05-30-2012 05:41 AM - edited 03-11-2019 04:13 PM
Hi all,
I am having an issue when implementing an additional internet connection on our ASA 5510.
The new connection is "TWCOutside". It was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.
When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change our default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for their internet browsing.
However, our FTP server, in the DMZ, completely loses outside access. It cannot ping 8.8.8.8, or resolve DNS queries. There is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks.
Effectively, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so.
Below is my (truncated) config, any thoughts?
Password: **********
ASA-NCA-SVRRM-5510# sho run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA-NCA-SVRRM-5510
domain-name xxx.corp
enable password xxxxx encrypted
passwd xxxxx encrypted
names
name 10.20.1.23 NCASK333
name 10.20.1.40 Barracuda
!
interface Ethernet0/0
nameif ATTOutside
security-level 0
ip address 12.49.251.3 255.255.255.248
!
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 20
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/2
description 20 MB DIA
speed 100
duplex full
nameif TWCOutside
security-level 0
ip address 98.103.148.146 255.255.255.240
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 10.20.1.249 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address dhcp setroute
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup ATTOutside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.20.1.48
name-server 66.73.20.40
name-server 206.141.193.55
domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.192.0.0
subnet 10.192.0.0 255.255.0.0
object network mail.xxx.com
host 10.20.1.40
object network NCASK333
host 10.20.1.23
object network obj-10.20.1.218
host 10.20.1.218
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.192.0.0_16
subnet 10.192.0.0 255.255.0.0
object network NETWORK_OBJ_10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network Canton
host 10.1.1.1
object network 12.49.251.5
host 12.49.251.5
object network NCASK820
host 10.20.1.61
description Exchange Server/ KMS
object service AS2
service tcp source eq 8800 destination eq 8800
object network NCADMZ02
host 172.16.10.11
object network Cloverleaf
subnet 24.140.152.0 255.255.254.0
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp traceroute
object-group network DM_INLINE_NETWORK_1
network-object 10.1.0.0 255.255.0.0
network-object 10.20.0.0 255.255.0.0
network-object 10.22.0.0 255.255.0.0
network-object 10.23.0.0 255.255.0.0
network-object 10.24.0.0 255.255.0.0
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 8080
service-object tcp destination eq 8500
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object tcp destination eq 5080
service-object object AS2
service-object tcp destination eq 8800
service-object tcp destination eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq echo
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp traceroute
object-group network DM_INLINE_NETWORK_5
network-object 172.16.10.0 255.255.255.0
network-object object NCADMZ02
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Outside_access_in extended permit tcp any object mail.xxx.com object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_5
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object NCAFTP01:80 inactive
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object NCASK333
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any 172.16.10.0 255.255.255.0
access-list global_access extended permit ip 10.20.0.0 255.255.0.0 10.192.4.0 255.255.255.0
access-list global_access extended permit ip 10.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list global_access extended permit ip any 12.49.251.0 255.255.255.248
access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.4.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 10.20.0.0 255.255.0.0 object-group DM_INLINE_TCP_3
access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 any object-group DM_INLINE_TCP_2
access-list DMZ_access_in remark Used for KMS Service
access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 object NCASK820 eq 1688
access-list DMZ_access_in extended permit tcp 172.16.10.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 8500
access-list DMZ_access_in extended permit ip 10.20.0.0 255.255.0.0 any
access-list TWCOutside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
pager lines 24
logging enable
logging asdm errors
logging host Inside 10.20.1.39 6/1470
flow-export destination Inside 10.20.1.39 2055
flow-export template timeout-rate 1
mtu ATTOutside 1500
mtu Inside 1500
mtu management 1500
mtu DMZ 1500
mtu TWCOutside 1500
no failover
arp timeout 14400
nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
!
object network mail.xxx.com
nat (Inside,ATTOutside) static 12.49.251.4
object network NCASK333
nat (Inside,ATTOutside) static 12.49.251.6
object network obj-10.20.1.218
nat (Inside,ATTOutside) static 12.49.251.2
object network obj_any
nat (Inside,ATTOutside) dynamic interface
object network NCADMZ02
nat (any,ATTOutside) static 12.49.251.5
object network Cloverleaf
nat (any,ATTOutside) dynamic interface
!
nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface destination static 12.49.251.5 12.49.251.5
access-group Outside_access_in in interface ATTOutside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
access-group TWCOutside_access_in in interface TWCOutside
access-group global_access global
route ATTOutside 0.0.0.0 0.0.0.0 12.49.251.1 10
route TWCOutside 0.0.0.0 0.0.0.0 98.103.148.145 15
route Inside 10.1.0.0 255.255.0.0 10.1.1.1 1
route Inside 10.10.0.0 255.255.0.0 10.10.1.1 1
route Inside 10.11.0.0 255.255.0.0 10.11.1.1 1
route Inside 10.12.0.0 255.255.0.0 10.12.1.1 1
route Inside 10.13.0.0 255.255.0.0 10.13.1.1 1
route Inside 10.14.0.0 255.255.0.0 10.14.1.1 1
route Inside 10.18.0.0 255.255.0.0 10.18.1.1 1
route Inside 10.19.0.0 255.255.0.0 10.19.1.1 1
route Inside 10.22.0.0 255.255.0.0 10.22.1.1 1
route Inside 10.23.0.0 255.255.0.0 10.23.1.1 1
route Inside 10.24.0.0 255.255.0.0 10.24.1.1 1
route ATTOutside 10.192.4.0 255.255.255.0 12.49.251.1 10
route ATTOutside 24.140.152.144 255.255.255.255 12.49.251.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
flow-export event-type all destination 10.20.1.39
!
: end
ASA-NCA-SVRRM-5510#
05-30-2012 06:22 AM
Unfortunately you can't have 2 default gateways active at the same time on an ASA firewall, hence the problem that you experience when some users use internet ISP1 and others use internet ISP2.
05-30-2012 06:22 AM
Hi Michael,
The ASA does not have the PBR feature, so the design that you are trying to implement is not supported on it. Since there can be only one default route on the ASA, it becomes difficult to give internet access to the end users off a different link. The best I can suggest is, instead of doing this routing on the ASA, terminate the links on an upstream router where you can perform the PBR to route traffic off different interfaces. There's another workaround for it on this forum, but it is an unsupported configuration, although it works:
https://supportforums.cisco.com/docs/DOC-15622
Thanks,
Varun Rao
Security Team,
Cisco TAC
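The following is an added example, not code from this thread or from Cisco: a small Python model of the behaviour the replies describe, in which the ASA first picks the egress interface by route lookup (longest prefix, then lowest metric) and only then looks for a NAT rule that is tied to that egress interface. It reproduces the poster's symptom: with the ATT default route preferred, the DMZ host 172.16.10.11 matches its static NAT to 12.49.251.5; once the TWC default route wins, the egress interface becomes TWCOutside, no NAT rule is bound to that interface, and the model returns no translation, which is the "loses outside access" case. The interface names, routes and NAT addresses come from the posted config; the inside client 10.20.1.100 is a constructed sample address, and the whole thing is a simplified model, not the ASA's real NAT engine (it ignores ACLs, twice-NAT ordering and the destination-specific after-auto rule).

```python
"""Toy model of ASA 8.3 egress selection: route lookup first, then NAT rule match.
Added example for illustration; addresses come from the posted config except
the inside client 10.20.1.100, which is a constructed sample value."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: IPv4Network
    gateway: str
    metric: int


@dataclass(frozen=True)
class NatRule:
    real_iface: str      # "any" matches traffic entering on any interface
    mapped_iface: str    # the interface the rule is bound to
    real: IPv4Network    # real (pre-NAT) source addresses
    mapped: str          # mapped address, or "interface" for interface PAT


def egress_interface(routes: List[Route], dst: str) -> str:
    """Longest-prefix match; ties broken by the lowest route metric."""
    addr = ipaddress.IPv4Address(dst)
    best = min((r for r in routes if addr in r.prefix),
               key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.iface


def translate(rules: List[NatRule], ingress: str, egress: str,
              src: str) -> Optional[str]:
    """Return the mapped source for the first rule whose interface pair and
    real source match, or None when no rule is bound to the egress interface
    (the packet would leave untranslated, with its private source address)."""
    addr = ipaddress.IPv4Address(src)
    for rule in rules:
        if rule.real_iface not in ("any", ingress):
            continue
        if rule.mapped_iface != egress:
            continue
        if addr in rule.real:
            return rule.mapped
    return None


def build_routes(att_metric: int, twc_metric: int) -> List[Route]:
    """The two default routes from the config plus the VPN peer route pinned to ATT."""
    default = IPv4Network("0.0.0.0/0")
    return [
        Route("ATTOutside", default, "12.49.251.1", att_metric),
        Route("TWCOutside", default, "98.103.148.145", twc_metric),
        Route("ATTOutside", IPv4Network("10.192.4.0/24"), "12.49.251.1", 10),
    ]


def build_nat(pat_iface: str) -> List[NatRule]:
    """NCADMZ02 static NAT (bound to ATTOutside) and the obj_any dynamic PAT,
    whose mapped interface is what the poster switches between ATT and TWC."""
    return [
        NatRule("any", "ATTOutside", IPv4Network("172.16.10.11/32"), "12.49.251.5"),
        NatRule("Inside", pat_iface, IPv4Network("0.0.0.0/0"), "interface"),
    ]


def simulate(att_metric: int, twc_metric: int, pat_iface: str,
             ingress: str, src: str, dst: str = "8.8.8.8") -> Tuple[str, Optional[str]]:
    """(egress interface, mapped source) for one outbound flow."""
    egress = egress_interface(build_routes(att_metric, twc_metric), dst)
    return egress, translate(build_nat(pat_iface), ingress, egress, src)


if __name__ == "__main__":
    # Rolled-back state: ATT preferred (metric 10 vs 15), PAT on ATTOutside.
    print("DMZ host, ATT preferred :", simulate(10, 15, "ATTOutside", "DMZ", "172.16.10.11"))
    # Cut-over state: TWC metric lowered to 1, PAT moved to TWCOutside.
    print("DMZ host, TWC preferred :", simulate(10, 1, "TWCOutside", "DMZ", "172.16.10.11"))
    print("Inside user, TWC preferred:", simulate(10, 1, "TWCOutside", "Inside", "10.20.1.100"))
    print("VPN peer net still via ATT:", egress_interface(build_routes(10, 1), "10.192.4.10"))
```

The model makes the fix options concrete: a NAT rule bound to the ATT interface can only be chosen if routing already sends the flow out that interface, so for the DMZ host either the route lookup must land on ATTOutside (which the single default route cannot do per-host without PBR, as the replies say) or a NAT rule must exist on the interface the flow actually leaves through.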