ASA NAT with dual uplinks - PBR?

soundmouse
Level 1

We have a failover pair of ASA5520's running 8.4.4, and we need to renumber our external connection from one ISP to another ISP.

I would like to do this in a stepwise way, i.e.

  • connect second ISP to spare interface (which we have)
  • move one service from old VIP to new VIP, changing the DNS at the same time
  • repeat until done

I don't mind 5 minutes of outage for each service while the DNS updates, but I don't want a "big bang" change. So ideally I'd want to have something like PBR where traffic to/from an old VIP defaultroutes via the old ISP, and traffic to/from a new VIP defaultroutes via the new ISP.

At https://supportforums.cisco.com/docs/DOC-6069 JouniForss said: "In the new ASA softwares 8.3+ there is however a chance to manipulate the ASA egress interface of specified source addresses and therefore for example forward some LAN networks traffic through another ISP while forwarding another LANs traffic through another ISP."

Does this work, and can someone point me to some documentation on this feature?

Reading through

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html

it doesn't seem to mention this possibility. Indeed it warns:

In Versions 7.0(1) and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA that is made from the higher metric interface fails, but connections to the ASA from the lower metric interface succeed as expected.


And I don't want to round-robin outbound traffic if the metrics are the same. What I want is if the packet source is a wan1 address then only use the wan1 defaultroute, and similarly for wan2.

I did consider using contexts, but unfortunately we also use IPSEC VPN. I read that 9.x does support contexts with IPSEC, but this would mean:

  • upgrade to 9.x; cross fingers that the config carries forward correctly
  • turn on contexts; cross fingers that the config carries forward correctly
  • use second context to connect to second ISP
  • change default routes for each back-end host to point to the second context as they migrate

The first two steps are more risky than I'd like.

Apart from that, I'm considering moving over to a temporary firewall (e.g. pfsense) and then migrating back to the ASA.

Is there any other way I should be looking at doing this with the ASA?

Thanks,

Brian.

2 Replies

Julio Carvajal
VIP Alumni

Hello,

So you can use two outside interfaces and then route traffic via the more specific or lowest administrative distance route, so if you know the destination you can definitely use the secondary outside interface.

Also here is an example I used a long time ago to send all HTTP traffic via the secondary outside interface:

nat (inside,outside1) 1 source static any interface destination static Any any service destination_HTTP destination_HTTP
nat (outside1,inside) source static any any service tcp_HTTP tcp_HTTP
!
object service tcp_HTTP
 service tcp source eq www
!
object service destination_HTTP
 service tcp destination eq www


So you can see the different options you have.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

I mentioned in that document also that this is NOT something that Cisco officially supports on the ASA, so it's a workaround at best to a situation where you want to simulate something like PBR.

Typically the ASA will only use one default route towards the default ISP, and even if you have a second ISP you can't route traffic to it at the same time without resorting to some kind of NAT configuration, both in the old and the new NAT format.

I wouldn't suggest this for a production environment in a long run BUT in your case it might handle the migration part. Then again, that might mean that when the migration is over you might want to redo the NAT configurations so that they are normal. Depending on your current network they might come pretty messy.

I have only tested this on my home lab for people asking for some kind of workaround on the ASA, since it doesn't support PBR officially.

Here are some configurations from one of my previous replies. It has both the configurations and "packet-tracer" tests to simulate the situation.

The reason why there are some strange "destination" parameters for the NAT configurations is that there was something different with the 8.4(x) and 9.x softwares that broke this behaviour without the "destination" parameters, so we had to define all the possible destination networks in their own "object-group".

I am not sure but I think you might need some extra NAT configurations on a higher priority before inserting these to prevent the situation where even traffic between your LAN networks might get forwarded to the Secondary/New ISP egress interface. Essentially (Policy) Identity NAT between local interface using Manual NAT.

So I booted one of my test ASA5520s to software 9.1(1) and did some testing with regards to using NAT configuration to determine the egress interface of the traffic.

I tried a few different setups and I managed to get one of them working. While a couple of tested configurations always resulted in the ASA doing a route lookup, the last one seemed to follow the NAT configuration definitions and not the route lookup/routing table.

So my lab setup is the following

  • Single ASA5520 9.1(1)
  • 2 WAN links
  • 1 LAN link

What I tried

  • Forward traffic to different WAN link depending on the LAN host IP address
  • Host 10.0.0.30 out of WAN-1 for all destination networks
  • Host 10.0.0.200 out of WAN-2 for all destination networks

I guess this configuration in particular doesn't help with the original poster's situation, but it does seem to help in a situation where you want to control the dual WAN link usage depending on the source IP address of the LAN host.

Here are the example NAT/interface/route configurations and "packet-tracer" output:

interface GigabitEthernet0/0
 description Primary ISP
 nameif WAN-1
 security-level 0
 ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Secondary ISP
 nameif WAN-2
 security-level 0
 ip address 192.168.102.2 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN
 nameif LAN
 security-level 100
 ip address 10.0.20.2 255.255.255.0
!
route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1
route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254
route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1
!
object network LAN-SOURCE-1
 host 10.0.0.30
object network LAN-SOURCE-2
 host 10.0.0.200
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL
nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL
Additional Information:
NAT divert to egress interface WAN-1
Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL
Additional Information:
Static translate 10.0.0.30/12345 to 10.0.0.30/12345

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-1) source static LAN-SOURCE-1 LAN-SOURCE-1 destination static ALL ALL
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-1
output-status: up
output-line-status: up
Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL
Additional Information:
NAT divert to egress interface WAN-2
Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL
Additional Information:
Static translate 10.0.0.200/12345 to 10.0.0.200/12345

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-2) source static LAN-SOURCE-2 LAN-SOURCE-2 destination static ALL ALL
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-2
output-status: up
output-line-status: up
Action: allow

This also works with setting the NAT to Dynamic Policy PAT instead of the above Identity NAT / NAT Exempt:

nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL
nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL

ASA(config)# packet-tracer input LAN tcp 10.0.0.30 12345 1.1.1.1 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL
Additional Information:
NAT divert to egress interface WAN-1
Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL
Additional Information:
Dynamic translate 10.0.0.30/12345 to 192.168.101.2/12345

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-1) source dynamic LAN-SOURCE-1 interface destination static ALL ALL
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-1
output-status: up
output-line-status: up
Action: allow

ASA(config)# packet-tracer input LAN tcp 10.0.0.200 12345 1.1.1.1 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL
Additional Information:
NAT divert to egress interface WAN-2
Untranslate 1.1.1.1/80 to 1.1.1.1/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL
Additional Information:
Dynamic translate 10.0.0.200/12345 to 192.168.102.2/12345

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-2) source dynamic LAN-SOURCE-2 interface destination static ALL ALL
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-2
output-status: up
output-line-status: up
Action: allow

I have linked this many times on the forums. Here is one discussion where I posted this (it also contains a link to another discussion):

https://supportforums.cisco.com/thread/2209874

Hope it helps

- Jouni
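The two replies above both rely on the same mechanism: a manual NAT rule whose destination is stated explicitly fixes the egress interface (the "NAT divert to egress interface" line in packet-tracer), and only traffic that matches no rule falls back to the routing table, where the two default routes are tied apart by metric. The following added example is a small Python model of that lookup order, written for this thread and not Cisco code or anything from the posts; it only approximates ASA behaviour. It encodes Jouni's lab rules and routes as posted, a Julio-style rule that selects the link by destination port, and the caveat Jouni raises about LAN-to-LAN traffic: without a higher-priority identity NAT, a packet from 10.0.0.30 to another local subnet also matches the `destination static ALL ALL` rule and is diverted to WAN-1. The `10.0.30.0/24` subnet, `LAN_NETS` group, `inside`/`outside1` interface names and all sample addresses are constructed for the example.

```python
"""
Constructed model of the ASA "NAT decides the egress interface" workaround
discussed in the thread. Not ASA code; it approximates the behaviour seen in
the packet-tracer output: manual NAT rules are evaluated top-down, the first
match fixes the egress interface, and a packet that matches no rule falls
back to a routing-table lookup (longest prefix, then lowest metric).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def net(s: str) -> IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class NatRule:
    ingress: str                     # "real" interface in nat (real,mapped)
    egress: str                      # "mapped" interface in nat (real,mapped)
    src: List[IPv4Network]           # real source object(s)
    dst: List[IPv4Network]           # explicit destination object(s), not "any"
    dst_port: Optional[int] = None   # optional destination service match
    name: str = ""


@dataclass
class Route:
    iface: str
    prefix: IPv4Network
    metric: int


# object-group ALL from the post: two /1 subnets that together cover all of IPv4
ALL = [net("0.0.0.0/1"), net("128.0.0.0/1")]
# constructed: local networks that must never be diverted out of a WAN link
LAN_NETS = [net("10.0.0.0/24"), net("10.0.20.0/24"), net("10.0.30.0/24")]

LAB_ROUTES = [
    Route("WAN-1", net("0.0.0.0/0"), 1),
    Route("WAN-2", net("0.0.0.0/0"), 254),
    Route("LAN", net("10.0.0.0/24"), 1),
    Route("LAN", net("10.0.30.0/24"), 1),     # constructed second LAN subnet
]

# the two manual NAT rules exactly as posted (identity NAT, explicit destination)
LAB_RULES = [
    NatRule("LAN", "WAN-1", [net("10.0.0.30/32")], ALL, name="LAN-SOURCE-1 -> WAN-1"),
    NatRule("LAN", "WAN-2", [net("10.0.0.200/32")], ALL, name="LAN-SOURCE-2 -> WAN-2"),
]

# the higher-priority LAN-to-LAN identity NAT Jouni suggests inserting first
LAN_IDENTITY = NatRule("LAN", "LAN", LAN_NETS, LAN_NETS, name="LAN identity NAT")

# Julio's style of rule: choose the link by destination service rather than source host
HTTP_VIA_OUTSIDE1 = NatRule("inside", "outside1", [net("0.0.0.0/0")], ALL,
                            dst_port=80, name="all HTTP -> outside1")


def covers(nets: List[IPv4Network], ip: ipaddress.IPv4Address) -> bool:
    return any(ip in n for n in nets)


def route_lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    # longest prefix wins; between equal prefixes the lowest metric wins,
    # which is why only the WAN-1 default route is ever used for unmatched hosts
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.iface


def egress_interface(rules: List[NatRule], routes: List[Route], ingress: str,
                     src_ip: str, dst_ip: str, dst_port: Optional[int] = None
                     ) -> Tuple[Optional[str], str]:
    """Return (egress interface, reason) for one packet, first matching rule wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.ingress != ingress:
            continue
        if not (covers(rule.src, src) and covers(rule.dst, dst)):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.egress, f"NAT divert ({rule.name})"
    return route_lookup(routes, dst), "route lookup"


if __name__ == "__main__":
    for host in ("10.0.0.30", "10.0.0.200", "10.0.0.50"):
        print(host, "-> 1.1.1.1:80 :", egress_interface(LAB_RULES, LAB_ROUTES, "LAN", host, "1.1.1.1", 80))
    # the LAN-to-LAN caveat, before and after the identity NAT is put on top
    print("no identity NAT :", egress_interface(LAB_RULES, LAB_ROUTES, "LAN", "10.0.0.30", "10.0.30.10", 445))
    print("identity NAT    :", egress_interface([LAN_IDENTITY] + LAB_RULES, LAB_ROUTES, "LAN", "10.0.0.30", "10.0.30.10", 445))
```

The model is deliberately one-directional (LAN to WAN); it does not simulate the return-traffic rule Julio adds for the reverse direction, nor the `route-lookup` NAT option, so treat it as a way to reason about rule order before touching a real box, then confirm with `packet-tracer` as Jouni does.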
