VLAN ID. Yes the MSM720 has untagged port, but again, if there is VLAN 10 untagged on controllers side, and NATIVE vlan (which I presume is VLAN 1) also access or untagged port.

Quote:

"ASA with native vlan 1 also does not perform any 802.1q tagging. So from VLAN perspective it absolutely does not matter, what vlan number is configured on access ports from both sides. That is why MSM is pingable when you made your first configuration."

How come that ID doesn't matter? This is "separation" of the network on the L2...

Hello, the separation on the

Boris Uskov — Fri, 25 Nov 2016 08:16:49 GMT

Hello, the separation on the L2 can be achived by 802.1q tagging. So, what is the problem? You have vlan 1 on ASA which is untagged and vlan 10 on MSM, which is also untagged. Yes, we have vlan id mistmatch, but everything works fine, isn't is?

Or. maybe, you want to have one IP subnet on vlan 1 and the other IP subnet on vlan 10? In this case you can simply use another physical interface on ASA (without creating any subinterfaces) and connect it dirrecty to MSM.

yeah, you are right. 11 years

Rawit2015 — Fri, 25 Nov 2016 08:43:06 GMT

yeah, you are right. 11 years ago I was doing CCNA and I forgot some basic things as last 5 years I was a developer. In this case I was confusing things with something else...

Thank you once again mate.

Cheers 🙂

You are welcome! Good luck! :

Boris Uskov — Fri, 25 Nov 2016 09:09:47 GMT

You are welcome! Good luck! 🙂

Hi Boris,

Rawit2015 — Thu, 01 Dec 2016 08:28:04 GMT

Hi Boris,

I have set everything and it works (at least regarding port forwarding). The thing that I am missing is internet connection from inside to outside. Static NAT is set and I can get from outside (multiple WAN) to that server per specific ports, but I don't have ability to go from server to "cloud/internet"

Can you please help me with this also?

(Here is the config - I know there is a lot of things that needs to be cleaned afterwards as I was trying to set, and failed miserably 🙂 )

