08-05-2020 09:24 AM
Howdy all,
Just wondering if someone can assist;
We have an ASA 5506-X that is working fine with our existing ISP.
We just had Fibre installed and I am setting it up as redundant.
I've created the interface, static route and NAT settings; however, I can't get the Fibre to go live for our systems.
I am pretty sure that it is the NAT settings that are not working.
Here is what I've got;
I am NATing the Fibre (Telus) to the existing Inside/Outside. I haven't set up SLA as yet, as I just want to see it work (the Telus connection); adding the ICMP echo is easy enough, I just want to get it working first.
Can anyone shed a little light on what is missing?
Thank you to any takers!
Sozo
Solved! Go to Solution.
08-06-2020 12:28 PM
Hello,
for the NAT failover to work, add the lines marked with --> (bold in the original post). Still missing is the VPN tunnel failover; I need to research this a bit...
ASA Version 9.14(1)
!
terminal width 350
hostname DSGASA
domain-name dsgauto.local
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool VPNPool 10.27.102.1-10.27.102.255 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 184.67.21.90 255.255.255.252
!
interface GigabitEthernet1/2
nameif Inside
security-level 100
ip address 10.27.100.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.27.50.1 255.255.255.240
!
interface GigabitEthernet1/4
nameif Telus
security-level 0
ip address 64.114.75.145 255.255.255.248
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-1-lfbff-k8.SPA
boot system disk0:/
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.27.100.4 Inside
name-server 64.59.144.16 Outside
domain-name dsgauto.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DSG-Inside
subnet 10.27.100.0 255.255.255.0
--> object network DSG-Inside_Backup
--> subnet 10.27.100.0 255.255.255.0
object network VPNPool
subnet 10.27.102.0 255.255.255.0
object network Inside-DMZ
subnet 10.27.50.0 255.255.255.240
object network DMZ-Outside
subnet 10.27.50.0 255.255.255.0
--> object network DMZ-Outside_Backup
--> subnet 10.27.50.0 255.255.255.0
object network NVR
host 10.27.50.2
object service NVR-TCP
service tcp destination eq 37777
object service NVR-RTSP
service tcp destination eq rtsp
object service NVR-TCP-SOURCE
service tcp source eq 37777
object service NVR-RTSP-SOURCE
service tcp source eq rtsp
object network Telus-Inside
host 10.27.100.0
access-list SplitTunnelACL standard permit 10.27.100.0 255.255.255.0
access-list SplitTunnelACL standard permit 10.27.50.0 255.255.255.240
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list VPN extended permit ip any object VPNPool
access-list VPN extended permit ip object VPNPool any
access-list Outside_access_in extended permit object NVR-RTSP any object NVR log
access-list Outside_access_in extended permit object NVR-TCP any object NVR log
pager lines 24
logging enable
logging timestamp
no logging hide username
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Telus 1500
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7141-48.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,Outside) source static DSG-Inside DSG-Inside destination static VPNPool VPNPool
nat (DMZ,Outside) source static Inside-DMZ Inside-DMZ destination static VPNPool VPNPool
nat (DMZ,Outside) source static NVR interface service NVR-RTSP-SOURCE NVR-RTSP-SOURCE
nat (DMZ,Outside) source static NVR interface service NVR-TCP-SOURCE NVR-TCP-SOURCE
nat (Outside,Outside) source dynamic VPNPool interface
!
object network DSG-Inside
nat (Inside,Outside) dynamic interface
--> object network DSG-Inside_Backup
--> nat (Inside,Telus) dynamic interface
object network Inside-DMZ
nat (Inside,DMZ) dynamic interface
object network DMZ-Outside
nat (DMZ,Outside) dynamic interface
--> object network DMZ-Outside_Backup
--> nat (DMZ,Telus) dynamic interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 184.67.21.89 1 track 1
route Telus 0.0.0.0 0.0.0.0 64.114.75.144 50
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map VPN_Access
map-name memberOf Group-Policy
map-value memberOf "CN=VPN_Admin,OU=DSG Groups,DC=dsgauto,DC=local" VPN_Admin
map-value memberOf "CN=VPN_User,OU=DSG Groups,DC=dsgauto,DC=local" VPN_User
aaa-server DSG_LDAP protocol ldap
aaa-server DSG_LDAP (Inside) host 10.27.100.4
ldap-base-dn DC=dsgauto,DC=local
ldap-group-base-dn OU=DSG Users,DC=dsgauto,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn CN=DSG_SA,CN=Users,DC=dsgauto,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
http server enable
http server idle-timeout 10
http 10.27.100.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint dsgasa
enrollment terminal
subject-name CN=DSGASA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint vpn_dsgauto_ca
enrollment terminal
crl configure
crypto ca trustpoint vpn.dsgauto.ca
enrollment terminal
no accept-subordinates
no id-cert-issuer
crl configure
no protocol http
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_VPN_SSL
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpool policy
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 10.27.100.0 255.255.255.0 Inside
console timeout 0
management-access Inside
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
vpnclient mode client-mode
dhcpd dns 10.27.100.4 64.59.144.90
dhcpd wins 10.27.100.4
dhcpd ping_timeout 200
dhcpd domain dsgauto.local
dhcpd option 3 ip 10.27.100.1
!
dhcpd address 10.27.100.100-10.27.100.254 Inside
dhcpd dns 10.27.100.4 64.59.144.16 interface Inside
dhcpd wins 10.27.100.4 interface Inside
dhcpd lease 86400 interface Inside
dhcpd domain dsgauto.local interface Inside
dhcpd update dns override interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
enable Inside
enable DMZ
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.00086-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.9.00086-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect profiles DSGAutoVPN disk0:/dsgautovpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 0
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client
default-domain value dsgauto.local
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
dns-server value 10.27.100.4
group-policy VPN_Admin internal
group-policy VPN_Admin attributes
dns-server value 10.27.100.4 64.59.144.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value dsgauto.local
group-policy VPN_User internal
group-policy VPN_User attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value dsgauto.local
dynamic-access-policy-record DfltAccessPolicy
username brent password ***** pbkdf2 privilege 15
username dileep password ***** pbkdf2 privilege 15
username dileep attributes
service-type admin
tunnel-group VPN_Admin type remote-access
tunnel-group VPN_Admin general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_Admin
tunnel-group VPN_Admin webvpn-attributes
group-alias VPN_Admin enable
group-url https://vpn.dsgauto.ca/vpn_admin enable
tunnel-group VPN_User type remote-access
tunnel-group VPN_User general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_User
tunnel-group VPN_User webvpn-attributes
group-alias VPN_User enable
group-url https://vpn.dsgauto.ca/vpn_user enable
!
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match any
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect snmp
class firepower_class_map
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fa7436dd98f6127da68dc073da799dc
: end
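The pieces that make the Telus path actually carry traffic, pulled together as an added example; this is not the accepted answer's config and not the original poster's. Interface names, addresses, routes and object names are taken from the config above. Assumptions for illustration: the tighter SLA timers (the posted config keeps the defaults of one probe per 60 s with a 5 s timeout, so failover can take minutes), the /28 mask on the DMZ objects (the posted objects use a /24 against a /28 interface), the 1-minute floating-conn timeout, and the inside host 10.27.100.50 used in the packet-tracer check.

```cisco
! ---- 1. Probe the primary ISP and tie the primary route to the probe ----
! Three echoes every 10 s out of Outside; a probe that gets no reply
! within 1000 ms (or exceeds the 500 ms threshold) marks track 1 down.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
 num-packets 3
 frequency 10
 timeout 1000
 threshold 500
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! The Outside default route is withdrawn while track 1 is down; the
! Telus route (AD 50) is then the only default route in the table.
route Outside 0.0.0.0 0.0.0.0 184.67.21.89 1 track 1
route Telus 0.0.0.0 0.0.0.0 64.114.75.144 50

! ---- 2. One NAT rule per egress interface ----
! Object NAT is keyed on the (real,mapped) interface pair, so the
! (Inside,Outside) rule never matches a packet routed out Telus. A
! network object may carry only one nat statement, hence a second
! object with the same subnet for the Telus path.
object network DSG-Inside
 subnet 10.27.100.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
object network DSG-Inside_Backup
 subnet 10.27.100.0 255.255.255.0
 nat (Inside,Telus) dynamic interface
object network DMZ-Outside
 subnet 10.27.50.0 255.255.255.240
 nat (DMZ,Outside) dynamic interface
object network DMZ-Outside_Backup
 subnet 10.27.50.0 255.255.255.240
 nat (DMZ,Telus) dynamic interface

! ---- 3. Let flows move back to the primary after failback ----
! The posted config has "timeout floating-conn 0:00:00": a connection
! opened while Telus was active keeps using Telus until it ends, even
! after the Outside route is reinstalled. A non-zero value tears such
! flows down so they re-open on the better route.
timeout floating-conn 0:01:00

! ---- 4. Verify, from an Inside SSH session or the console ----
! Probe state; look for the latest operation return code.
show sla monitor operational-state 1
! Reachability is Up while the primary is healthy, Down after an outage.
show track 1
! Exactly one default route is installed at any moment.
show route | include 0.0.0.0
! A rule with Telus as the mapped interface must be listed.
show nat detail
! Same inside host traced once per state: the output interface and the
! NAT phase switch from Outside to Telus once track 1 is Down.
packet-tracer input Inside tcp 10.27.100.50 40000 8.8.8.8 443
! Simulate the outage without touching cables.
configure terminal
 interface GigabitEthernet1/1
  shutdown
```

Two things this does not give you: the inbound NVR port forwards exist only on Outside (the access-group is bound to Outside, and public DNS for the NVR still points at the Outside address), and the ASA's own lookups to the name-server pinned to Outside (64.59.144.16) fail during the outage while the Inside name-server keeps working.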
08-06-2020 12:51 PM
Hello,
I added the lines (I think) you need for the Anyconnect VPN failover:
ASA Version 9.14(1)
!
terminal width 350
hostname DSGASA
domain-name dsgauto.local
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool VPNPool 10.27.102.1-10.27.102.255 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 184.67.21.90 255.255.255.252
!
interface GigabitEthernet1/2
nameif Inside
security-level 100
ip address 10.27.100.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.27.50.1 255.255.255.240
!
interface GigabitEthernet1/4
nameif Telus
security-level 0
ip address 64.114.75.145 255.255.255.248
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-1-lfbff-k8.SPA
boot system disk0:/
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.27.100.4 Inside
name-server 64.59.144.16 Outside
domain-name dsgauto.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DSG-Inside
subnet 10.27.100.0 255.255.255.0
--> object network DSG-Inside_Backup
--> subnet 10.27.100.0 255.255.255.0
object network VPNPool
subnet 10.27.102.0 255.255.255.0
object network Inside-DMZ
subnet 10.27.50.0 255.255.255.240
object network DMZ-Outside
subnet 10.27.50.0 255.255.255.0
--> object network DMZ-Outside_Backup
--> subnet 10.27.50.0 255.255.255.0
object network NVR
host 10.27.50.2
object service NVR-TCP
service tcp destination eq 37777
object service NVR-RTSP
service tcp destination eq rtsp
object service NVR-TCP-SOURCE
service tcp source eq 37777
object service NVR-RTSP-SOURCE
service tcp source eq rtsp
object network Telus-Inside
host 10.27.100.0
access-list SplitTunnelACL standard permit 10.27.100.0 255.255.255.0
access-list SplitTunnelACL standard permit 10.27.50.0 255.255.255.240
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list VPN extended permit ip any object VPNPool
access-list VPN extended permit ip object VPNPool any
access-list Outside_access_in extended permit object NVR-RTSP any object NVR log
access-list Outside_access_in extended permit object NVR-TCP any object NVR log
pager lines 24
logging enable
logging timestamp
no logging hide username
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Telus 1500
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7141-48.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,Outside) source static DSG-Inside DSG-Inside destination static VPNPool VPNPool
nat (DMZ,Outside) source static Inside-DMZ Inside-DMZ destination static VPNPool VPNPool
nat (DMZ,Outside) source static NVR interface service NVR-RTSP-SOURCE NVR-RTSP-SOURCE
nat (DMZ,Outside) source static NVR interface service NVR-TCP-SOURCE NVR-TCP-SOURCE
nat (Outside,Outside) source dynamic VPNPool interface
--> nat (Inside,Telus) source static DSG-Inside DSG-Inside destination static VPNPool VPNPool
--> nat (DMZ,Telus) source static Inside-DMZ Inside-DMZ destination static VPNPool VPNPool
--> nat (DMZ,Telus) source static NVR interface service NVR-RTSP-SOURCE NVR-RTSP-SOURCE
--> nat (DMZ,Telus) source static NVR interface service NVR-TCP-SOURCE NVR-TCP-SOURCE
--> nat (Telus,Telus) source dynamic VPNPool interface
!
object network DSG-Inside
nat (Inside,Outside) dynamic interface
--> object network DSG-Inside_Backup
--> nat (Inside,Telus) dynamic interface
object network Inside-DMZ
nat (Inside,DMZ) dynamic interface
object network DMZ-Outside
nat (DMZ,Outside) dynamic interface
--> object network DMZ-Outside_Backup
--> nat (DMZ,Telus) dynamic interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 184.67.21.89 1 track 1
route Telus 0.0.0.0 0.0.0.0 64.114.75.144 50
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map VPN_Access
map-name memberOf Group-Policy
map-value memberOf "CN=VPN_Admin,OU=DSG Groups,DC=dsgauto,DC=local" VPN_Admin
map-value memberOf "CN=VPN_User,OU=DSG Groups,DC=dsgauto,DC=local" VPN_User
aaa-server DSG_LDAP protocol ldap
aaa-server DSG_LDAP (Inside) host 10.27.100.4
ldap-base-dn DC=dsgauto,DC=local
ldap-group-base-dn OU=DSG Users,DC=dsgauto,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn CN=DSG_SA,CN=Users,DC=dsgauto,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
http server enable
http server idle-timeout 10
http 10.27.100.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint dsgasa
enrollment terminal
subject-name CN=DSGASA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint vpn_dsgauto_ca
enrollment terminal
crl configure
crypto ca trustpoint vpn.dsgauto.ca
enrollment terminal
no accept-subordinates
no id-cert-issuer
crl configure
no protocol http
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_VPN_SSL
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpool policy
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 10.27.100.0 255.255.255.0 Inside
console timeout 0
management-access Inside
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
vpnclient mode client-mode
dhcpd dns 10.27.100.4 64.59.144.90
dhcpd wins 10.27.100.4
dhcpd ping_timeout 200
dhcpd domain dsgauto.local
dhcpd option 3 ip 10.27.100.1
!
dhcpd address 10.27.100.100-10.27.100.254 Inside
dhcpd dns 10.27.100.4 64.59.144.16 interface Inside
dhcpd wins 10.27.100.4 interface Inside
dhcpd lease 86400 interface Inside
dhcpd domain dsgauto.local interface Inside
dhcpd update dns override interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
--> enable Telus
enable Inside
enable DMZ
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.00086-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.9.00086-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect profiles DSGAutoVPN disk0:/dsgautovpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 0
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client
default-domain value dsgauto.local
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
dns-server value 10.27.100.4
group-policy VPN_Admin internal
group-policy VPN_Admin attributes
dns-server value 10.27.100.4 64.59.144.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value dsgauto.local
group-policy VPN_User internal
group-policy VPN_User attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value dsgauto.local
dynamic-access-policy-record DfltAccessPolicy
username brent password ***** pbkdf2 privilege 15
username dileep password ***** pbkdf2 privilege 15
username dileep attributes
service-type admin
tunnel-group VPN_Admin type remote-access
tunnel-group VPN_Admin general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_Admin
tunnel-group VPN_Admin webvpn-attributes
group-alias VPN_Admin enable
group-url https://vpn.dsgauto.ca/vpn_admin enable
tunnel-group VPN_User type remote-access
tunnel-group VPN_User general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_User
tunnel-group VPN_User webvpn-attributes
group-alias VPN_User enable
group-url https://vpn.dsgauto.ca/vpn_user enable
!
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match any
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect snmp
class firepower_class_map
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fa7436dd98f6127da68dc073da799dc
: end
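Two pieces the reply above still leaves open for the Telus address, with the checks that show whether the backup listener is really reachable. This is an added example, not part of the reply or the poster's config. Assumptions: the AnyConnect identity certificate lives in the trustpoint named vpn.dsgauto.ca (the posted config does not show the ssl trust-point bindings), the Outside ACL is reused unchanged on Telus, and 203.0.113.10 is a made-up Internet client for the packet-tracer run.

```cisco
! ---- Inbound policy on the backup ISP ----
! The reply adds (DMZ,Telus) static NATs for the NVR, but no access-group
! is bound to Telus, so connections initiated from that security-level-0
! interface toward the DMZ are still dropped by the default policy.
! Binding the existing ACL keeps the two ISP paths identical.
access-group Outside_access_in in interface Telus

! ---- Present the same server certificate on both VPN listeners ----
! ASSUMPTION: the identity certificate is in trustpoint vpn.dsgauto.ca.
ssl trust-point vpn.dsgauto.ca Outside
ssl trust-point vpn.dsgauto.ca Telus

! ---- Hairpin for tunnel-all users arriving on Telus ----
! Covered by the reply's "nat (Telus,Telus) source dynamic VPNPool
! interface" together with "same-security-traffic permit intra-interface";
! nothing further is needed here.

! ---- Verify ----
! After "enable Telus" under webvpn, both ISP addresses must show a
! TCP 443 listener.
show asp table socket | include 443
! The VPN pool and the inside subnets must each have a rule toward Telus.
show nat detail | include Telus
! An inbound NVR connection on the backup path: the trace must untranslate
! 64.114.75.145:37777 to 10.27.50.2 and pass the Telus ACL.
packet-tracer input Telus tcp 203.0.113.10 50000 64.114.75.145 37777
! A session built over the backup path appears here once a client connects.
show vpn-sessiondb detail anyconnect
```

On the client side nothing in the ASA config helps by itself: the group-urls point at vpn.dsgauto.ca, which public DNS keeps resolving to 184.67.21.90 during an Outside outage. Clients need either a second host in the AnyConnect client profile (the BackupServerList element in the profile XML, which the page does not show) or a DNS change, and a user who types the Telus address directly gets a certificate name mismatch because the certificate is issued for vpn.dsgauto.ca.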
08-05-2020 09:43 AM
https://community.cisco.com/t5/security-documents/dual-isp-implementation-on-asa/ta-p/3144475
M.
08-05-2020 09:51 AM
Hi Marce1000
Thank you for the reply,
I do have that info;
"There is a concept of ISP failback in which all traffic goes out using ISP1 and if it fails, ASA/PIX starts routing traffic via ISP2. You can configure the same using the following link:"
It just wasn't working, though I had not set up tracking, thinking the ASA would route automatically if the primary was unplugged.
I must wait until after EOD to test again, I will update.
Thank you!
08-05-2020 07:40 PM
Well, adding the tracker did not cause the new ISP to step in and give us a pipe.
I think it is the NAT settings, does anyone have any idea what I may be missing?
Thank you for any help!
Brent
08-06-2020 01:54 AM
Hello,
looking at the screenshots, it appears that you have two default routes. In order to get NAT and the outside routing going, all you need is the two lines below:
Do you have access to the command line ? It is easier to see what you got; make sure the two lines below are in there, and delete all other routes and NAT statements...
nat (any,Telus) after-auto source dynamic any interface
route Telus 0.0.0.0 0.0.0.0 64.114.75.144
08-06-2020 08:56 AM - edited 08-06-2020 09:02 AM
Hi Georg!
Thank you for getting back to me!
I have removed the NAT settings that I created for the secondary (new) ISP, only the existing rules remain for the existing ISP.
I am PMing you with the config, etc.
Thank you for the assist!!
Brent
08-06-2020 09:03 AM
Would you post the output of show running-config rather than of show config?
08-06-2020 09:31 AM - edited 08-06-2020 10:46 AM
Hi Richard,
Thank you again for your response!
Here is my config, I have removed my NAT settings, leaving only the existing ones for the current ISP.
Thank you very much!!
I have used SonicWall before; it is a far simpler interface than the ASA! :)
Thanks again. I have to get this Dual ISP up and running; I've already passed my given deadline :(
anyconnect profiles DSGAutoVPN disk0:/dsgautovpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 0
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client
default-domain value dsgauto.local
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
dns-server value 10.27.100.4
group-policy VPN_Admin internal
group-policy VPN_Admin attributes
dns-server value 10.27.100.4 64.59.144.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value dsgauto.local
group-policy VPN_User internal
group-policy VPN_User attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value dsgauto.local
dynamic-access-policy-record DfltAccessPolicy
username brent password ***** pbkdf2 privilege 15
username dileep password ***** pbkdf2 privilege 15
username dileep attributes
service-type admin
tunnel-group VPN_Admin type remote-access
tunnel-group VPN_Admin general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_Admin
tunnel-group VPN_Admin webvpn-attributes
group-alias VPN_Admin enable
group-url https://vpn.dsgauto.ca/vpn_admin enable
tunnel-group VPN_User type remote-access
tunnel-group VPN_User general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_User
tunnel-group VPN_User webvpn-attributes
group-alias VPN_User enable
group-url https://vpn.dsgauto.ca/vpn_user enable
!
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match any
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect snmp
class firepower_class_map
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fa7436dd98f6127da68dc073da799dc
: end
08-06-2020 12:51 PM
Hello,
I added the lines (I think) you need for the Anyconnect VPN failover:
ASA Version 9.14(1)
!
terminal width 350
hostname DSGASA
domain-name dsgauto.local
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool VPNPool 10.27.102.1-10.27.102.255 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 184.67.21.90 255.255.255.252
!
interface GigabitEthernet1/2
nameif Inside
security-level 100
ip address 10.27.100.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 10.27.50.1 255.255.255.240
!
interface GigabitEthernet1/4
nameif Telus
security-level 0
ip address 64.114.75.145 255.255.255.248
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 100
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-1-lfbff-k8.SPA
boot system disk0:/
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.27.100.4 Inside
name-server 64.59.144.16 Outside
domain-name dsgauto.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DSG-Inside
subnet 10.27.100.0 255.255.255.0
--> object network DSG-Inside_Backup
--> subnet 10.27.100.0 255.255.255.0
object network VPNPool
subnet 10.27.102.0 255.255.255.0
object network Inside-DMZ
subnet 10.27.50.0 255.255.255.240
object network DMZ-Outside
subnet 10.27.50.0 255.255.255.0
--> object network DMZ-Outside_Backup
--> subnet 10.27.50.0 255.255.255.0
object network NVR
host 10.27.50.2
object service NVR-TCP
service tcp destination eq 37777
object service NVR-RTSP
service tcp destination eq rtsp
object service NVR-TCP-SOURCE
service tcp source eq 37777
object service NVR-RTSP-SOURCE
service tcp source eq rtsp
object network Telus-Inside
host 10.27.100.0
access-list SplitTunnelACL standard permit 10.27.100.0 255.255.255.0
access-list SplitTunnelACL standard permit 10.27.50.0 255.255.255.240
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list VPN extended permit ip any object VPNPool
access-list VPN extended permit ip object VPNPool any
access-list Outside_access_in extended permit object NVR-RTSP any object NVR log
access-list Outside_access_in extended permit object NVR-TCP any object NVR log
pager lines 24
logging enable
logging timestamp
no logging hide username
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Telus 1500
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7141-48.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,Outside) source static DSG-Inside DSG-Inside destination static VPNPool VPNPool
nat (DMZ,Outside) source static Inside-DMZ Inside-DMZ destination static VPNPool VPNPool
nat (DMZ,Outside) source static NVR interface service NVR-RTSP-SOURCE NVR-RTSP-SOURCE
nat (DMZ,Outside) source static NVR interface service NVR-TCP-SOURCE NVR-TCP-SOURCE
nat (Outside,Outside) source dynamic VPNPool interface
--> nat (Inside,Telus) source static DSG-Inside DSG-Inside destination static VPNPool VPNPool
--> nat (DMZ,Telus) source static Inside-DMZ Inside-DMZ destination static VPNPool VPNPool
--> nat (DMZ,Telus) source static NVR interface service NVR-RTSP-SOURCE NVR-RTSP-SOURCE
--> nat (DMZ,Telus) source static NVR interface service NVR-TCP-SOURCE NVR-TCP-SOURCE
--> nat (Telus,Telus) source dynamic VPNPool interface
!
object network DSG-Inside
nat (Inside,Outside) dynamic interface
--> object network DSG-Inside_Backup
--> nat (Inside,Telus) dynamic interface
object network Inside-DMZ
nat (Inside,DMZ) dynamic interface
object network DMZ-Outside
nat (DMZ,Outside) dynamic interface
--> object network DMZ-Outside_Backup
--> nat (DMZ,Telus) dynamic interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 184.67.21.89 1 track 1
route Telus 0.0.0.0 0.0.0.0 64.114.75.144 50
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map VPN_Access
map-name memberOf Group-Policy
map-value memberOf "CN=VPN_Admin,OU=DSG Groups,DC=dsgauto,DC=local" VPN_Admin
map-value memberOf "CN=VPN_User,OU=DSG Groups,DC=dsgauto,DC=local" VPN_User
aaa-server DSG_LDAP protocol ldap
aaa-server DSG_LDAP (Inside) host 10.27.100.4
ldap-base-dn DC=dsgauto,DC=local
ldap-group-base-dn OU=DSG Users,DC=dsgauto,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn CN=DSG_SA,CN=Users,DC=dsgauto,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history
http server enable
http server idle-timeout 10
http 10.27.100.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint dsgasa
enrollment terminal
subject-name CN=DSGASA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint vpn_dsgauto_ca
enrollment terminal
crl configure
crypto ca trustpoint vpn.dsgauto.ca
enrollment terminal
no accept-subordinates
no id-cert-issuer
crl configure
no protocol http
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_VPN_SSL
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpool policy
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 10.27.100.0 255.255.255.0 Inside
console timeout 0
management-access Inside
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
vpnclient mode client-mode
dhcpd dns 10.27.100.4 64.59.144.90
dhcpd wins 10.27.100.4
dhcpd ping_timeout 200
dhcpd domain dsgauto.local
dhcpd option 3 ip 10.27.100.1
!
dhcpd address 10.27.100.100-10.27.100.254 Inside
dhcpd dns 10.27.100.4 64.59.144.16 interface Inside
dhcpd wins 10.27.100.4 interface Inside
dhcpd lease 86400 interface Inside
dhcpd domain dsgauto.local interface Inside
dhcpd update dns override interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
--> enable Telus
enable Inside
enable DMZ
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.00086-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.9.00086-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect profiles DSGAutoVPN disk0:/dsgautovpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 0
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ssl-client
default-domain value dsgauto.local
split-tunnel-all-dns disable
group-policy DfltGrpPolicy attributes
dns-server value 10.27.100.4
group-policy VPN_Admin internal
group-policy VPN_Admin attributes
dns-server value 10.27.100.4 64.59.144.16
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value dsgauto.local
group-policy VPN_User internal
group-policy VPN_User attributes
dns-server value 10.27.100.4
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
default-domain value dsgauto.local
dynamic-access-policy-record DfltAccessPolicy
username brent password ***** pbkdf2 privilege 15
username dileep password ***** pbkdf2 privilege 15
username dileep attributes
service-type admin
tunnel-group VPN_Admin type remote-access
tunnel-group VPN_Admin general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_Admin
tunnel-group VPN_Admin webvpn-attributes
group-alias VPN_Admin enable
group-url https://vpn.dsgauto.ca/vpn_admin enable
tunnel-group VPN_User type remote-access
tunnel-group VPN_User general-attributes
address-pool VPNPool
authentication-server-group DSG_LDAP LOCAL
default-group-policy VPN_User
tunnel-group VPN_User webvpn-attributes
group-alias VPN_User enable
group-url https://vpn.dsgauto.ca/vpn_user enable
!
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match any
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect snmp
class firepower_class_map
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fa7436dd98f6127da68dc073da799dc
: end
08-06-2020 03:23 PM
Wow, it is a pleasure seeing you gents share knowledge.
Thank you Georg and Richard!
I am going to perform a Failover test this evening at 6pm (PDT) and I will update after that.
I cannot thank you enough!!!
Best Regards!
Brent
08-07-2020 03:02 PM
Performing test at 7pm tonight, as I was balked last night.
Update after that, thank you gents!
Brent