Dual ISP/link on ASA 5506-x

Jangchup — Sat, 22 Feb 2020 06:28:47 GMT

Hi, I am trying to configure Dual ISP feature in ASA 5506-x, like the one which is available is ASA 5505 with two different outside interfaces. e.g. outside1 and outside2

However, on ASA 5506-x every time when I configure NAT statement for the outside2 interface it overrides the previous NAT statement for the outside1. It seems on ASA 5506-x I can have only one auto NAT statement where as in ASA 5505 this was not an issue at all.

Can someone help me to figure out to achieve this on ASA 5506-x.

Thank you,

Jangchup

Re: Dual ISP/link on ASA 5506-x

Jangchup — Wed, 02 Jan 2019 15:19:17 GMT

I figured out myself! I overlooked the manual NAT configuration. I configured manual NAT for the outside2 interface and it works.

I will post my topology and configuration shortly.

Re: Dual ISP/link on ASA 5506-x

Lukaszoo — Thu, 03 Jan 2019 15:48:40 GMT

please fw/ post (securely) Im very curious. I also wonder how this may be possible in a dual ASA fail over senerio w/ 2 different ISP egress'.... anyone?

Re: Dual ISP/link on ASA 5506-x

Dmitry Golovenkin — Fri, 04 Jan 2019 09:10:56 GMT

I've got a similar setup, with 2 ISPs over PPPoE but because PPPoE is done to the same ISP, one always overwrites the other so the second router was setup as a double-NAT router instead of the modem-only mode with PPP pass-through. I then configured policy based routing to allow for certain traffic to flow over the second connection.

Re: Dual ISP/link on ASA 5506-x

Jangchup — Sat, 05 Jan 2019 23:53:00 GMT

Here I have posted the topology and configuration.

Active Firewall Configuration:

ASA/act/pri# sh running-config
ASA Version 9.6(2)
!
hostname ASA
domain-name mydomain.com
enable password PVSASRJovmamnVkD encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/1
description Link to ATT
nameif outside1
security-level 0
ip address 192.168.1.2 255.255.255.248 standby 192.168.1.3
!
interface GigabitEthernet0/2
description Link to Nitel
nameif outside2
security-level 0
ip address 172.16.1.2 255.255.255.248 standby 172.16.1.3
!
interface GigabitEthernet0/3
description STATE Failover Interface
!
interface GigabitEthernet0/4
description LAN Failover Interface
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
object network LAN
subnet 10.10.10.0 255.255.255.0
pager lines 23
mtu inside 1500
mtu outside1 1500
mtu outside2 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/4
failover link SFF GigabitEthernet0/3
failover interface ip FAILOVER 10.20.200.1 255.255.255.0 standby 10.20.200.2
failover interface ip SFF 10.20.100.1 255.255.255.0 standby 10.20.100.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside2) source dynamic LAN interface
!
object network LAN
nat (inside,outside1) dynamic interface
route outside1 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.1.1 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.248 outside1
http 172.16.1.0 255.255.255.248 outside2
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import

crypto ikev1 enable outside1
crypto ikev1 enable outside2
!
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 20.20.30.0 255.255.255.252 outside1
ssh 20.20.20.0 255.255.255.252 outside2
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin privilege 15
username cisco password foQlyHSFHLC0HPmR encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context state priority

ASA/act/pri#

topic Re: Dual ISP/link on ASA 5506-x in Network Security

Dual ISP/link on ASA 5506-x

Re: Dual ISP/link on ASA 5506-x

Re: Dual ISP/link on ASA 5506-x

Re: Dual ISP/link on ASA 5506-x

Re: Dual ISP/link on ASA 5506-x