topic Re: ASA 5505 in Network Security

ASA 5505

Amardeep Kumar — Mon, 11 Mar 2019 18:17:59 GMT

I an using ASA 5505 in my network. I have two ISP . I want to configure Daul ISP. So that when Primary goes down, Backup ISP can handle down time.

But after whole Configration , when I put my primary ISP Down, Backup ISP external IP start pinging outside and i wont be able to run internet in internel netowork.

Can some one help.

Thanks

Amardeep Rana

Re: ASA 5505

rahgovin — Thu, 29 Jul 2010 11:45:28 GMT

Have you configured tracking for the ISP failover? If i understand your problem right, you have no internet access from internal once primary goes down right? What is the nat configuration u have?

Re: ASA 5505

Amardeep Kumar — Thu, 29 Jul 2010 11:57:17 GMT

HI Rahgovin,

You are right , I have no access on internet internally. here is waht I did

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address Backup Isp 2 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 Primary ISP Exteral IP 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 Backup Isp 2

Check also

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 2

Thanks

Amardeep Rana

Re: ASA 5505

rahgovin — Thu, 29 Jul 2010 12:11:16 GMT

So when u failover are u able to ping 4.2.2.2 from the firewall itself?

And do u have global commands for both primary and backup interfaces?

If both the answers are yes, try a packet tracer for an icmp packet from inside host to 4.2.2.2 and see where it fails when u are on your backup isp.

Re: ASA 5505

Jitendriya Athavale — Thu, 29 Jul 2010 12:14:44 GMT

can you please paste the entire config of the nat commands, looks like a nat issue

if its not an issue please post the entire config by making the public ip's

else plz paste the following

show run nat

show run global

show run static

configuration part of sla monitoring (you can pull out lines from your config)

you can refer to this doc for configuration in case you have doubt whether you have configured it properly

http://www.cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Re: ASA 5505

Amardeep Kumar — Thu, 29 Jul 2010 20:49:49 GMT

Here is details of commnds.

ciscoasa(config)# show run nat

nat (inside) 0 access-list 101

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

ciscoasa(config)# show run

ciscoasa(config)# show run globa

ciscoasa(config)# show run global

global (outside) 1 interface

ciscoasa(config)# sh run stati

ciscoasa(config)# sh run static

static (inside,outside) xxx.xxx.xxx.xxx.168.12.56 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.77 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.38 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.28 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.30 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.19 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx mailserver netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.62 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.65 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.59 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 92.168.12.100 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.41 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255

ciscoasa(config)#

thanks

Amardeep Rana

Re: ASA 5505

Amardeep Kumar — Fri, 30 Jul 2010 08:39:23 GMT

HI Rahgovin,

Thanks I am able to run internet , I have to make setting as my configratuion and I am up after that. Thank You for your hints this worked for me......

Thank You everyone.

Thanks

Amardeep Rana