07-05-2022 07:54 AM
I have a problem that I don't know what else to do. Can you help me?
In my environment I have 2 ISP links, the main one and redundancy.
I changed the operator of the redundancy link.
I connected the router to the ASA, deleted the old routes from this interface, changed the name, IP and mask. Then I created the static route again with the new gateway.
Through ASDM > Tools > Ping, on this ISP's interface I can ping the router, but I don't have an output for 8.8.8.8.
I put a notebook directly on the router and the ping is ok, but apparently the ASA is not coming out.
The NAT rules I didn't change because there was no change. But the thing is, not even the ASA itself is going out through this ISP.
07-06-2022 11:17 AM
Confirmed. The ASA does not communicate over another internet interface when the main one has a lower metric. That's why the ping test through the backup interface didn't work.
Thanks for the support.
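The route-selection behaviour confirmed in this post, as an added example that is not part of the original thread and not Cisco's code: a small Python model of how the ASA picks an egress route (longest prefix match first, then lowest administrative distance, which ASDM shows as the route "metric"). The interface names, gateway addresses and distances below are constructed for the example. It shows why a ping to the backup router succeeds (connected route, longer prefix) while a ping to 8.8.8.8 still leaves via the primary link even when the backup interface is named as the source, and that withdrawing the primary route or raising its distance, as suggested for the test later in the thread, moves the traffic to the backup.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network, e.g. "0.0.0.0/0"
    gateway: Optional[str]  # next hop; None for a connected route
    interface: str       # egress interface (ASA nameif)
    distance: int        # administrative distance ("metric" in ASDM)


# Constructed routing table resembling the thread's setup:
# two default routes, primary with distance 1 and backup with distance 100,
# plus the two connected transit networks (hypothetical addresses).
TABLE: List[Route] = [
    Route("203.0.113.0/30", None, "outside-primary", 0),
    Route("198.51.100.0/30", None, "outside-backup", 0),
    Route("0.0.0.0/0", "203.0.113.1", "outside-primary", 1),
    Route("0.0.0.0/0", "198.51.100.1", "outside-backup", 100),
]


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance),
    )


def egress_for_ping(table: List[Route], dst: str,
                    source_interface: Optional[str] = None) -> Optional[str]:
    """Egress interface for a ping to dst.

    Naming a source interface (as ASDM > Tools > Ping does) sets the source
    address but does not override the routing decision, which is the point
    confirmed in the thread.
    """
    route = best_route(table, dst)
    return None if route is None else route.interface


def withdraw(table: List[Route], interface: str) -> List[Route]:
    """Routing table after an interface goes down (its routes are removed)."""
    return [r for r in table if r.interface != interface]


def reprioritize(table: List[Route], interface: str,
                 new_distance: int) -> List[Route]:
    """Routing table after changing the distance of an interface's default route
    (the 'for TEST only' change suggested in the thread)."""
    return [
        Route(r.prefix, r.gateway, r.interface, new_distance)
        if r.interface == interface and r.prefix == "0.0.0.0/0" else r
        for r in table
    ]


if __name__ == "__main__":
    print("ping backup router from backup:",
          egress_for_ping(TABLE, "198.51.100.1", "outside-backup"))
    print("ping 8.8.8.8 from backup:",
          egress_for_ping(TABLE, "8.8.8.8", "outside-backup"))
    print("primary down:",
          egress_for_ping(withdraw(TABLE, "outside-primary"), "8.8.8.8"))
    print("primary distance raised to 200:",
          egress_for_ping(reprioritize(TABLE, "outside-primary", 200), "8.8.8.8"))
```

On a real ASA, the equivalent production fix is to track the primary route with an IP SLA so it is withdrawn automatically when the primary ISP fails; the model above only shows the selection logic that makes the backup route inactive while the primary one is present.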
07-05-2022 07:59 AM - edited 07-05-2022 08:00 AM
if you changed interface names, IP addresses too, better check NAT configurations again.
also share some screen captures of routing and NAT to get an idea.
07-05-2022 08:53 AM
07-05-2022 09:03 AM
your captures seem ok. but i noticed 2 points.
1. your route priority is 100. check if you have any other default routes with less priority than 100. if so you need to make sure primary ISP has lower priority than backup ISP.
2. there are more NAT statements in the background. check if your packet hits top NATs before it hits the correct one.
also use the packet tracer option to simulate traffic and see whether traffic is being blocked by ACL or any other step.
07-05-2022 08:02 AM
friend
after you check the ACL and NAT "in NAT please add route-lookup"; if not successful then
you need to add the floating timeout command, please see the link below.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html
07-05-2022 09:05 AM
How would I check the ACL?
My case was with the backup link, so the route metric was the highest.
From what I understand in that link you shared, it would be for the lowest metric routes. Isn't that it?
07-05-2022 09:36 AM
as mentioned above, since the config of the route is OK you still need NAT
please select "object network" NAT rule
and then config dynamic NAT
07-05-2022 12:01 PM
I redid the NAT rule the way you instructed but nothing changed.
The ASA shouldn't be unable to PING out even without the NAT rule (if it was a NAT problem).
Using packet capture for the interface I can see some requests. I contacted the ISP operator and they managed to ping the IP I put. So it looks like the configuration from outside to the ASA is ok.
It seems to me that something was tied up but I can't identify what it is.
07-05-2022 10:33 AM
Can you share cli config?
07-05-2022 12:02 PM
what would be the best way to do this?
07-05-2022 01:09 PM
you need telnet to the ASA to access the cli
also
this link is helpful for you
07-05-2022 02:33 PM
I noticed from my monitoring that PRTG flags as the link up.
Apparently the ASA is not going out through the backup link as the main one is active, even though I force the ping through the backup interface.
I'll check a good time to take the main link down to confirm if the backup will take over by the ASA.
07-05-2022 03:09 PM
Yes but for TEST only change the metric of primary route to be higher than the backup route.