topic ASA 5505 Backup ISP Configuration in Network Security

ASA 5505 Backup ISP Configuration

Dustin Barnett — Mon, 11 Mar 2019 20:45:11 GMT

Hi,

I'm having problems configuring an asa 8.2(1) with a backup isp. I followed the asdm instructions in this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP address from the backup interfaces works normally. I have also tried configuring the backup interface as a static address but got the same results.

When removing the primary wan link, all traffic stops. When I ping a external DNS, I get these errors in the log:

portmap translation creation failed for udp src inside: 192.168.13.23 dst backup:208.67.222.222_type 8, code0)

I though this type of error is related to a NAT problem, not sure where to look though.

Thanks,

Dustin

ASA 5505 Backup ISP Configuration

manish arora — Tue, 14 Jun 2011 22:34:44 GMT

Post your stanitized copy of sh run.

Manish

ASA 5505 Backup ISP Configuration

Dustin Barnett — Tue, 14 Jun 2011 22:46:25 GMT

Here is the config. There are no production systems on this network.

ASA Version 8.2(1)

hostname ciscoasa

enable password 8GfX8PPxaJVNsUkN encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.13.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 96.x.x.x 255.255.255.0

interface Vlan5

nameif dmz

security-level 50

ip address 192.168.15.1 255.255.255.0

interface Vlan15

nameif backup

security-level 1

ip address dhcp

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 15

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

access-list outside_access_in extended permit icmp any any

access-list backup_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu backup 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (backup) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group backup_access_in in interface backup

route outside 0.0.0.0 0.0.0.0 96.x.x.x 128 track 1

route backup 0.0.0.0 0.0.0.0 192.168.50.250 150

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.13.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123

type echo protocol ipIcmpEcho 96.238.212.1 interface outside

frequency 10

sla monitor schedule 123 life forever start-time now

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

track 1 rtr 123 reachability

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface backup

dhcpd auto_config outside

dhcpd address 192.168.13.5-192.168.13.254 inside

dhcpd dns 208.67.222.222 interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:03b4bb72b671103e050fb463f6194e0a

: end

ASA 5505 Backup ISP Configuration

manish arora — Wed, 15 Jun 2011 00:09:20 GMT

try this :-

asa(config)#global (backup) 1 interface

Also, There is a known not fixed bug with using this that affects UDP connection , so your firewall might need "clear local" command everytime the failover occurs to clear UDP connection that were established earlier for voice packets etc . Can't recall the Bug_ID but I faced it when I configured similar stuff for a client of mine.

Manish

ASA 5505 Backup ISP Configuration

Dustin Barnett — Wed, 15 Jun 2011 00:15:25 GMT

Thanks, adding "global (backup) 1 interface" fixed the issue!