08-20-2013 06:51 AM - edited 03-11-2019 07:28 PM
Hello all. I have recently started working with our ASA 5510 and have learned a lot in the past few weeks. I most recently have updated our IOS from 7.0 to 8.22 and started setting up some QoS.
Our setup has two WANs (6.6.6.6 and 2.2.2.2). 2.2.2.2 is our newer ISP used for almost everything; 6.6.6.6 is the legacy ISP used for incoming connections (VPN, testing servers, etc.).
All I want to do is manually switch over a subnet to use the legacy ISP in case of an emergency; it doesn't need to be automated. I thought that just changing the pointer on the "nat" statement from "30" to "10" on, say, the "wguest" network would push the wguest traffic out of the "outside" interface, but in reality I cannot get this to work. After spending all day on this yesterday I am seeking some help. Here is the pertinent information from the config. Can anyone explain the procedure to change the "wguest" network to use the "outside" interface for WAN? Thank you!
interface Ethernet0/0
nameif outside
security-level 0
ip address 6.6.6.6 255.255.255.0
!
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.2
vlan 10
nameif wguest
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 11
nameif woffice
security-level 100
ip address 10.11.1.1 255.255.255.0
!
interface Ethernet0/2
nameif NewISP
security-level 100
ip address 2.2.2.2 255.255.255.0
global (outside) 10 interface
global (NewISP) 30 interface
nat (inside) 30 0.0.0.0 0.0.0.0
nat (wguest) 30 10.10.1.0 255.255.255.0
nat (woffice) 30 10.11.1.0 255.255.255.0
!
08-20-2013 08:19 AM
Hi,
For outbound connections there are to my understanding a couple of options to handle choosing the ISP interface of the ASA.
The officially supported way is to use the Dual ISP where the Main ISP is active as long as the tracked active route is working. If not, it will fail to the other ISP. This essentially means that you can't have 2 default gateways active at the same time for the hosts on your LAN.
The unofficial way to utilize 2 ISP links on the ASA for outbound connections would be to use newer software and use NAT to manipulate the ASA's routing decision to mimic a PBR-like operation (Policy Based Routing).
- Jouni
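For reference, here is the tracked-route Dual ISP configuration Jouni describes, applied to the interface names and addresses from the original post. This is an added example, not configuration from the thread; the next-hop gateways (2.2.2.1, 6.6.6.1) and the probe target (8.8.8.8) are assumptions, as the post does not give them.

```cisco
! Probe an address reachable only via the primary ISP (NewISP).
! 8.8.8.8 is an assumed probe target; pick one your ISP contract allows you to ping.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface NewISP
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track reachability of the probe; the default route below is withdrawn when it fails.
track 1 rtr 10 reachability
!
! Primary default route (metric 1) is installed only while track 1 is up.
! 2.2.2.1 is an assumed next hop on the NewISP segment.
route NewISP 0.0.0.0 0.0.0.0 2.2.2.1 1 track 1
!
! Floating backup default route via the legacy ISP (metric 254).
! 6.6.6.1 is an assumed next hop on the outside segment.
route outside 0.0.0.0 0.0.0.0 6.6.6.1 254
!
! In 8.2-style NAT the nat ID must match a global on whichever interface
! the packet actually egresses. The post's config only has global ID 30 on
! NewISP, so after failover traffic tagged nat ID 30 would find no global
! on outside and be dropped. Add a matching global on the backup path:
global (outside) 30 interface
!
! An Internet-facing interface should not share security-level 100 with the
! LAN segments (see the last reply in the thread); 0 is the usual value.
interface Ethernet0/2
 security-level 0
```

This also explains why changing the nat ID from 30 to 10 on wguest did not move traffic: routing, not the nat ID, chooses the egress interface, and with the default route still pointing at NewISP a nat ID 10 packet simply finds no global on that interface.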
08-20-2013 12:51 PM
Jouni thank you for the reply. For your "unofficial" solution do you mean a newer software than 8.22? I think I will attempt the SLA tracked failover method tonight first and if that doesn't work I will try static routes for each subnet. I will be sure to let you know the result, thanks again.
08-21-2013 02:29 AM
Hi,
Yes, using the NAT to manipulate a PBR type traffic forwarding would require a software level 8.3+ (preferably 8.4 and above)
Compared to 8.2 the NAT configuration format has completely changed. So you would need to learn the new NAT format.
If the firewall NAT configurations are simple, the jump to the new software isn't that big of a deal. In some cases the move to the new software might actually enable you to considerably minimize the NAT configuration at the same time.
- Jouni
08-21-2013 06:44 AM
Jouni, thank you for your assistance. I set up the SLA track last night and it works perfectly, excellent solution!
08-22-2013 01:35 AM
Hey Joe
Don't give the high security level to your new ISP interface.