cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3676
Views
5
Helpful
2
Replies

ASA 5510 - Dual Internet Connections - Routing DMZ Traffic

mike.welker
Level 1
Level 1

Hi all,

I am having an issue when implementing an additional internet connection on our ASA 5510. 

ASA.png

The new connection is "TWCOutside".  I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection.  Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.

When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected.  Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed.  Our end users begin using the new connection for thier internet browsing.

However, our FTP server, in the DMZ, completley loses outside access.  It cannot ping to 8.8.8.8, or resolve DNS queries.  The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses.  I need it to continue to do so for the next few weeks.

Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being.  The only problem I am having is the DMZ connection.  I am currently "rolled back", so no one is using the new connection until I figure this out.  I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so.

Below is my (truncated) config, any thoughts?

Password: **********

ASA-NCA-SVRRM-5510# sho run

: Saved

:

ASA Version 8.3(1)

!

hostname ASA-NCA-SVRRM-5510

domain-name xxx.corp

enable password xxxxx encrypted

passwd xxxxx encrypted

names

name 10.20.1.23 NCASK333

name 10.20.1.40 Barracuda

!

interface Ethernet0/0

nameif ATTOutside

security-level 0

ip address 12.49.251.3 255.255.255.248

!

interface Ethernet0/1

description DMZ

nameif DMZ

security-level 20

ip address 172.16.10.1 255.255.255.0

!

interface Ethernet0/2

description 20 MB DIA

speed 100

duplex full

nameif TWCOutside

security-level 0

ip address 98.103.148.146 255.255.255.240

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 10.20.1.249 255.255.0.0

!

interface Management0/0

nameif management

security-level 100

ip address dhcp setroute

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup ATTOutside

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 10.20.1.48

name-server 66.73.20.40

name-server 206.141.193.55

domain-name xxxxx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-10.192.0.0

subnet 10.192.0.0 255.255.0.0

object network mail.xxx.com

host 10.20.1.40

object network NCASK333

host 10.20.1.23

object network obj-10.20.1.218

host 10.20.1.218

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.192.0.0_16

subnet 10.192.0.0 255.255.0.0

object network NETWORK_OBJ_10.20.0.0_16

subnet 10.20.0.0 255.255.0.0

object network Canton

host 10.1.1.1

object network 12.49.251.5

host 12.49.251.5

object network NCASK820

host 10.20.1.61

description Exchange Server/ KMS

object service AS2

service tcp source eq 8800 destination eq 8800

object network NCADMZ02

host 172.16.10.11

object network Cloverleaf

subnet 24.140.152.0 255.255.254.0

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp destination eq pptp

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

port-object eq domain

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object icmp traceroute

object-group network DM_INLINE_NETWORK_1

network-object 10.1.0.0 255.255.0.0

network-object 10.20.0.0 255.255.0.0

network-object 10.22.0.0 255.255.0.0

network-object 10.23.0.0 255.255.0.0

network-object 10.24.0.0 255.255.0.0

object-group service DM_INLINE_SERVICE_3

service-object tcp destination eq 8080

service-object tcp destination eq 8500

service-object tcp destination eq domain

service-object tcp destination eq ftp

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq domain

service-object icmp

service-object tcp destination eq 5080

service-object object AS2

service-object tcp destination eq 8800

service-object tcp destination eq ftp-data

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq 8080

port-object eq www

port-object eq https

port-object eq echo

object-group service DM_INLINE_SERVICE_4

service-object icmp

service-object icmp traceroute

object-group network DM_INLINE_NETWORK_5

network-object 172.16.10.0 255.255.255.0

network-object object NCADMZ02

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any

access-list Outside_access_in extended permit tcp any object mail.xxx.com object-group DM_INLINE_TCP_1