: Saved

:
: Serial Number: XXXXXXXXX
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
: Written by enable_15 at 22:59:07.919 GMT Wed Nov 30 2016
!
ASA Version 9.6(1)
!
hostname HC-ClientASA
enable password xxxxxxxxxxxxxxxxxx encrypted
names
ip local pool Test_DHCP_VPN 10.20.30.0-10.20.30.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.74 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
description WAN for ServerTV
nameif ServerTV
security-level 80
ip address 192.168.96.1 255.255.255.0
!
interface GigabitEthernet1/5
description GuestWiFi interface for Access poitns
nameif GuestWiFi
security-level 100
ip address 172.16.64.1 255.255.248.0
!
interface GigabitEthernet1/6
description Parking interface To Server
nameif ParkingInterface
security-level 100
ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Old WAN Interface
nameif WAN_OLD
security-level 0
ip address xxx.xxx.xxx.137 255.255.255.252
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OLD_GW
host xxx.xxx.xxx.138
description Old GW Interface
object network GuestWiFi_NAT_OLD
subnet 172.16.64.0 255.255.248.0
description GuestWiFi OLD WAN
object network NEW_GW
host xxx.xxx.xxx.73
description Telia New Gateway
object network TestGw
subnet 192.168.1.0 255.255.255.0
description Test NAT
object network VPN_POOL_10.20.30.0
subnet 10.20.30.0 255.255.255.128
description VPN Pool
object network GuestWiFiNAT
subnet 172.16.64.0 255.255.248.0
description NAT for guestWiFi
object network inside_NAT_OLD
subnet 192.168.1.0 255.255.255.0
description Inside OLD WAN
object network ParkingSystem
subnet 172.16.17.0 255.255.255.0
description Parking system NAT
object network ParkingSystem_NAT_OLD
subnet 172.16.17.0 255.255.255.0
description Parking S OLD WAN
object network ParkingSystemServers
subnet xxx.xxx.xxx.0 255.255.255.0
description Public WAN from Parking System
object network ParkingSystemSubnet
subnet 172.16.17.0 255.255.255.0
description Parking System Subnet
object network GuestWiFi
subnet 172.16.64.0 255.255.248.0
description GuestWiFi object
object network ParkingServer1
host 172.16.17.3
description ParkingServer1
object network ParkingServer2
host 172.16.17.4
description Parking server 2
object service TCP_Parking_771
service tcp source eq 771
description Port for Parking server1
object service TCP_Parking_771_U
service udp source eq 771
description Port for parking server UDP
object service TCP_Parking2_9100
service tcp source eq 9100
description Parking for server 2 TCP
object service TCP_Parking2_9100_U
service udp source eq 9100
description TCP_Parking2_9100_UDP
object network TestLabNAT
subnet 192.168.1.0 255.255.255.0
description TestLab NAT
object network GuestWiFiLAB
subnet 172.16.64.0 255.255.248.0
object network ParkingInterfaceLAB
subnet 172.16.17.0 255.255.255.0
description Test Lab interface
object network ServerInternet
subnet 192.168.96.0 255.255.255.0
description Server Internet In
object network ServerTVLab
subnet 192.168.96.0 255.255.255.0
description Test Lab
object network ServerTV_OLD
subnet 192.168.96.0 255.255.255.0
object network ServerServer
host 192.168.96.2
description ConnectionToServer
object network NETWORK_OBJ_10.20.30.0_25
subnet 10.20.30.0 255.255.255.128
object network Parking
subnet 172.16.17.0 255.255.255.0
object network ParkingNAT
subnet 172.16.17.0 255.255.255.0
object network ParkingSystems
host xxx.xxx.xxx.120
object network ParkingInterfaceOLD_WAN
subnet 172.16.17.0 255.255.255.0
object network Server1
subnet 192.168.96.0 255.255.255.0
object network Server2
host 192.168.96.2
object service iPerfServer
service tcp source eq 5001
object network ServerNet
subnet 192.168.96.0 255.255.255.0
object network WAN2
host xxx.xxx.xxx.75
object network ServerTV2
host 192.168.96.2
object network HostNatToOutside
subnet 192.168.96.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service ParkingObj tcp-udp
port-object eq 771
port-object eq 9100
object-group service ParkingPortsNAT tcp-udp
description OpenPortsForParking
port-object eq 771
port-object eq 9100
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq 4500
service-object tcp-udp destination eq 500
service-object tcp-udp destination eq 5001
service-object tcp-udp destination eq 8090
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq snmp
object-group network DM_INLINE_NETWORK_6
network-object object ParkingServer1
network-object object ParkingServer2
object-group service NOC_Auth tcp-udp
port-object eq 8090
object-group service VPN_IPSec tcp-udp
port-object eq 4500
port-object eq 500
object-group service iPerf tcp-udp
port-object eq 5001
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list Test_Guest remark GuestWiFi network
access-list Test_Guest standard permit 172.16.64.0 255.255.248.0
access-list Test_Guest remark ParkingNetwork
access-list Test_Guest standard permit 172.16.17.0 255.255.255.0
access-list Test_Guest standard permit 192.168.96.0 255.255.255.0
access-list Test_Guest standard permit 192.168.1.0 255.255.255.0
access-list GuestWiFi_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list GuestWiFi_access_in extended permit object-group TCPUDP any any eq domain
access-list GuestWiFi_access_in extended permit ip any any
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any object-group ParkingObj
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any eq domain
access-list ParkingInterface_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ServerServer
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq https
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq ssh
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq snmp
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 500
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq isakmp
access-list ServerTVAccessList extended permit icmp any any echo-reply
access-list ServerTV_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4
access-list ServerTV_access_in extended permit object-group TCPUDP any any eq domain
access-list ServerTV_access_in extended permit ip any any
access-list WAN_OLD_access_in extended permit object-group TCPUDP xxx.xxx.xxx.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group ParkingPortsNAT
access-list WAN_OLD_access_in extended permit ip object ParkingSystems object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any any inactive
access-list WAN_OLD_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerTV 1500
mtu GuestWiFi 1500
mtu ParkingInterface 1500
mtu WAN_OLD 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any GuestWiFi
icmp permit any ParkingInterface
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_POOL_10.20.30.0 VPN_POOL_10.20.30.0 no-proxy-arp route-lookup
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771_U
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100_U
!
object network GuestWiFi_NAT_OLD
nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
nat (inside,WAN_OLD) dynamic interface dns
object network ServerServer
nat (ServerTV,outside) static interface
object network ParkingInterfaceOLD_WAN
nat (ParkingInterface,WAN_OLD) dynamic interface dns
object network ServerTV2
nat (ServerTV,outside) static WAN2
access-group ServerTVAccessList in interface outside
access-group inside_access_in in interface inside
access-group ServerTV_access_in in interface ServerTV
access-group GuestWiFi_access_in in interface GuestWiFi
access-group ParkingInterface_access_in in interface ParkingInterface
access-group WAN_OLD_access_in in interface WAN_OLD
route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.64.0 255.255.248.0 GuestWiFi
http 10.20.30.0 255.255.255.0 GuestWiFi
http 172.16.17.0 255.255.255.0 ParkingInterface
http 192.168.96.0 255.255.255.0 ServerTV
http xxx.xxx.xxx.72 255.255.255.248 outside
http xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map WAN_OLD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_OLD_map interface WAN_OLD
crypto map TestLab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=HC-ClientASA
keypair HC_Client_Odense
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 50de3358
30820551 30820339 a0030201 02020450 de335830 0d06092a 864886f7 0d010105
0a517ac1 5d1eb7a3 1dca77f7 054b0615 7a85096b 87b3d32f b86e61b5 78fa6364
08d932b7 2e73d1a9 1acdef89 a5cf7dd2 a9dfa34c b5086cd2 6f954b83 680c5fcc
dee06f08 7030ff8d 729458e4 59780d58 ae72b300 4a0b2e7a ac608cb7 cd5ce92a
d09a07cb ea159809 1dc1b666 a1401ea3 bb7e9203 f905c696 aee9d2f6 93978e82
4b6ec24e ab695964 64fd929c d0cfc46b dea848e5 d3cf56cb 08a2991f 7ddee7ef
5ed8869f 0be2a5ed dba14771 0d23ae29 6ebf7640 381106ff 99c1d56a 7d5ec7ad
cd432009 2ef4248e aa9b42b8 a71ead22 14b38dcb e343c945 064796d3 1e337d75
baccf54c 209b67f8 0e4e8fa8 cf7ce3f1 99cddf3b 18eced0d 770448aa 1b37d65a
09574ee9 d5985c00 bdb804c3 9c0e069e 9eaa50e3 b4694174 e17251b4 fc0bc169
845b7639 ebc47f37 894b5a5f d5662fa9 40b9898c 86a44b6b 805cb0ba 8607499d
2c330359 c0b30ef1 046b01b2 bad5d514 efea8647 55db6819 4eaf2da2 59e219b8
e8ff9053 f4e630b8 34f631c7 c49062a5 a0239c9a ef
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable WAN_OLD client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh xxx.xxx.xxx.72 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 GuestWiFi
ssh 172.16.64.0 255.255.248.0 GuestWiFi
ssh 10.20.30.0 255.255.255.0 GuestWiFi
ssh xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access GuestWiFi

dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.96.3-192.168.96.254 ServerTV
dhcpd dns 8.8.8.8 8.8.4.4 interface ServerTV
!
dhcpd address 172.16.64.2-172.16.64.250 GuestWiFi
dhcpd dns 8.8.8.8 208.67.222.222 interface GuestWiFi
dhcpd enable GuestWiFi
!
dhcpd address 172.16.17.33-172.16.17.250 ParkingInterface
dhcpd dns 8.8.8.8 8.8.8.8 interface ParkingInterface
dhcpd enable ParkingInterface
!
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 ServerTV
ssl trust-point ASDM_TrustPoint0 GuestWiFi
ssl trust-point ASDM_TrustPoint0 ParkingInterface
ssl trust-point ASDM_TrustPoint0 WAN_OLD
webvpn
enable outside
enable WAN_OLD
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles Test_GuestWiFi_client_profile disk0:/Test_GuestWiFi_client_profile.xml
anyconnect profiles VPN_Test_client_profile disk0:/VPN_Test_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN_Test internal
group-policy GroupPolicy_VPN_Test attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_Guest
default-domain none
webvpn
anyconnect profiles value VPN_Test_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
address-pool Test_DHCP_VPN
default-group-policy GroupPolicy_VPN_Test
tunnel-group VPN_Test webvpn-attributes
group-alias VPN_Test enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:14a2b233fa9e205b5a530e7925ef77ac
: end

Hello, try to use packet

Boris Uskov — Thu, 01 Dec 2016 08:38:54 GMT

Hello, try to use packet-tracer utility to verify packet flow. It will show you the reason, why the traffic is droped.

