ASA 5512 -- Adding second ISP to existing config

johnstch
Level 1

We currently have one ISP with a basic setup (inside, outside, DMZ, etc.). We have a /27 set up with a few static IPs that are natted, and all of the clients are dynamically natted. What we'd like to do is add a second provider for internet for the clients and continue using the first provider only for the traffic related to the static IPs (which the clients would need to access as well). So far I've tried adding the /27 from the other provider to another interface on the ASA, then allowing it the same access as the existing interface, then setting the default route to the gateway on the new interface and setting static routes for all of the existing static routes to point back to the gateway on the old interface. It would appear that this works for getting traffic out of the new ISP, but nothing works with regard to any of the existing static addresses/routes from the first ISP. It's our first time doing anything like this, so obviously there's something I'm missing or an easier way to do this. Any help would be greatly appreciated.

Thanks.

2 Replies

Deepak Kumar
VIP Alumni

Hi,

Please share your current configuration which is not working for you.

Regards,
Deepak Kumar

Don't forget to vote and accept the solution if this comment helps you!

-----------------------------------------------------

!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x(ISP1 address) 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.28.1 255.255.255.0
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif outside2_test
 security-level 0
 ip address x.x.x.x(ISP2 address) 255.255.255.224
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
object network obj_dmz_network
 subnet 172.16.28.0 255.255.255.0
object network objN_default_network
 subnet 0.0.0.0 0.0.0.0
object network objN_inside
 subnet 10.0.0.0 255.0.0.0
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu outside2_test 1500
!
icmp permit any outside
icmp permit any inside
icmp permit any dmz
icmp permit any outside2_test
!
object network obj_dmz_network
 nat (inside,dmz) static obj_dmz_network
object network objN_inside
 nat (inside,outside) dynamic interface
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (inside,outside) dynamic interface
object network obj_x
 nat (inside,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (inside,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (inside,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (inside,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
object network obj_x
 nat (dmz,outside) static x.x.x.x(ISP1_static)
!
access-group public_access in interface outside
access-group outbound_access in interface inside
access-group dmz_access in interface dmz
access-group public_access in interface outside2_test
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x(ISP1_gateway) 1
route inside 10.0.0.0 255.0.0.0 x.x.x.x(Internal Gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route outside x.x.x.x(ISP1_static) 255.255.255.255 x.x.x.x(ISP1_gateway) 1
route inside 192.168.0.0 255.255.0.0 (Internal Gateway) 1

------------------------------------------------------------------

So above, I've kept the static routes to the defined IPs, and in testing I've changed the default route to point to the new ISP:

no route outside 0.0.0.0 0.0.0.0 (ISP1_gateway) 1
route outside2_test 0.0.0.0 0.0.0.0 (ISP2_gateway) 1
object network objN_inside
 nat (inside,outside2_test) dynamic interface

I've also tried adding a second network object for inside and dynamically natting that as well:

object network objN2_inside
 subnet 10.0.0.0 255.0.0.0

and then having both dynamic NAT statements:

object network objN_inside
 nat (inside,outside) dynamic interface
object network objN2_inside
 nat (inside,outside2_test) dynamic interface


Thank you,
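Added check, not part of the thread and not the poster's configuration: a small Python model of what happens to a new outbound flow under the test change described above (default route moved to outside2_test, per-host routes to the ISP1 mapped addresses kept, dynamic PAT for inside on both outside interfaces, static NAT for DMZ hosts on the ISP1 interface only). It assumes two things about ASA behaviour, and nothing else: the egress interface for a new flow is chosen by longest-prefix match over the static routes (lowest metric on a tie), and an object (auto) NAT rule applies only when its (real, mapped) interface pair equals the flow's (ingress, egress) interface pair. All addresses, object names (obj_web, objN2_inside) and flows are constructed stand-ins for the x.x.x.x placeholders in the post. Run over that constructed config it reports which source networks would leave the new ISP interface with no NAT rule covering them, which is the check a practitioner wants before moving a default route between outside interfaces.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (RFC 5737 documentation ranges) for the redacted values in the post.
ISP1_GW = "198.51.100.1"
ISP2_GW = "203.0.113.1"
ISP1_STATIC = "198.51.100.10"

# Constructed config in the shape of the test change: default route on outside2_test,
# host route to the ISP1 mapped address via outside, PAT for inside on both outside
# interfaces, static NAT for one DMZ host on the ISP1 interface only. Hypothetical names.
CONFIG = f"""
object network objN_inside
 subnet 10.0.0.0 255.0.0.0
object network objN2_inside
 subnet 10.0.0.0 255.0.0.0
object network obj_web
 host 172.16.28.10
!
object network objN_inside
 nat (inside,outside) dynamic interface
object network objN2_inside
 nat (inside,outside2_test) dynamic interface
object network obj_web
 nat (dmz,outside) static {ISP1_STATIC}
!
route outside2_test 0.0.0.0 0.0.0.0 {ISP2_GW} 1
route outside {ISP1_STATIC} 255.255.255.255 {ISP1_GW} 1
route inside 10.0.0.0 255.0.0.0 10.0.0.254 1
"""

@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int

@dataclass(frozen=True)
class NatRule:
    real_iface: str
    mapped_iface: str
    real_net: ipaddress.IPv4Network  # network of the object the rule is attached to
    kind: str                        # "static" or "dynamic"

def parse_routes(config):
    """Parse 'route <iface> <net> <mask> <gw> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "route":
            net = ipaddress.IPv4Network(f"{p[2]}/{p[3]}")
            routes.append(Route(p[1], net, p[4], int(p[5]) if len(p) > 5 else 1))
    return routes

def parse_nat(config):
    """Collect 'subnet'/'host' and 'nat (real,mapped) ...' lines per object network,
    even when show-run style output re-declares the object later for the nat line."""
    nets, pending, name = {}, [], None
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "object" and p[1] == "network":
            name = p[2]
        elif p and p[0] == "subnet" and name:
            nets[name] = ipaddress.IPv4Network(f"{p[1]}/{p[2]}")
        elif p and p[0] == "host" and name:
            nets[name] = ipaddress.IPv4Network(f"{p[1]}/32")
        elif p and p[0] == "nat" and name:
            real, mapped = p[1].strip("()").split(",")
            pending.append((name, real, mapped, p[2]))
    return [NatRule(r, m, nets[n], k) for n, r, m, k in pending]

def egress_interface(routes, dst):
    """Assumed lookup order: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)).iface

def audit_flow(config, ingress, src, dst):
    """Return (egress interface, NAT rules whose interface pair and real network cover this new flow)."""
    routes, rules = parse_routes(config), parse_nat(config)
    out = egress_interface(routes, dst)
    addr = ipaddress.IPv4Address(src)
    covering = [r for r in rules
                if r.real_iface == ingress and r.mapped_iface == out and addr in r.real_net]
    return out, covering

def untranslated_flows(config, flows):
    """Flows that would exit an interface with no NAT rule for their (ingress, egress) pair."""
    result = []
    for ingress, src, dst in flows:
        out, covering = audit_flow(config, ingress, src, dst)
        if not covering:
            result.append((ingress, src, out))
    return result

# Constructed sample flows: a client to the Internet, a DMZ server initiating outbound,
# and a client to the ISP1 mapped address (the only case the per-host routes steer).
FLOWS = [
    ("inside", "10.1.2.3", "192.0.2.50"),
    ("dmz", "172.16.28.10", "192.0.2.50"),
    ("inside", "10.1.2.3", ISP1_STATIC),
]

if __name__ == "__main__":
    for ingress, src, dst in FLOWS:
        out, covering = audit_flow(CONFIG, ingress, src, dst)
        status = ("translated by " + ", ".join(f"({r.real_iface},{r.mapped_iface}) {r.kind}" for r in covering)
                  if covering else "NO NAT RULE for this interface pair")
        print(f"{ingress:7} {src:14} -> {dst:14} egress {out:13} {status}")
```

The point the output makes is that the per-host routes to the ISP1 mapped addresses only influence traffic destined to those addresses; a DMZ host that starts its own outbound connection follows the default route to outside2_test, where its (dmz,outside) static rule does not apply, so under the stated assumptions it would leave with its private source address. The model deliberately says nothing about reply traffic for inbound connections, since that depends on connection-state handling the thread does not discuss.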
