09-20-2016 01:37 AM - edited 03-12-2019 01:17 AM
Dear Team,
I have an ASA 5515-X Firepower firewall running version 9.2. Currently we are planning to move from our existing ASA 5510 to the ASA 5515-X version 9.2. We are using two different subnets from the same ISP. The same setup was working fine on the ASA 5510 version 8.2, but when we deployed it on the new 5515-X firewall version 9.2, it is not working.
Currently we use two different subnets of public IPs, 195.39.178.xx and 62.150.xx.xx. When I use a 195.39.178.x IP on the outside, I can reach the internet from inside to outside. But when I use a 62.150.x.x IP on the outside, I cannot reach the internet.
Please provide me a solution for the problem, and let me know if any inputs are required from my side.
Thanks in advance
09-20-2016 08:58 PM
Hi jafrulla1986,
How are you testing the traffic when trying to use the interface 62.150.x.x? Is this supposed to be a backup interface?
You can attach the following information:
sh run route
sh route
sh run nat
Hope this info helps!!
Rate if helps you!!
-JP-
09-24-2016 09:23 PM
Hi JP Miranda,
Please find the attached output. We use two different subnets, 195.x.x.x and 62.150.x.x. Traffic can reach the internet when I use a 195.x.x.x IP for NAT, but when I use 62.150.x.x I can't reach the internet. Currently I have an ASA 5510 in production, which works fine, but when I replace it with the new ASA 5515-X Firepower version 9.2, it is not working.
Please let me know if any other info is required.
09-24-2016 09:44 PM
Hi jafrulla1986,
I believe this is a NAT issue and also a routing issue. You can use the following NAT:
object network Outside1nat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,Outside1) dynamic interface
Make sure you remove this one first:
no nat (inside,Outside1) source static TEST TEST-VIP
Also, for the routing: considering this route, you are only allowing traffic to use Outside1 when going to 62.150.4.x, so if you are expecting Outside1 to work for internet traffic you need to create a default route to the Outside1 next hop:
route Outside1 0.0.0.0 0.0.0.0 62.150.4.x
Also, in order to test the backup interface you need to change the metric of the Outside route to a higher metric so that Outside1 takes precedence.
Normally in this type of scenario what you need is an IP SLA to monitor the link on Outside, so that when this one is down Outside1 takes over:
IP SLA config:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
Hope this info helps!!
Rate if helps you!!
-JP-
09-24-2016 10:05 PM
Dear JP Miranda,
Thanks for the response. I will explain the scenario of my setup. We are running some services in the 62.150.x.x and 195.39.x.x ranges. Please find attached our existing firewall config.
When I use the same config in the new firewall, it works fine when I use a NAT IP in the 195.39 range. But if I use a 62.150.x.x IP for NAT, I am not able to reach the internet.
So I changed my scenario to use two different outside interfaces, one (Outside) for the 195.39.x.x range and another (Outside1) for the 62.150.x.x range.
My scenario is that whatever NAT IP I use (either 195.39.x.x or 62.150.x.x), I should reach the internet.
Note: we use the old subnet 62.150.x.x; as it got full, we bought another subnet, 195.39.x.x.
The condition is that I should reach from inside to outside and vice versa, as well as from DMZ to outside and vice versa, when I use any of the above mentioned IPs.
In my scenario, we use both static and dynamic NAT.
Please help me to fix the issue. Please let me know if any other info is required.
09-24-2016 10:08 PM
Hi JP Miranda,
Note: both subnets are from the same ISP. We don't have any backup ISP.
09-25-2016 08:11 PM
Hi jafrulla1986,
I was checking your old and new config and they are kind of different. When you say both interfaces are pointing to the same ISP, I guess that is fine, but you can't have all your traffic going through 2 different interfaces; that is the reason why I pointed this out as a backup interface. So if you check your old config you can see only one default route, on the outside interface:
route Outside 0.0.0.0 0.0.0.0 195.39.x.x 1
Now this default route represents a route that is going to be used as long as you don't have any other more specific route, so it is going to work for internet traffic without any problem. When you created a new interface with a different IP not part of the subnet 195.39.x.x, this one is not going to be reachable until you create a route pointing to the default gateway on 62.150.4.2.
The whole point here is that you can have both interfaces working as long as you are specific about the destination of the traffic, but if you are expecting these 2 interfaces to give you internet traffic at the same time, that is not going to be possible. That is the reason why I pointed out a backup interface with IP SLA, so you can have the 195.39.x.x working as primary and as soon as this one goes down the 62.150.x.x is going to take over all the traffic.
Keep in mind I am understanding that you are expecting to route internet traffic through 2 different interfaces at the same time using a default route pointing 0.0.0.0 0.0.0.0 to the next hop.
Hope this info helps!!
Rate if helps you!!
-JP-
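As an added illustration of the tracked primary/floating backup design described in the reply above (this is not either poster's configuration), here is the ASA 9.x command set it implies. The inside network 10.0.0.0/24, the probe target 8.8.8.8 and the SLA/track numbers are assumptions chosen for the example; 195.39.x.x stands for the Outside gateway exactly as it is masked in the thread, and 62.150.4.2 is the Outside1 gateway mentioned above.

```cisco
! Assumed inside network (not from the thread)
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
!
! Interface PAT on both outside interfaces. Manual (twice) NAT is used
! because one network object can carry only a single auto-NAT rule.
nat (inside,Outside) source dynamic INSIDE_NET interface
nat (inside,Outside1) source dynamic INSIDE_NET interface
!
! Probe an upstream address through Outside every 5 seconds.
! 8.8.8.8 is an assumed target; pick one the ISP always routes.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object follows the probe's reachability state
track 1 rtr 10 reachability
!
! Primary default route stays in the routing table only while track 1 is up.
! Replace 195.39.x.x with the real Outside gateway.
route Outside 0.0.0.0 0.0.0.0 195.39.x.x 1 track 1
!
! Floating backup route: higher metric, installed only when the primary is withdrawn
route Outside1 0.0.0.0 0.0.0.0 62.150.4.2 254
```

Verify with `show route` (only one default route should be present at a time), `show track 1` and `show sla monitor operational-state 10`. Two caveats a practitioner should keep in mind: when the primary route is withdrawn, existing connections translated to the Outside address are not migrated and will have to be re-established through Outside1; and because both ranges come from the same ISP, this protects against a failure of the Outside link or its gateway, not against an outage of the ISP itself.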