2045 Views, 0 Helpful, 7 Replies

ASA 5505 - Setting up 2 LAN Networks and 2 WAN connections

integservices (Level 1)

I have an ASA 5505 with Security Bundle license.

I am able to create 2 LAN networks (192.168.9.0 and 172.16.9.0) Vlan1 and Vlan12 respectively. I also setup 2 outside interfaces (outside1 and outside2).

Network 1 (192.168.9.0 - VLAN1) has no issues going out via Outside1, however I can't get Network 2 (172.16.9.0 - VLAN 12) to go through outside2.

I put in a static route (route outside 172.16.9.0 255.255.255.0 x.x.x.x), the x.x.x.x is the default gateway of my ISP.

Does anyone know how I can accomplish this?

Thanks,

RICH

7 Replies

Eddy Duran (Level 1)

Hello Rich,

Could you paste your configuration? The route statement that you entered is telling the ASA to send traffic for the 172 subnet using outside2, but the traffic coming from that new interface would still use the default gateway for the traffic going to the internet. I assume that the default gateway on your ASA is pointing to outside1.

Hope this works for you.

That is probably what I am missing. How do I let the new interface go to the other gateway?

Here is my config.

ASA Version 8.2(5)
!
hostname JC-CHATHAM
enable password .PlakDGVFWS.y/j9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 22
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside1
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
backup interface Vlan22
nameif outside1
security-level 0
ip address 108.35.180.120 255.255.255.0
!
interface Vlan12
nameif inside2
security-level 100
ip address 172.16.9.1 255.255.255.0
!
interface Vlan22
nameif outside2
security-level 0
ip address 173.70.17.250 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside1 1500
mtu outside1 1500
mtu inside2 1500
mtu outside2 150
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside1) 1 0.0.0.0 0.0.0.0
route outside1 0.0.0.0 0.0.0.0 108.35.180.1 1
route outside2 0.0.0.0 0.0.0.0 173.70.17.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 108.179.13.0 255.255.255.0 outside1
http 192.168.9.0 255.255.255.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside1
!
dhcpd address 192.168.9.100-192.168.9.200 inside1
dhcpd dns 68.237.161.12 8.8.8.8 interface inside1
dhcpd enable inside1
!
dhcpd address 172.16.9.100-172.16.9.150 inside2
dhcpd dns 8.8.8.8 interface inside2
dhcpd enable inside2
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9d0ae3f2211bdfec4c6228dd78d854c2

I also changed

route outside1 0.0.0.0 0.0.0.0 108.35.180.1 1

route outside2 0.0.0.0 0.0.0.0 173.70.17.1 2

to

route outside1 192.168.9.0 255.255.255.0 108.35.180.1 1

route outside2 176.16.9.0 255.255.255.0 173.70.17.1 2

and it didn't work

Any help is appreciated. Thanks

Hi,

To your initial config, try adding nat/global for the 2nd subnet. Also, I would change the 1st subnet nat statement to a specific subnet.

Modify:

nat (inside1) 1 0.0.0.0 0.0.0.0  --> nat (inside1) 1 192.168.9.0 255.255.255.0

add:

global (outside2) 2 interface

nat (inside2) 2 176.16.9.0 255.255.255.0

See if this works.

hth

MS

I think this helped a bit, but I still have issues getting to the internet via outside2.

But this is what I noticed.

If I swap the metric on the following:

route outside1 0.0.0.0 0.0.0.0 108.35.180.1 1

route outside2 0.0.0.0 0.0.0.0 173.70.17.1 2

making it route outside1 0.0.0.0 0.0.0.0 108.35.180.1 2 and route outside2 0.0.0.0 0.0.0.0 173.70.17.1 1

I can now get out from inside2 to outside2 but cannot get out from inside1 to outside1.

How can I make the default gateway different for the 2 interfaces?

Hey Richard,

Unfortunately there is no way to specify a different gateway for those 2 interfaces. The ASA would always do a route lookup and will match the route statement with the lowest administrative distance.

Let me know if you have any doubt or question. 

Hi Richard,

What Eddy mentioned was correct. Somehow I misread your initial posting. You can use two default routes with the same metric as long as they are on the same outside interface, but not 2 different subnets through two different outside interfaces. The second internet connection can be used as a backup with an IP SLA config. Check the link below:

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/ip.html

hth

MS
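The behaviour Eddy and MS describe (the ASA picks the egress interface by a destination-only route lookup, so two default routes on different interfaces can never give inside1 and inside2 different gateways, and the metric swap Rich observed just moves both VLANs to the other ISP) can be reproduced with a small model of the routing table. The following is an added illustration, not code from the thread or from Cisco: it implements longest-prefix match with administrative-distance tie-breaking over the addresses posted in the config, ignores NAT and the equal-cost-route rules entirely, and the `track_up` flag is an assumed stand-in for an IP SLA-tracked route being withdrawn, which is the backup arrangement MS mentions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    """One entry of the ASA routing table (static or directly connected)."""
    prefix: IPv4Network
    interface: str
    next_hop: str          # "connected" for directly attached networks
    distance: int = 1      # trailing number in 'route <if> <net> <mask> <gw> <distance>'
    track_up: bool = True  # assumed flag: False once an IP SLA track declares the path down


class RouteTable:
    """Destination-only lookup, modelled on the ASA behaviour described in the thread."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        target = ip_address(dst)
        # A tracked route whose probe has failed is withdrawn from the table.
        candidates = [r for r in self.routes if r.track_up and target in r.prefix]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes the lowest distance wins.
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def egress_interface(table: RouteTable, ingress: str, dst: str) -> Optional[str]:
    """Interface a packet leaves on. `ingress` is accepted but never consulted:
    that is exactly why the two inside VLANs cannot get different default gateways."""
    route = table.lookup(dst)
    return route.interface if route else None


def connected_routes() -> List[Route]:
    # Subnets and interface names are the ones posted in the config above.
    return [
        Route(ip_network("192.168.9.0/24"), "inside1", "connected"),
        Route(ip_network("172.16.9.0/24"), "inside2", "connected"),
        Route(ip_network("108.35.180.0/24"), "outside1", "connected"),
        Route(ip_network("173.70.17.0/24"), "outside2", "connected"),
    ]


def table_original() -> RouteTable:
    """route outside1 0.0.0.0 0.0.0.0 108.35.180.1 1 / route outside2 0.0.0.0 0.0.0.0 173.70.17.1 2"""
    return RouteTable(connected_routes() + [
        Route(ip_network("0.0.0.0/0"), "outside1", "108.35.180.1", 1),
        Route(ip_network("0.0.0.0/0"), "outside2", "173.70.17.1", 2),
    ])


def table_swapped() -> RouteTable:
    """The metric swap Rich tried: outside1 gets 2, outside2 gets 1."""
    return RouteTable(connected_routes() + [
        Route(ip_network("0.0.0.0/0"), "outside1", "108.35.180.1", 2),
        Route(ip_network("0.0.0.0/0"), "outside2", "173.70.17.1", 1),
    ])


def table_tracked(outside1_reachable: bool) -> RouteTable:
    """Constructed backup scenario: the primary default route is tied to a track
    object; when the probe through outside1 fails the route is withdrawn and the
    high-distance route through outside2 carries traffic from both inside VLANs."""
    return RouteTable(connected_routes() + [
        Route(ip_network("0.0.0.0/0"), "outside1", "108.35.180.1", 1, track_up=outside1_reachable),
        Route(ip_network("0.0.0.0/0"), "outside2", "173.70.17.1", 254),
    ])


if __name__ == "__main__":
    internet = "8.8.8.8"
    scenarios = [("original", table_original()),
                 ("swapped", table_swapped()),
                 ("tracked, outside1 up", table_tracked(True)),
                 ("tracked, outside1 down", table_tracked(False))]
    for name, table in scenarios:
        print(f"{name:24s} inside1->{egress_interface(table, 'inside1', internet)}  "
              f"inside2->{egress_interface(table, 'inside2', internet)}")
```

Run stand-alone it prints one line per scenario; in every case inside1 and inside2 land on the same outside interface, which is the point of Eddy's answer. The tracked scenario only changes which interface that is, so a second ISP on this platform is an active/standby backup for the whole firewall rather than a per-VLAN uplink.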