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_5

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object NCAFTP01:80 inactive

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object NCASK333

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended permit icmp any any

access-list Inside_access_in extended permit ip any 172.16.10.0 255.255.255.0

access-list global_access extended permit ip 10.20.0.0 255.255.0.0 10.192.4.0 255.255.255.0

access-list global_access extended permit ip 10.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0

access-list global_access extended permit ip any 12.49.251.0 255.255.255.248

access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.4.0 255.255.255.0

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 10.20.0.0 255.255.0.0 object-group DM_INLINE_TCP_3

access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 any object-group DM_INLINE_TCP_2

access-list DMZ_access_in remark Used for KMS Service

access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 object NCASK820 eq 1688

access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 8500

access-list DMZ_access_in extended permit ip 10.20.0.0 255.255.0.0 any

access-list TWCOutside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any

pager lines 24

logging enable

logging asdm errors

logging host Inside 10.20.1.39 6/1470

flow-export destination Inside 10.20.1.39 2055

flow-export template timeout-rate 1

mtu ATTOutside 1500

mtu Inside 1500

mtu management 1500

mtu DMZ 1500

mtu TWCOutside 1500

no failover

arp timeout 14400

nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0

nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16

!

object network mail.xxx.com

nat (Inside,ATTOutside) static 12.49.251.4

object network NCASK333

nat (Inside,ATTOutside) static 12.49.251.6

object network obj-10.20.1.218

nat (Inside,ATTOutside) static 12.49.251.2

object network obj_any

nat (Inside,ATTOutside) dynamic interface

object network NCADMZ02

nat (any,ATTOutside) static 12.49.251.5

object network Cloverleaf

nat (any,ATTOutside) dynamic interface

!

nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface destination static 12.49.251.5 12.49.251.5

access-group Outside_access_in in interface ATTOutside

access-group Inside_access_in in interface Inside

access-group DMZ_access_in in interface DMZ

access-group TWCOutside_access_in in interface TWCOutside

access-group global_access global

route ATTOutside 0.0.0.0 0.0.0.0 12.49.251.1 10

route TWCOutside 0.0.0.0 0.0.0.0 98.103.148.145 15

route Inside 10.1.0.0 255.255.0.0 10.1.1.1 1

route Inside 10.10.0.0 255.255.0.0 10.10.1.1 1

route Inside 10.11.0.0 255.255.0.0 10.11.1.1 1

route Inside 10.12.0.0 255.255.0.0 10.12.1.1 1

route Inside 10.13.0.0 255.255.0.0 10.13.1.1 1

route Inside 10.14.0.0 255.255.0.0 10.14.1.1 1

route Inside 10.18.0.0 255.255.0.0 10.18.1.1 1

route Inside 10.19.0.0 255.255.0.0 10.19.1.1 1

route Inside 10.22.0.0 255.255.0.0 10.22.1.1 1

route Inside 10.23.0.0 255.255.0.0 10.23.1.1 1

route Inside 10.24.0.0 255.255.0.0 10.24.1.1 1

route ATTOutside 10.192.4.0 255.255.255.0 12.49.251.1 10

route ATTOutside 24.140.152.144 255.255.255.255 12.49.251.1 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

class class-default

  flow-export event-type all destination 10.20.1.39

!

: end

ASA-NCA-SVRRM-5510#

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

Unfortunately you can't have 2 default gateways active at the same time on ASA firewall, hence the problem that you experience when some uses internet ISP1 and others use internet ISP2.

varrao
Level 10
Level 10

Hi Michael,

The ASA does not have the feature of PBR on it, due to which the design that you are trying to implement is not supported on it. Since there can be only one default route on the ASA, it becomes difficult to give internet access to the end users off a different link. The best I can suggest is, instead of doing this routing on the ASA, terminate the links on an upstream router where you can perform the PBR to route traffic off different interfaces. There's another workaround for it on this forum, but it is unsupported configuration although it works:

https://supportforums.cisco.com/docs/DOC-15622

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao
Review Cisco Networking for a $25 gift card