05-20-2020 04:02 AM
Hi all,
Currently using an ASA pair for internet connectivity. I have 2 point-to-point circuits into 2 different ISPs, each configured on a separate interface on the ASA. This creates my first problem: I have multiple outside interfaces, so when creating NAT rules etc. I can only associate them with a single interface.
The second problem is that I am advertising a block of public address space to both ISPs. When I try to NAT out using one of those addresses, I can see the return traffic hitting the other interface (for the other ISP) and getting blocked with "Inbound TCP connection denied from". I found some information on TCP state bypass, but other, conflicting information says this would not fix the problem. I tried it, but it didn't work for me.
I am wondering if there is any way to fix this on the ASA, or if I really need something to sit in front of the ASA to terminate the point-to-point connections and do the BGP advertising to both ISPs. I could then configure a single outside interface on the ASA with my public address block, so traffic would always ingress/egress the ASA via the same interface regardless of which ISP received it.
Thanks in advance.
05-20-2020 08:15 AM - edited 05-20-2020 09:28 AM
Hi,
You may try this, and kindly let us know the result.
zone outside
interface Gi0/0
 nameif out1
 zone-member outside
 ip address <ISP-LINK1>
interface Gi0/1
 nameif out2
 zone-member outside
 ip address <ISP-LINK2>
nat (inside, out1) source dynamic any <PAT_RANGE>
nat (inside, out2) source dynamic any <PAT_RANGE>
Here is my test result:
ciscoasa(config)# show capture outbound
5 packets captured
   1: 15:09:37.807850 9.9.9.9 > 8.8.8.8: icmp: echo request
   2: 15:09:37.809482 9.9.9.9 > 8.8.8.8: icmp: echo request
   3: 15:09:37.810871 9.9.9.9 > 8.8.8.8: icmp: echo request
   4: 15:09:37.812351 9.9.9.9 > 8.8.8.8: icmp: echo request
   5: 15:09:37.814121 9.9.9.9 > 8.8.8.8: icmp: echo request
5 packets shown
ciscoasa(config)# show capture inbound
   1: 15:09:37.808429 8.8.8.8 > 9.9.9.9: icmp: echo reply
   2: 15:09:37.810031 8.8.8.8 > 9.9.9.9: icmp: echo reply
   3: 15:09:37.811405 8.8.8.8 > 9.9.9.9: icmp: echo reply
   4: 15:09:37.812992 8.8.8.8 > 9.9.9.9: icmp: echo reply
   5: 15:09:37.814777 8.8.8.8 > 9.9.9.9: icmp: echo reply
5 packets shown
ciscoasa(config)# show conn all
<...>
ICMP outside:out1(out1) 8.8.8.8:9 inside 172.16.0.2:24, idle 0:00:00, bytes 8928, flags <...>
TCP will work as well; no need for TCP state bypass.
Here is how I simulated asymmetric routing:
router bgp 65003
 address-family ipv4 unicast
  neighbor 192.168.0.1 remote-as 65001
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.1 weight 200
  neighbor 192.168.0.1 route-map AS-self out
  neighbor 192.168.0.5 remote-as 65002
  neighbor 192.168.0.5 activate
  neighbor 192.168.0.5 route-map AS-self out
  network 9.9.9.0 mask 255.255.255.0
 exit
!
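The answer above hinges on one mechanism: a stateful firewall ties each connection to the interface it expects the return traffic on, so a SYN-ACK that arrives on out2 for a flow that left via out1 finds no connection and is denied, while a traffic zone lets the connection be matched on any member interface. The following toy model, added here as an illustration and not ASA code or anything posted in this thread, shows that lookup with and without a zone. It deliberately omits NAT, ACLs and TCP sequence checking, and the host addresses, ports and log wording are constructed for the example.

```python
"""Toy model of a stateful firewall's connection lookup, added as an
illustration for this thread (not ASA code). A connection is recorded in
both directions, and each direction is keyed by the "side" it is expected
on: the ingress interface name, or, for interfaces that belong to a traffic
zone, the zone name. That one difference is what decides whether a reply
arriving on a different ISP interface matches the existing connection."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample addresses (not from the thread's capture).
INSIDE_HOST = "172.16.0.2"
REMOTE = "8.8.8.8"


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # True for a bare SYN, the first packet of a TCP flow


class StatefulFirewall:
    def __init__(self, zones: Optional[Dict[str, Set[str]]] = None) -> None:
        # zones maps a zone name to its member interfaces, e.g. {"outside": {"out1", "out2"}}
        self.iface_zone: Dict[str, str] = {}
        for zone, members in (zones or {}).items():
            for iface in members:
                self.iface_zone[iface] = zone
        self.conns: Set[Tuple] = set()
        self.log: List[str] = []

    def side(self, iface: str) -> str:
        """Zone-member interfaces are tracked by zone, all others by interface."""
        return self.iface_zone.get(iface, iface)

    def forward(self, p: Packet, egress: str) -> bool:
        """Return True if the packet is allowed through, False if denied.
        egress is the interface routing picked for this packet; it fixes the
        side on which the return traffic is expected."""
        key = (self.side(p.ingress), p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            return True  # matches an existing connection
        if p.proto == "tcp" and p.syn_only and p.ingress == "inside":
            # New outbound flow: record the forward key and the reversed
            # tuple bound to the side of the egress interface.
            self.conns.add(key)
            self.conns.add((self.side(egress), p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        self.log.append(
            f"Inbound {p.proto.upper()} connection denied from {p.src}/{p.sport} "
            f"to {p.dst}/{p.dport} on interface {p.ingress}")
        return False


def run_asymmetric_flow(zones: Optional[Dict[str, Set[str]]]) -> List[bool]:
    """SYN leaves via out1, SYN-ACK comes back on out2. Returns the two verdicts."""
    fw = StatefulFirewall(zones)
    syn = Packet("inside", "tcp", INSIDE_HOST, 40000, REMOTE, 443, syn_only=True)
    syn_ack = Packet("out2", "tcp", REMOTE, 443, INSIDE_HOST, 40000)
    return [fw.forward(syn, egress="out1"), fw.forward(syn_ack, egress="inside")]


def run_symmetric_flow() -> List[bool]:
    """Same flow, but the SYN-ACK returns on out1; no zone needed."""
    fw = StatefulFirewall()
    syn = Packet("inside", "tcp", INSIDE_HOST, 40000, REMOTE, 443, syn_only=True)
    syn_ack = Packet("out1", "tcp", REMOTE, 443, INSIDE_HOST, 40000)
    return [fw.forward(syn, egress="out1"), fw.forward(syn_ack, egress="inside")]


if __name__ == "__main__":
    print("separate interfaces :", run_asymmetric_flow(None))
    print("out1+out2 in a zone :", run_asymmetric_flow({"outside": {"out1", "out2"}}))
```

In the model the SYN-ACK is dropped without a zone and accepted with one, which is the behaviour the capture and `show conn` output above demonstrate (the `outside:out1(out1)` conn entry is keyed by zone). The model also makes the caveat visible: zones only widen the lookup to the member interfaces, so the return traffic still has to arrive on an interface in the same zone as the egress interface.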
05-20-2020 10:56 AM
Many thanks for taking the time to reply.
Unfortunately, when I try to add one of the outside interfaces to the zone I get the error: "Interface with crypto features enabled can't be part of zone".
I am currently using AnyConnect VPN on the outside interface. I've not had an opportunity to look up the above error to see if there is a workaround, but I will do so. Or maybe I will disable AnyConnect temporarily to test.
05-22-2020 03:10 AM
To confirm I disabled AnyConnect to apply the zone configuration and everything worked as expected.
As I want to be able to keep using AnyConnect and potentially create some S2S VPNs in the future, I decided to change my topology and move my ISP connections out to another device. The ASA now has a single outside interface, and I think it makes more sense to configure things this way.
04-04-2022 08:35 AM
Thanks. It helps in bgp with 2 ISPs.