Solved: Re: ASA asymmetric routing dual ISP BGP RIPE addressing

mmoulson1 · ‎05-20-2020

Hi all,

Currently using an ASA pair for internet connectivity. I have 2 point to point circuits into 2 different ISP's. I have each configured on separate interfaces on the ASA. Which creates my first problem that I have multiple outside interfaces. So creating NAT rules etc I can only associate with a single interface.

The second problem is I am advertising a block of public address space to the ISP's, when I try to NAT out using one of the addresses I can see the return traffic is hitting the other interface for the other ISP and getting blocked "Inbound TCP connection denied from". I found some information on TCP state bypass but other conflicting information saying this would not fix this problem. I tried but it didn't for me.

I am wondering if there is any way to fix this on the ASA or if really I need something to sit in front of the ASA to terminate the point to point connections and do the BGP advertising to both ISP's. I can then configure a single outside interface on the ASA with my public address block. Therefore traffic would always ingress/egress the ASA via the same interface regardless of which ISP received it.

Thanks in advance.

ngkin2010 · ‎05-20-2020

Hi,

You may try this, and kindly let us know the result.

zone outside

interface Gi0/0
  nameif out1
  zone-member outside
  ip address <ISP-LINK1>

interface Gi0/1
  nameif out2
  zone-member outside
  ip address <ISP-LINK2>

nat (inside, out1) source dynamic any <PAT_RANGE>
nat (inside, out2) source dynamic any <PAT_RANGE>

Here is my test result:

ciscoasa(config)# show capture outbound

5 packets captured

 1: 15:09:37.807850      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 2: 15:09:37.809482      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 3: 15:09:37.810871      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 4: 15:09:37.812351      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 5: 15:09:37.814121      9.9.9.9 > 8.8.8.8 :   icmp: echo request
5 packets shown
ciscoasa(config)# show capture inbound

 1: 15:09:37.808429      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 2: 15:09:37.810031      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 3: 15:09:37.811405      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 4: 15:09:37.812992      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 5: 15:09:37.814777      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
5 packets shown

ciscoasa(config)#  show conn all
<...>
ICMP outside:out1(out1) 8.8.8.8:9 inside  172.16.0.2:24, idle 0:00:00, bytes 8928, flags
<...>

TCP will work as well, not need to bypass tcp.

Ref: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-zones.html

Here is how was I simulate asymmetric routing:

router bgp 65003
  address-family ipv4 unicast
    neighbor 192.168.0.1 remote-as 65001
    neighbor 192.168.0.1 activate
    neighbor 192.168.0.1 weight 200
    neighbor 192.168.0.1 route-map AS-self out
    neighbor 192.168.0.5 remote-as 65002
    neighbor 192.168.0.5 activate
    neighbor 192.168.0.5 route-map AS-self out
    network 9.9.9.0 mask 255.255.255.0
  exit
!

View solution in original post

ngkin2010 · ‎05-20-2020

Hi,

You may try this, and kindly let us know the result.

zone outside

interface Gi0/0
  nameif out1
  zone-member outside
  ip address <ISP-LINK1>

interface Gi0/1
  nameif out2
  zone-member outside
  ip address <ISP-LINK2>

nat (inside, out1) source dynamic any <PAT_RANGE>
nat (inside, out2) source dynamic any <PAT_RANGE>

Here is my test result:

ciscoasa(config)# show capture outbound

5 packets captured

 1: 15:09:37.807850      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 2: 15:09:37.809482      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 3: 15:09:37.810871      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 4: 15:09:37.812351      9.9.9.9 > 8.8.8.8 :   icmp: echo request
 5: 15:09:37.814121      9.9.9.9 > 8.8.8.8 :   icmp: echo request
5 packets shown
ciscoasa(config)# show capture inbound

 1: 15:09:37.808429      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 2: 15:09:37.810031      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 3: 15:09:37.811405      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 4: 15:09:37.812992      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
 5: 15:09:37.814777      8.8.8.8 > 9.9.9.9 :   icmp: echo reply
5 packets shown

ciscoasa(config)#  show conn all
<...>
ICMP outside:out1(out1) 8.8.8.8:9 inside  172.16.0.2:24, idle 0:00:00, bytes 8928, flags
<...>

TCP will work as well, not need to bypass tcp.

Ref: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-zones.html

Here is how was I simulate asymmetric routing:

router bgp 65003
  address-family ipv4 unicast
    neighbor 192.168.0.1 remote-as 65001
    neighbor 192.168.0.1 activate
    neighbor 192.168.0.1 weight 200
    neighbor 192.168.0.1 route-map AS-self out
    neighbor 192.168.0.5 remote-as 65002
    neighbor 192.168.0.5 activate
    neighbor 192.168.0.5 route-map AS-self out
    network 9.9.9.0 mask 255.255.255.0
  exit
!

mmoulson1 · ‎05-20-2020

Many thanks for taking the time to reply.

Unfortunately when I try to add one of the outside interfaces to the zone I get the error: "Interface with crypto features enabled can't be part of zone"

I am currently using AnyConnect VPN to the outside. I've not had opportunity to search up on the above error to see if there is a work around but I will do. Or maybe disable the AnyConnect temporally to test.

mmoulson1 · ‎05-22-2020

To confirm I disabled AnyConnect to apply the zone configuration and everything worked as expected.

As I want to be able to use AnyConnect and potentially create some S2S VPN's in the future I decided to change my topology and move my ISP connections out to another device. The ASA now has a single outside interface and I think it makes more sense to configure things in this way.

Whoops · ‎04-04-2022

Thanks. It helps in bgp with 2 ISPs.