ASA with two ISPs

nelson-rick — Tue, 12 Mar 2019 04:24:30 GMT

I have two ISPs but I don't want to setup a backup route I want to route all my internet traffic out the secondary outside interface but without losing the first outside interface because I have all of my static IP addresses on the first outside interface. Any ideas?

Hi Nelson,Could you please

Thomas Panicker — Tue, 01 Jul 2014 06:40:48 GMT

Hi Nelson,

Could you please provide the current configuration of the ASA (especially the routes configured in ASA).

Regards,

Thomas

sh run: Saved:ASA Version 8.4

nelson-rick — Wed, 02 Jul 2014 00:00:03 GMT

sh run
: Saved
:
ASA Version 8.4(1)
!
hostname fw254
domain-name testnj.org
enable password ?? encrypted
passwd ?? encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.17.0.254 255.255.255.0
!
interface Vlan2 (T1)
nameif outside
security-level 0
ip address ??.??.??.98 255.255.255.240

interface vlan3 (CABLE MODEM)
nameif outside1
security-level 0
ip address ??.??.??.52 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!

interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name testnj.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.17.0.0_16
subnet 172.17.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_16

subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_172.17.2.0_25
subnet 172.17.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network te-test
host 172.17.12.12
object network Barracuda
host 172.17.8.17
description Barracuda Spam Appliance
object network EXCH-2010
host 172.17.8.13
description Exchange 2010 Server
object network 192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network dex_Server
host 172.17.8.14
object service RDP
service tcp destination eq 3389
object-group service testRDP tcp
port-object eq 3389
port-object eq 5389

port-object eq 6389
port-object eq 8390
port-object eq 8989
port-object eq 8990
access-list outside_1_cryptomap extended permit ip 172.17.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list testVPNGroup_splitTunnelAcl standard permit 172.17.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Barracuda eq smtp
access-list outside_access_in extended permit tcp any object Barracuda eq pop3
access-list outside_access_in extended permit tcp any object Barracuda eq ssh
access-list outside_access_in extended permit tcp any object EXCH-2010 eq https
access-list outside_access_in extended permit tcp any object EXCH-2010 eq www
access-list outside_access_in extended permit object RDP any object dex_Server
access-list outside_access_in remark test RDP ports, close 3389 soon. GTR 5/14/2011
access-list outside_access_in extended permit tcp any object te-test object-group testRDP
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit ip host ??.??.??.180 host ??.??.??.99 inactive
access-list testVPN_SplitTunACL remark test Internal Network River
access-list testVPN_SplitTunACL standard permit 172.17.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool2 172.17.2.10-172.17.2.100 mask 255.255.255.0

no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_172.17.2.0_25 NETWORK_OBJ_172.17.2.0_25
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24
!
object network obj_any
nat (inside,outside) dynamic interface
object network te-test
nat (any,any) static ??.??.??.99
object network Barracuda
nat (any,any) static ??.??.??.101
object network EXCH-2010
nat (any,any) static ??.??.??.100
object network Munidex_Server
nat (any,any) static ??.??.??.102
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ??.??.??.97 1
route outside1 0.0.0.0 0.0.0.0 ??.??.??.51 2
route inside 172.17.0.0 255.255.0.0 172.17.0.1 1
route inside 192.168.3.0 255.255.255.0 172.17.0.1 1
route inside 192.168.4.0 255.255.255.0 172.17.0.1 1

route inside 192.168.5.0 255.255.255.0 172.17.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ??.210
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer ??.114

crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=fw254
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a487384d
    308201c3 3082012c a0030201 020204a4 87384d30 0d06092a 864886f7 0d010105
    05003026 310e300c 06035504 03130566 77323534 31143012 06092a86 4886f70d
    01090216 05667732 3534301e 170d3131 30313231 32313435 31375a17 0d323130
    31313832 31343531 375a3026 310e300c 06035504 03130566 77323534 31143012
    06092a86 4886f70d 01090216 05667732 35343081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100a5 f386e796 0cee5ca0 d90533b8 2916ef91
    222f0cc1 53d428ba f8c316e1 21d0c760 c2bc56e7 9ff3f56f dac6edf8 880f3842
    3ad84e2c 125e9e3c aef92304 f1ed4f55 9a832c78 73e60924 7af3c30d 2e73b0d4
    eba2b0b2 9c0d6438 0797dd48 1f62b04b 748ca2fe 7fde4d72 2b5ea87e ab223558
    1c4f1e9c e33ba9fd 3e5c68b5 719e6f02 03010001 300d0609 2a864886 f70d0101
    05050003 81810090 9353520d 8725797d 4fafc8dd d5f2702b 019158d6 038a23d9
    a675f0de b9c5e139 36946502 1aea3430 5c76773b 2a4e9b06 6bdb8850 e494dd79
    9b22f25e 6844557d 2b518c9f 4e42f428 90fc2d5b 9b5b0b93 fde76aad dc5cc146
    8a986e1f 115ed3ac 8e077cde 55b445f9 6b6232ab 5b28626d 8d9bd890 3e79d483
    15e28d11 d7b9e2

quit
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 30
ssh version 2
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.17.0.150-172.17.0.175 inside
dhcpd dns 4.2.2.2 4.2.2.1 interface inside
dhcpd domain BoE-test.local interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 17.254.0.27 source outside prefer
webvpn

group-policy testVPNGroupPolicy internal
group-policy testVPNGroupPolicy attributes
dns-server value 172.17.8.10 172.17.8.11
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testVPN_SplitTunACL
group-policy testVPNGroup internal
group-policy testVPNGroup attributes
wins-server value 4.2.2.1
dns-server value 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testVPNGroup_splitTunnelAcl
default-domain value test.com
username edgefd password f8.apWxtIP/hKDsD encrypted
username edgefd attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username edgevpnuser3 password ?? encrypted privilege 0
username edgevpnuser3 attributes
service-type remote-access
username edgevpnuser2 password ?? encrypted privilege 0
username edgevpnuser2 attributes
vpn-group-policy testVPNGroupPolicy

service-type remote-access
username vpnuser1 password ?? encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username MikeS password ?? encrypted
username MikeS attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username mikeb password ?? encrypted
username mikeb attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username gregf password ?? encrypted
username gregf attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username support password ?? encrypted
username support attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username testSupport password ??V encrypted privilege 0
username testSupport attributes
vpn-group-policy testVPNGroup

username 3c password ?? encrypted privilege 15
username VOIPAdmin password ?? encrypted
username VOIPAdmin attributes
vpn-group-policy testVPNGroup
service-type remote-access
username tomq password 8w.fOfnulq35.YH6 encrypted
username tomq attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
username thomasj password ?? encrypted
username thomasj attributes
vpn-group-policy testVPNGroupPolicy
service-type remote-access
tunnel-group 67.154.126.210 type ipsec-l2l
tunnel-group 67.154.126.210 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testVPNGroup type remote-access
tunnel-group testVPNGroup general-attributes
address-pool ippool2
default-group-policy testVPNGroup
tunnel-group testVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ??.??.??.114 type ipsec-l2l
tunnel-group ??.??.??.114 ipsec-attributes

ikev1 pre-shared-key *****
tunnel-group testTunnelGroup type remote-access
tunnel-group testTunnelGroup general-attributes
address-pool ippool2
authorization-server-group LOCAL
default-group-policy testVPNGroupPolicy
tunnel-group testTunnelGroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map global
class-map inspection-default
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp

inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:db60cb0da92371c17771b2fb8f576f18
: end

fw254#

This solution is not

Marius Gunnerud — Tue, 09 Sep 2014 09:32:42 GMT

This solution is not recommended but it is a way to get to the solution you want. Keep in mind that by doing the following you will be creating a security risk.

You can configure TCP bypass on the ASA. This will allow the ASA to perform asynchronous routing so that you can receive traffic on interface "outside" and then route the return traffic through "outside1". TCP bypass tells the ASA to ignor the connection state of packets allowing asynchronous routing. Please refer to the following link for more information and how to configure TCP bypass:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Please remember to select a correct answer and rate helpful posts

topic This solution is not in Network Security

ASA with two ISPs

Hi Nelson,Could you please

sh run: Saved:ASA Version 8.4

This solution is not