For example, let's emulate http-request from 192.168.96.2 Server to google.com (IP address 74.125.232.238). To emulate this transaction issue:

packet-tracer input ServerTV tcp 192.168.96.2 56123 74.125.232.238 80

Hi Boris,

Rawit2015 — Thu, 01 Dec 2016 09:30:58 GMT

Hi Boris,

since nothing is currently connected to this server (there isn't device attached on that IP address on that port, is it possible to simulate that?).

I have set two different subnets (WAN). WAN1 for guestWiFi and default route metric 1 (dynamic NAT), WAN2 should be for TV server, and for that I have set default route of WAN2 with metric 2 (static NAT). Access lists for both networks are set to allow from inside to outside without any restrictions, so permit any any... There must be something with NAT that is blocking, as I can get access from outside to inside, but from inside to outside I cannot. Reading the configuration, I cannot find why...

Hello, if input and output

Boris Uskov — Thu, 01 Dec 2016 10:03:21 GMT

Hello, if input and output interfaces are in "UP" states, you can use packet-tracer.

As I see from the config, WAN1 is connected to WAN_OLD interface (metric 1) and WAN2 is connected to outside interface (metric 2).

route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2

Since WAN1 (WAN_OLD) interface has metric 1 as default route it will always be used for outgoing traffic (traffic, initiated from inside of ASA). So, I assume, that you miss a NAT rule for Server-subnet. For example,

object network Server-net
 subnet 192.168.96.0 255.255.255.0
 nat (ServerTV,WAN_OLD) dynamic interface

also, if you want to use ping for tesing, add icmp inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

Yes, you are absolutely

Rawit2015 — Thu, 01 Dec 2016 10:20:57 GMT

Yes, you are absolutely correct. It occurred me just few minutes ago that might be the route thing. (for that reason I opened new discussion on Cisco on this link mentioning two static routes with metrics... https://supportforums.cisco.com/discussion/13175596/static-nat-internet-connectivity-issue-asa). You are correct, it will never reach outside as it doesn't have route for that interface. But will this somehow sc*** current static NAT that is set and working?

Current static NAT will be ok

Boris Uskov — Thu, 01 Dec 2016 10:37:29 GMT

Current static NAT will be ok despite routing. That is the ASA's speciality. ASA is flow-oriented gear (comparing to routers). If the session in initiated from outside (through the outside interface), ASA records both input and output interfaces. So, when return packect reach the ASA, it will look at the session records and get the output interface from there. So the return packets will be sent through outside interface (not WAN_OLD interface), despite the routing table.

Hi Boris,

Rawit2015 — Thu, 01 Dec 2016 15:23:45 GMT

Hi Boris,

I must admit that I am bit confused here. If you initiate traffic from ServerTV through WAN_OLD it has translation of xxx.xxx.xxx.xxy and it is written in header of each packet. When it gets back, it is using same IP xxx.xxx.xxx.xxy as it is initiated from, correct? So how come it can forward reply to other WAN2 xxx.xxx.xxx.xxz?

Hello, you say everything

Boris Uskov — Fri, 02 Dec 2016 06:50:16 GMT

Hello, you say everything correct 🙂

If you initiate traffic from ServerTV, the ASA will check for its connection table and will not find any establited connections, since the session is being just initialized. So the ASA will check routing table and find the output interface WAN_OLD (due to route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1). The source IP in packets will always be translated to xxx.xxx.xxx.xxy. The return packets will always have destination IP of xxx.xxx.xxx.xxy and will come back through WAN_OLD.

BUT

If you initiate traffic from somewhere in Internet to ServerTV to the public IP address xxx.xxx.xxx.xxZ, the packets will have dest. IP xxx.xxx.xxx.xxZ and will come to ASA through OUTSIDE interface (not WAN_OLD interface). So the packets will have their dest IP translated to ServetTV private IP addresses and will reach the ServerTV. The ASA will make a record in the connection table about this session. Then ServerTV will send answering packets to ASA. The ASA will check its connection table and see that the session is already established through the pair of interfaces OUTSIDE -> ServerTV. So the return packets will have to use the same pait of interfaces ServerTV -> OUTSIDE. So, the return packets will leave OUTSIDE interface of the ASA, despite the default route is configured through WAN_OLD interface with a better metric.

Hope this helps.