1524 Views · 1 Helpful · 7 Replies

ASA Dual WAN Configuration Primary WAN Static Secondary WAN DHCP

keithcclark71 (Level 3)

I am sure this has been asked, but I am not sure why my config is not working. I believe it should be. The setup is as follows (public IP last 3 octets masked):

ASA ISP1: static, GB port 4, 69.*.*.*, interface name Outside-New
ASA ISP2: GB port 5, DHCP 192.168.0.152, hard-wired to Verizon 5G puck WiFi LAN port 192.168.0.1 (WiFi only), interface name VZWIFI

Source ping from VZWIFI to 8.8.8.8: success

SLA and NAT config shown in attachments. The UW-LAN (192.168.13.0) subnet is what needs to switch to ASA ISP2 when ISP1 goes down, but this is not working when I unplug ISP1.

I know this would be a double NAT, but there is really no need for port forwarding etc. off this secondary connection; the 192.168.13.0 subnet just needs basic internet browsing. I was thinking of trying to set the Verizon puck gateway to be that of the ASA 192.168.0.152 DHCP-assigned interface, but if that changed I'd have to change the puck gateway again, etc. Any ideas what I am doing wrong here??


7 Replies

balaji.bandi (Hall of Fame)

As per the information, that should work as expected per the screenshot. If you are looking for more help, check the troubleshooting steps in the guide below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

Post the show run from the ASA here (removing sensitive data).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2023.10.14 12:12:59 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved

:
:
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2417 MHz, 1 CPU (8 cores)
:
ASA Version 9.15(1)1
!
hostname UW-ASA
domain-name *****
enable password ***** encrypted
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
names
no mac-address auto
ip local pool VPN_DHCP 192.168.237.100-192.168.237.150 mask 255.255.255.0


!
interface GigabitEthernet1/5
nameif VZWIFI
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/6
mac-address 0024.14d3.7b3e
nameif Outside-NEW
security-level 0
ip address 69.*.*.* 255.255.255.248
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa9-15-1-1-lfbff-k8.SPA
boot system disk0:/asa9-14-2-4-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup UW-LAN
dns domain-lookup Public-WiFi
dns domain-lookup Outside-NEW
dns server-group DefaultDNS
name-server 192.168.13.48
domain-name ******
same-security-traffic permit inter-interface
object network Public-WiFi-subnet
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.237.0_24
subnet 192.168.237.0 255.255.255.0
object network NETWORK_OBJ_192.168.13.0_24
subnet 192.168.13.0 255.255.255.0
object network UW-LAN-subnet
subnet 192.168.13.0 255.255.255.0
object network DUO-Server
host 172.17.13.23
description DUO MFA Server
object network DMZ-Network
subnet 172.17.13.0 255.255.255.0
object network AD1
host 192.168.13.48
object network Guest-WIFI
subnet 10.10.10.0 255.255.255.0
description Guest-WIFI
object network Tenant-20
subnet 192.168.20.0 255.255.255.0
description Tenant-20
object network Finance1-MFC
host 192.168.13.40
description Printer
object network Finance2
host 192.168.13.41
object network ABC-ICC
subnet 192.168.30.0 255.255.255.0
description Tenant-30
object service DNS
service udp destination eq domain
object network Check_Printer
host 192.168.13.33
object network Basement
host 192.168.13.31
description Basementy Printer
object network CircularStairsBottom
host 192.168.13.44
object network Executive
host 192.168.13.218
description Executive Printyer
object network TexacoGlass
host 192.168.13.88
object network VZWIFISubnet
subnet 192.168.0.0 255.255.255.0
description VZ WIFI PUCK LAN IP SUBNET
object network VZWIFIGATEWAY
host 192.168.0.1
description VZWIFI PUCK GATEWAY SECONDARY WAN
object network VZWIFIBackup
subnet 192.168.0.0 255.255.255.0
description VZ Wifi Puck backup WAN
object network UW-LAN-SUBNET
host 192.168.13.0
object-group network DomainControllers
network-object object AD1
object-group network DM_INLINE_NETWORK_2
network-object object Finance1-MFC
network-object object Finance2
network-object object Check_Printer
object-group network UW-PRINTERS
network-object object Basement
network-object object CircularStairsBottom
network-object object Executive
network-object object Finance1-MFC
network-object object Finance2
network-object object TexacoGlass
access-list split standard permit 192.168.13.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list Outside-NEW_access_in extended permit tcp any object DUO-Server eq https inactive
access-list DMZ_access_in extended permit ip object DUO-Server object-group DomainControllers inactive
access-list DMZ_access_in extended deny ip any object NETWORK_OBJ_192.168.13.0_24
access-list DMZ_access_in extended permit ip any any
access-list HVAC extended permit ip 192.168.237.0 255.255.255.0 host 192.168.13.71 log debugging
access-list HVAC extended deny ip any any log debugging
access-list hvac extended permit ip host 192.168.13.71 any4 log
access-list Tenant-20_access_in extended permit ip any object-group UW-PRINTERS
access-list Tenant-20_access_in extended deny ip any 192.168.13.0 255.255.255.0
access-list Tenant-20_access_in extended permit ip any any
access-list UW-LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object Finance1-MFC
access-list UW-LAN_access_in extended permit ip object VZWIFISubnet any
access-list UW-LAN_access_in extended permit ip any any
access-list ABC-_access_in extended permit ip any object-group DM_INLINE_NETWORK_2
access-list ABC-_access_in extended deny ip any 192.168.13.0 255.255.255.0
access-list ABC-_access_in extended permit ip any any
access-list VZWIFI_access_in extended permit ip object UW-LAN-SUBNET any
access-list VZWIFI_access_in extended permit ip any any
no pager

mtu Outside 1500
mtu UW-LAN 1500
mtu ABC-EDF 1500
mtu ABC-ICC 1500
mtu DMZ 1500
mtu Public-WiFi 1500
mtu Guest-WIFI 1500
mtu VZWIFI 1500
mtu Outside-NEW 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface ABC-EDF
no monitor-interface ABC-ICC
no monitor-interface DMZ
no monitor-interface Guest-WIFI
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

nat (UW-LAN,Outside-NEW) source static any any destination static NETWORK_OBJ_192.168.237.0_24 NETWORK_OBJ_192.168.237.0_24 no-proxy-arp route-lookup
nat (UW-LAN,Outside-NEW) source static NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24 destination static NETWORK_OBJ_192.168.237.0_24 NETWORK_OBJ_192.168.237.0_24 no-proxy-arp route-lookup
nat (UW-LAN,VZWIFI) source dynamic UW-LAN-SUBNET interface
!
object network Public-WiFi-subnet
nat (Public-WiFi,Outside-NEW) dynamic interface
object network UW-LAN-subnet
nat (UW-LAN,Outside-NEW) dynamic interface
object network DMZ-Network
nat (DMZ,Outside-NEW) dynamic interface
object network Guest-WIFI
nat (Guest-WIFI,Outside-NEW) dynamic interface
object network Tenant-20
nat (ABC-EDF,Outside-NEW) dynamic interface
object network ABC-ICC
nat (ABC-ICC,Outside-NEW) dynamic interface

access-group UW-LAN_access_in in interface UW-LAN
access-group Tenant-20_access_in in interface ABC-EDF
access-group ABC-ICC_access_in in interface ABC-ICC
access-group DMZ_access_in in interface DMZ
access-group VZWIFI_access_in in interface VZWIFI
access-group Outside-NEW_access_in in interface Outside-NEW
route Outside-NEW 0.0.0.0 0.0.0.0 69.193.59.201 1 track 1
route VZWIFI 0.0.0.0 0.0.0.0 192.168.0.1 253
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10


user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 5
aaa authentication login-history
http server enable 8443
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside-NEW
frequency 5
sla monitor schedule 1 life forever start-time now
service sw-reset-button

track 1 rtr 1 reachability

no ssh stricthostkeycheck
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 192.168.1.0 255.255.255.0 management
console timeout 5
management-access management
dhcp-client client-id interface VZWIFI


!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect snmp
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

UW-ASA#

 

I am wondering here: could this be due to my NAT rules being different? I am not understanding, per the attachments, why rule 6 is different than rule 9??? One says "NAT Rule" and the other one says "Network Object". Do I need to do network object NAT rather than a rule for the secondary WAN or something?

Long config to review; there are other issues in the config, but let's focus on getting the NAT and failover working.

Remove the lines below:

no nat (UW-LAN,VZWIFI) source dynamic UW-LAN-SUBNET interface

no object network UW-LAN-SUBNET   (this has a host entry, not a subnet)

Add the new one as below and test it:

object network UW-LAN-SUBNET

subnet 192.168.13.0 255.255.255.0

object network UW-LAN-SUBNET

nat (UW-LAN,VZWIFI) dynamic interface

 

Note: in the config I did not see a UW-LAN interface.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
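The accepted fix above, and the earlier question about why one rule shows as "NAT Rule" and another as "Network Object" (ASA twice NAT versus object NAT), can both be checked mechanically against a saved show run. The Python below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt modelled on the posted config (public addresses replaced with 203.0.113.x placeholders, tenant interfaces dropped), understands both NAT forms, and flags the defect the answer identifies, a NAT source object defined as `host 192.168.13.0` rather than a subnet, plus a few route sanity checks for a tracked primary default and a higher-metric backup. Object and interface names are the thread's; the `parse`/`lint` functions and the finding codes are assumptions of this example.

```python
"""Lint an ASA 'show run' excerpt for the NAT and failover pitfalls from this thread."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's config, not the poster's real file:
# public addresses replaced with TEST-NET-3 placeholders, tenant interfaces dropped.
CONFIG_BEFORE = """\
interface GigabitEthernet1/5
 nameif VZWIFI
 ip address dhcp setroute
!
interface GigabitEthernet1/6
 nameif Outside-NEW
 ip address 203.0.113.2 255.255.255.248
!
object network UW-LAN-subnet
 subnet 192.168.13.0 255.255.255.0
object network UW-LAN-SUBNET
 host 192.168.13.0
nat (UW-LAN,VZWIFI) source dynamic UW-LAN-SUBNET interface
!
object network UW-LAN-subnet
 nat (UW-LAN,Outside-NEW) dynamic interface
route Outside-NEW 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route VZWIFI 0.0.0.0 0.0.0.0 192.168.0.1 253
"""

# The accepted fix applied: drop the host object and the twice-NAT line, then
# recreate the object as a subnet with object NAT toward the backup interface.
CONFIG_AFTER = (
    CONFIG_BEFORE
    .replace("object network UW-LAN-SUBNET\n host 192.168.13.0\n", "")
    .replace("nat (UW-LAN,VZWIFI) source dynamic UW-LAN-SUBNET interface\n",
             "object network UW-LAN-SUBNET\n subnet 192.168.13.0 255.255.255.0\n"
             " nat (UW-LAN,VZWIFI) dynamic interface\n")
)

OBJ_SUBCMDS = ("subnet ", "host ", "range ", "fqdn ", "description ", "nat (")
NAT_RE = re.compile(r"nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)(?: source dynamic (?P<obj>\S+))?")
ROUTE_RE = re.compile(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)( track \d+)?")


def parse(cfg):
    """Return (objects, nat_rules, default_routes); indentation is ignored."""
    objects, nat_rules, routes = {}, [], []
    current = iface = None      # enclosing 'object network' / 'interface' context
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, None)
            continue
        if current and line.startswith(("subnet ", "host ")):
            objects[current] = tuple(line.split()[:2])       # (kind, address)
            continue
        if not line.startswith(OBJ_SUBCMDS):
            current = None
        m = NAT_RE.match(line)
        if m:
            if " source " in line and not m.group("obj"):
                continue                                     # static twice NAT, not checked
            # twice NAT names its object; object NAT takes the enclosing object
            nat_rules.append((m.group("src"), m.group("dst"), m.group("obj") or current))
        elif line.startswith("interface "):
            iface = None
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line == "ip address dhcp setroute" and iface:
            routes.append((iface, None, False))              # DHCP-learned default
        elif (r := ROUTE_RE.match(line)):
            routes.append((r.group(1), int(r.group(2)), bool(r.group(3))))
    return objects, nat_rules, routes


def lint(cfg):
    """Return findings as 'CODE: detail' strings; an empty list means nothing flagged."""
    objects, nat_rules, routes = parse(cfg)
    findings = []
    routed = {r[0] for r in routes}
    for src_if, dst_if, obj in nat_rules:
        defn = objects.get(obj)
        if defn is None:
            findings.append(f"NAT-OBJ: ({src_if},{dst_if}) references undefined object {obj}")
        elif defn[0] == "host" and defn[1].endswith(".0"):
            findings.append(f"NAT-HOST: ({src_if},{dst_if}) source {obj} is 'host {defn[1]}', "
                            "a single address, so LAN clients never match this rule")
        if dst_if not in routed:
            findings.append(f"ROUTE-MISSING: no default route out {dst_if}; NAT there is unreachable")
    static = sorted((r for r in routes if r[1] is not None), key=lambda r: r[1])
    if len(static) < 2:
        findings.append("ROUTE-BACKUP: fewer than two static default routes, no failover possible")
    else:
        primary, backup = static[0], static[1]
        if not primary[2]:
            findings.append(f"ROUTE-UNTRACKED: primary default via {primary[0]} has no 'track', "
                            f"so the backup via {backup[0]} is never installed")
        if primary[1] == backup[1]:
            findings.append("ROUTE-METRIC: primary and backup default routes share one metric")
    by_lower = defaultdict(set)
    for name in objects:
        by_lower[name.lower()].add(name)
    for names in by_lower.values():
        if len(names) > 1:
            findings.append("NAME-CASE: objects differ only by case: " + ", ".join(sorted(names)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_AFTER)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["(nothing flagged)"]:
            print(" ", f)
```

Run as a script it prints the findings for both versions: before the fix the VZWIFI rule is flagged because its source object is a single host, after the fix only the NAME-CASE note remains (UW-LAN-subnet and UW-LAN-SUBNET both exist in the posted config and are easy to mix up). The checks are text heuristics over the config, not a simulation of how the ASA evaluates NAT or installs routes, so a clean result still needs the real test of pulling the primary link.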

Thanks. Is there any way to simulate/test the failover without actually unplugging the main primary WAN?

Thanks man, I just got back to this and it works great.

I sent you a message, check it.
