
Cisco ASA 5505 with SEC Plus

tarmo
Level 1

Hello

We upgraded the 5505 to the SEC PLUS licence.

But I cannot get routing to the non-default ISP network to work.

We currently have:

inside network 192.168.1.1/24

ISP default network nr 1 170.170.1.1/24 (default Internet connection)

ISP network nr 2 170.150.150.1/24 (only used for some services). Different ISP.

I need to route to the ISP network nr 2 some static routes like 194.145.32.1/32 etc.

I tried, but it will not route as it should, it will use ISP network nr 1 all the time.

Also I got a portmap translation error.

Before we had a Netscreen 5GT; the same setup was working there.


7 Replies

Hi,

The 5505 with Security-Plus allows 3 fully working layer 3 interfaces (inside, outside, DMZ).

If you use two of them (outside, DMZ) as ISP connections it should work.

The ASA cannot have two default gateways, but can use two interfaces with static routes.

Do you have the NAT configured correctly as well as the routing?

Federico.

Hello Federico

I need static routes (I have added them manually) for ISP network nr 2. There are some hosts where customer must have access.

I think that NAT can be the issue; currently I only have NAT for the default ISP network:

route outside 0.0.0.0 0.0.0.0 GW-IP-OF-ISP-NR-1 1

route outside-2 10.10.10.1 255.255.255.255 GW-IP-OF-ISP-NR2 1

nat-control
global (outside) 1 interface
global (outside-2) 10 interface
nat (inside) 1 0.0.0.0 0.0.0.0

This is the first time I try this setup. I have the same configuration elsewhere, where the DMZ is only for wireless users, but I have not used static routes with another interface which is not the default.

One problem is this:

global (outside) 1 interface
global (outside-2) 10 interface
nat (inside) 1 0.0.0.0 0.0.0.0

You have defined correctly a matching nat/global for outside.

But there's no matching nat for the global for outside-2.

Do this:

no global (outside-2) 10 interface

global (outside-2) 1 interface

Federico.

Hello Federico

Everything is working fine with NAT in the main office.

One last question. If I need to route one VPN network (192.168.33.1/24) to outside-2, then I must NAT this too?

The VPN tunnel between 192.168.1.0/24 (behind the Cisco ASA 5505) and 192.168.33.0/24 (Netscreen) is working.

That Netscreen network needs access to the outside-2 routed network. I tried some things with NAT, but it does not work.

Regards

Tarmo

Hi Tarmo,

You are required to NAT traffic when it needs to pass through the ASA if nat-control is enabled.

For VPN traffic you normally use a NAT exemption rule to avoid doing NAT.

Is this network a VPN network that has to pass to another interface?

Federico.

Same CISCO device

local LAN 192.168.1.0/24

outside-1 Internet

outside-2 other Public Network

Routing now from the local LAN to outside-2 is working fine, thanks to you.

I have another network with a Netscreen where the local network is 192.168.33.0/24. I set up the VPN tunnel between the Cisco and the Netscreen and it is working fine (policy-based setup on the Netscreen).

Inside the VPN tunnel everything is working (can ping, access shares). But I cannot get traffic which should go out using outside-2 to work (traffic coming from the network 192.168.33.0/24 over the VPN). I can see that the traffic is forwarded to the correct interface (outside-2), but as the NAT exemption rule is active it will not work.

I need to disable the NAT exemption rule for traffic which will go out interface outside-2 and is coming from the network 192.168.33.0/24. I tried, but no luck. I have not done this kind of rule before.

Tarmo

The NAT exemption rule should only include 192.168.33.0/24 when coming to the internal network.
To allow the remote traffic (192.168.33.0/24) to get out via outside-2, you should NAT that traffic:

nat (outside-2) 1 192.168.33.0 255.255.255.0
global (outside-2) 1 interface

Also the command to allow u-turn:
same-security-traffic permit intra-interface

Federico.
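As an added example (not from the thread, and not a Cisco tool), a small Python checker for the two problems this thread walks through: a global pool whose NAT ID has no matching nat statement (the accepted solution above), and VPN traffic that has to u-turn on outside-2 while intra-interface traffic is not permitted (the last reply). The nat/global lines are copied from the posts; the parsing, the heuristics and the constant names are mine and assume the pre-8.3 nat/global syntax shown in the thread.

```python
import re

# Constructed sample built from the nat/global lines quoted in this thread (pre-8.3 syntax).
BROKEN_CONFIG = """
nat-control
global (outside) 1 interface
global (outside-2) 10 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# After Federico's fix: both egress interfaces share NAT ID 1 with the inside nat statement.
FIXED_CONFIG = """
nat-control
global (outside) 1 interface
global (outside-2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The VPN case from the last reply: 192.168.33.0/24 enters and leaves on outside-2 (u-turn).
VPN_CONFIG = FIXED_CONFIG + "nat (outside-2) 1 192.168.33.0 255.255.255.0\n"

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
UTURN_CMD = "same-security-traffic permit intra-interface"


def parse_nat_policy(config):
    """Map NAT ID -> ingress interfaces (nat lines) and NAT ID -> egress interfaces (global lines)."""
    nat_ids, global_ids = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := NAT_RE.match(line)) and int(m.group(2)) != 0:  # ID 0 is NAT exemption, never pooled
            nat_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
    return nat_ids, global_ids


def unreachable_egress(config):
    """Egress interfaces whose global pool has no nat statement with the same ID: flows routed
    out of them have no translation, so with nat-control enabled the ASA drops them."""
    nat_ids, global_ids = parse_nat_policy(config)
    return sorted(i for nid, ifaces in global_ids.items() if nid not in nat_ids for i in ifaces)


def missing_uturn_permit(config):
    """True when a nat ingress interface is also an egress interface for the same ID (hairpin) but intra-interface traffic is not permitted."""
    nat_ids, global_ids = parse_nat_policy(config)
    hairpin = any(nat_ids[nid] & ifaces for nid, ifaces in global_ids.items() if nid in nat_ids)
    return hairpin and UTURN_CMD not in config
```

Run against `BROKEN_CONFIG` the checker names `outside-2` as the interface without a translation, which is exactly what the accepted solution corrects; `VPN_CONFIG` is reported as needing the u-turn permit until the `same-security-traffic` line is added.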
