ASA with two public addresses issue

pusledzki1
Level 1

Firstly, apologies, as this may be a very simple fix, but after banging my head against a wall for two days I just can't seem to work it out!

We have an ASA 5512-X we want to terminate two separate Amazon instances on. We have two ISP static IP address ranges. The WAN (outside) is configured on interface g0/0 and the second public-facing IP on interface g0/3 (vpn2). I know you can only have one default route on an ASA, so when route 0.0.0.0 is configured for WAN, that range is reachable via the internet but not the new range on g0/3, and likewise if you change the default route to int g0/3 that range is reachable from the internet and not the other. We simply need both IP addresses configured on g0/1 and g0/3 to be reachable from the public internet at the same time to terminate Amazon VPNs on. Relevant config below; any help greatly appreciated.

ASA Version 9.5(2)
!
hostname FW1-INTERNET-LON

!
interface GigabitEthernet0/0
description Inside_To_SW-DISTRIBUTION-01_Gi1/0/2
nameif LAN
security-level 100
ip address 172.16.1.1 255.255.252.0 standby 172.16.1.2
!
interface GigabitEthernet0/1
description Outside_To_SW-DISTRIBUTION-01_Gi1/0/1
nameif WAN
security-level 0
ip address 212.84.1.201 255.255.255.248 standby 212.84.183.202

!
interface GigabitEthernet0/3
description Outside_To_SW-Distribution-2_g2/0/7
nameif vpn2
security-level 0
ip address 212.84.1.162 255.255.255.240 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-LAN-SUBNET
subnet 172.16.1.0 255.255.252.0
object network OBJ-POOL-A
range 212.84.1.195 212.84.183.196
object network obj-SrcNet
subnet 0.0.0.0 0.0.0.0
object network FW2_HA
subnet 172.16.1.2 255.255.255.255
object network FW2_Inside_HA
host 172.16.1.2
description FW2_Inside_HA
object network FW2_Outside_HA
host 212.84.1.202
description FW2_Outside_HA
object network vpn2
subnet 212.84.1.160 255.255.255.240
description VPN2 Subnet
object network OBJ-POOL-B
range 212.84.1.164 212.84.1.165
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network grp-voip
network-object object gamma
network-object object tinet
object-group service DM_INLINE_SERVICE_5
service-object tcp-udp destination eq sip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ldap
service-object udp destination eq domain
service-object udp destination eq ntp
object-group service imp tcp
port-object eq 5222
object-group service rtp udp
port-object range 10000 60000
object-group service sip1 tcp
port-object eq 8011
object-group service sip2 tcp
port-object eq 5080
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service DHCP udp
port-object eq bootps
object-group service DHCPrange udp
description DHCP ports
port-object range bootps bootpc
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
service-object tcp-udp
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_3 object OBJ-LAN-SUBNET any4
access-list LAN_access_in extended permit object-group TCPUDP object OBJ-LAN-SUBNET any eq domain
access-list LAN_access_in extended permit ip object OBJ-LAN-SUBNET any
access-list LAN_access_in extended permit udp any any object-group DHCP

access-list SPLIT-TUNNEL standard permit 172.16.128.0 255.255.252.0

access-list global_access extended deny ip any any

access-list WAN_access_out extended permit object-group DM_INLINE_SERVICE_4 object OBJ-LAN-SUBNET any4
access-list WAN_access_out extended permit object-group DM_INLINE_SERVICE_5 object OBJ-LAN-SUBNET object-group grp-voip
access-list WAN_access_out extended permit udp object OBJ-LAN-SUBNET object-group grp-voip object-group rtp
access-list WAN_access_out extended permit ip object OBJ-LAN-SUBNET object obj-amzn
access-list WAN_access_out extended permit object-group TCPUDP object OBJ-LAN-SUBNET any eq domain
access-list WAN_access_out extended permit tcp object OBJ-LAN-SUBNET any4 object-group DM_INLINE_TCP_1
access-list WAN_access_out extended permit tcp any any object-group DM_INLINE_TCP_2
access-list WAN_access_out extended permit ip any any

access-list WAN_access_in extended permit ip host 52.17.201.49 host 212.84.1.201
access-list WAN_access_in extended permit ip host 52.18.197.187 host 212.84.1.201

access-list vpn2_access_in extended permit object-group DM_INLINE_SERVICE_6 172.16.1.0 255.255.252.0 212.84.189.160 255.255.255.240
access-list vpn2_access_in extended permit object-group DM_INLINE_SERVICE_7 interface vpn2 any
access-list vpn2_access_in extended permit object-group DM_INLINE_SERVICE_8 interface WAN 212.84.1.160 255.255.255.240

mtu LAN 1500
mtu WAN 1500
mtu vpn2 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface FOL GigabitEthernet0/5
failover key *****
failover link STATE GigabitEthernet0/4
failover interface ip FOL 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover interface ip STATE 192.168.255.5 255.255.255.252 standby 192.168.255.6
no monitor-interface management

arp timeout 14400
arp permit-nonconnected

nat (LAN,WAN) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (LAN,vpn2) source static any any route-lookup
!
object network OBJ-LAN-SUBNET
nat (LAN,WAN) dynamic pat-pool OBJ-POOL-A interface flat include-reserve

access-group LAN_access_in in interface LAN per-user-override
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group vpn2_access_in in interface vpn2
access-group global_access global


route WAN 0.0.0.0 0.0.0.0 212.84.183.206 1


policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface WAN
prompt hostname context

3 Replies

Akshay Rastogi
Cisco Employee

Hi,

From the post I could see that you are running version 9.5.2 on the ASA. Therefore you could use Policy Based Routing on the ASA. This would help you to utilize both the ISPs.

You could now configure a route-map matching the source address from Inside and set the required next-hop for the traffic without worrying about default gateways.

By default, the ASA selects the same path the traffic came in on (if it came from Outside, and exempting route-lookup for return traffic) when the traffic is initiated from Outside.

Please find the link below to understand and configure PBR :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-policy-based.html#ID-2182-00000004

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Thank you so much for your response. The reason we upgraded to 9.5 was to use PBR for exactly this purpose. However, as I am new to ASA configuration, after following some examples, the second subnet is still not available from the public internet. Only one or the other (whichever has the default route configured towards its gateway). If you have the time, is there any way you could assist me further with the access lists and general PBR configuration?


Thanks again

rodrigog
Level 1

Hello,

Unfortunately the scenario you are looking for is not possible.

Currently the ASA only supports one default route for management traffic.

You may be able to route traffic through multiple ISPs using PBR for pass-through traffic, but PBR is not supported for management traffic on the ASA, and the termination of VPN tunnels on the box counts as management traffic.

ICMP to the box also counts as management traffic.

Regards,

Rodrigo Gutierrez 
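For readers who want to see what the policy-based routing Akshay describes looks like in ASA 9.5 syntax, here is an added example; it is not config from the thread or from either poster. It steers Internet-bound through-traffic from one inside subnet out of the vpn2 interface and translates it to the vpn2 address so replies return on the same interface. Interface names and the LAN and vpn2 ranges come from the thread; the inside subset 172.16.2.0/24, the ISP gateway 212.84.1.161, the object and route-map names, and the packet-tracer destination are assumptions made for the example. As Rodrigo points out, this only affects traffic passing through the ASA: IKE/IPsec or ICMP addressed to the ASA's own vpn2 address is to-the-box traffic, is not policy-routed, and its replies still follow the single default route on WAN.

```cisco
! Added example (not from the thread): ASA 9.5 policy-based routing
! for through-traffic only. Interface names, the LAN range and the
! vpn2 public range are from the thread; the subset 172.16.2.0/24 and
! the ISP gateway 212.84.1.161 are assumed for illustration.
!
! 1. Hosts whose Internet-bound traffic should leave via vpn2.
object network OBJ-PBR-HOSTS
 subnet 172.16.2.0 255.255.255.0
!
! 2. Extended ACL selecting the flows to policy-route (source-based,
!    as in the reply above). Only permit entries are steered.
access-list PBR-VIA-VPN2 extended permit ip 172.16.2.0 255.255.255.0 any
!
! 3. Route-map: send matching flows to the vpn2 ISP gateway
!    (212.84.1.161 is an assumption; use the real next hop).
route-map PBR-VIA-VPN2 permit 10
 match ip address PBR-VIA-VPN2
 set ip next-hop 212.84.1.161
!
! 4. Apply the route-map on the ingress (LAN) interface. PBR is
!    evaluated for traffic arriving here before the routing table,
!    so the WAN default route is not consulted for matching flows.
interface GigabitEthernet0/0
 policy-route route-map PBR-VIA-VPN2
!
! 5. PAT those hosts to the vpn2 interface address so return traffic
!    comes back on vpn2. Position 1 places this manual rule ahead of
!    the thread's existing "nat (LAN,vpn2) source static any any
!    route-lookup" identity rule, which would otherwise match first.
nat (LAN,vpn2) 1 source dynamic OBJ-PBR-HOSTS interface
!
! Verification (exec mode; 198.51.100.10 is a constructed destination):
!   show route-map PBR-VIA-VPN2
!   packet-tracer input LAN tcp 172.16.2.10 40000 198.51.100.10 443
! The trace should show a PBR phase and egress interface vpn2, while
! a trace for a host outside 172.16.2.0/24 still egresses via WAN.
```

A check worth running after applying this: packet-tracer with the ASA's own vpn2 address as the destination, or a real IKE attempt from the Amazon side, will show that to-the-box traffic does not go through the PBR phase, which is the limitation Rodrigo describes and the reason the second range still cannot terminate a tunnel while the default route points at WAN.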
