06-20-2011 09:21 AM - edited 03-11-2019 01:47 PM
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE certifications in Security (#22164).
Remember to use the rating system to let Amitashwa know if you have received an adequate response.
Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
06-20-2011 09:58 AM
Amitashwa,
We have two ASA's 5540. We are setting up Load Balancing (Active/Active). Load Balancing works great with Cisco VPN client. However, is it possible to setup Load Balancing for Site-to-Site VPN?
Thank you.
Diane
06-20-2011 08:30 PM
Hi Diane,
Based on the description you have provided, this is more a question about VPN load balancing than about Active/Active failover on the ASA. However, to answer your query: VPN load balancing/clustering is only supported for remote-access WebVPN and IPsec on the ASA. It is unfortunately not supported for site-to-site VPN on the ASA.
Let me know in case of further questions or concerns.
Regards,
Amitashwa
06-20-2011 10:34 AM
Greeting,
We have two ISPs connected to an ASA 5510, and we have configured one as the primary and the other as a backup. I'd like to know if there is a way, with the ASA, to do load balancing across both ISPs.
Thanks in advance,
Luis
06-20-2011 09:29 PM
Hi Luis,
Load balancing across dual ISPs is not possible on ASA platforms. However, you can still fail over to the other ISP in the event your primary ISP fails, using the SLA monitoring feature on the ASA.
Here's a link which explains ISP fallback on ASA:
Also, please refer to the link given below to understand the other options that you have in case of dual ISP's on ASA:
https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have
Hope it helps. Let me know in case of any questions or concerns.
Regards,
Amitashwa
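As an added example (not part of the original reply), here is what the SLA-monitor ISP fallback described above looks like on a pre-8.3 ASA. Interface names (outside for the primary ISP, backup for the secondary), NAT ID 1, SLA ID 123, track ID 1, and the RFC 5737 documentation addresses used for the gateways and probe target are all assumed placeholders.

```cisco
! Added example: assumed interface names (outside = primary ISP, backup = secondary ISP)
! and RFC 5737 documentation addresses standing in for the real gateways.

! Probe a target that is reachable ONLY through the primary ISP (here its next-hop gateway).
! If the target were also reachable via the backup path, the track would never go down.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 123 life forever start-time now

! Bind a tracking object to the probe
track 1 rtr 123 reachability

! The primary default route is withdrawn while track 1 is down;
! the floating static route (administrative distance 254) then takes over.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Pre-8.3 PAT: inside hosts need a global on BOTH egress interfaces, otherwise
! traffic leaving via backup fails translation (%ASA-3-305005, no translation group).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface

! Verification
show sla monitor operational-state 123
show track 1
show route
```

Two caveats a practitioner should keep in mind: the probe target must sit behind the primary link only, or the ASA will keep the primary route installed even when that ISP is dead; and existing connections do not migrate to the new path, so long-lived sessions have to be re-established after a failover (and again after the primary returns).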
06-21-2011 01:58 AM
Hello Amitashwa,
I have the following two questions:
(1) I have an ASA firewall running code 7.2(3) in an Active/Standby setup. Now, with this FW I have multiple zones, but my concerns in this question are only about three zones.
From inside to outside, I have an IPsec tunnel with a client. My internal network is 172.19.25.0/24 and 172.20.168.0/22; the client network is 172.17.5.0/24 and 172.17.6.0/24. The tunnel is active and both networks are reachable in both directions.
From inside to ASD_VPN, another zone, I have normal PAT. Some of my internal networks are able to reach network 10.254.0.0/16 using PAT; that is also OK.
My problem is that my client on the outside zone network (172.17.5.0/24) needs to reach network 10.254.0.0/16, which is located in the ASD_VPN zone, and I have not been able to get this reachability working. I have permitted and added 10.254.0.0/16 to the interesting traffic and to NAT 0, and have added the required permit statement to the outside access-list, yet without positive results.
What I exactly need is to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24.
Is this kind of Scenario Possible?
Please refer to my Simple Connectivity diagram and Partial config I have attached.
(2) I need to have the SSL VPN client installed on this ASA. What I understood is that my current ASA version doesn't support the SSL VPN client. What is the exact code to implement this feature? What are the licensing categories for this feature? And please provide me with a reference document to set it up (other than using ASDM).
Appreciate your Answer,
Regards,
Mohamed
06-22-2011 02:12 AM
Hi Mohamed,
Please find the answers to your questions below:
1]
From the description you have provided, I understand that you want users on the remote subnet 172.17.5.0/24 to be able to access subnet 10.254.0.0/16 across an L2L tunnel terminating on the outside interface of your ASA. Also, you want the remote subnet users to get PATed to the ASD_VPN interface IP before they can access the 10.254.0.0/16 subnet.
You can achieve the objective stated above by doing the following configuration on the ASA:
access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
nat (ASD_VPN) 0 access-list 101
nat (outside) 2 172.17.5.0 255.255.255.0 outside
global (ASD_VPN) 2 interface
However, you need to make sure that the traffic destined for the 172.16.5.0/24 subnet from 10.254.0.0/16 is part of the crypto ACL to the remote peer on the ASA, and that the reverse of it is configured at the remote end.
Also, this traffic flow will only work when traffic is initiated from the remote subnet, i.e. 172.16.5.0/24, as it is getting PATed on the ASA. If you would like this traffic flow to work bidirectionally, then get rid of the "nat (outside)" statement from the configuration, which will in turn not PAT the traffic coming in from 172.17.5.0/24 to the ASD_VPN interface IP before it goes to the 10.254.0.0 subnet.
2] This question is outside the scope of this discussion; however, I will still answer your basic query on it. I would appreciate it if you could raise further questions on it in the VPN forum on CSC.
ASA 7.2.3 does support the SSL VPN client in full mode; however, it does not support AnyConnect VPN. AnyConnect is supported from 8.x. Please refer to the link given below to check the SSL VPN client configuration on ASA 7.x:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/svc.html
By default, Cisco provides a complimentary two-user SSL VPN license on all supported ASA devices. However, you will have to purchase a license if you want more SSL users to be supported on the ASA.
Hope this helps.
Regards,
Amitashwa
06-22-2011 04:31 AM
Amitashwa,
1) I have actually tried what you suggested before, but with no positive result.
I am not allowing bidirectional communication through PAT; the traffic should always be initiated from my ASA. However, using packet tracer shows the packet flow, but the packet is being dropped due to "IPsec spoof detected".
Still my question remains: my IPsec tunnel is over the Internet, so the client 172.17.5.0 traffic is encrypted when it reaches my internal network, while I am PATing my internal and outside network 172.17.5.0/24 to the client 10.254.0.0/16.
As I said, packet tracer shows no deny for any rule, but the traffic is still being dropped and the reason is "IPsec spoof detected".
Do you have any suggestion for this result?
2) for the Second question, Thanks for your input.
Regards,
Mohamed
06-23-2011 05:53 AM
Hi Mohamed,
I understand that you have the following setup with a L2L tunnel between the ASA and the remote peer:
inside outside
---------ASA -------------------Internet ---------------------------Remote Peer ----------------172.17.5.0/24
| ASD_VPN
|
10.254.0.0/16
And here is what you want to achieve:
"What I exactly need is to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24."
I would appreciate it if you could provide me with the following information to help you further:
1] When you say that you want to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, what exactly do you mean? Do you mean that you want the decrypted traffic (from subnet 172.17.5.0/24 to 10.254.0.0/16) to get PATed to the ASD_VPN interface before it actually gets to the 10.254.0.0/16 subnet?
2] When you say "...and vice versa for the return path, I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24", I understand that you only want this traffic to go through the tunnel to the remote side. Correct me if I have misunderstood anything here.
3] Output of the packet tracer command from the ASA.
4] Output of "show cry isa sa" and "show crypto ipsec sa peer
Thanks,
Amitashwa
06-24-2011 12:15 PM
Hi Amitashwa,
I am attaching here the output of what you requested, including the packet tracer output from both the OUTSIDE and ASD_VPN interfaces.
With regard to your questions:
1) Your understanding is correct.
2) Your understanding is correct.
Just one note: the traffic flow should always be initiated from the client 172.17.5.0/24 to network 10.254.0.0/16. However, it is still not getting positive results.
Regards,
Mohamed
06-24-2011 10:50 PM
Hi Mohamed,
Packet tracer is not the right way to test this traffic flow, as the packet generated by it would be clear text from outside to ASD_VPN, and this might result in the "IPsec spoof detected" message. Therefore I would like you to actually do a ping from 172.17.5.0/24 to 10.254.0.0/16 to test the connectivity. Also, if my understanding of the problem is correct, then the commands that I suggested earlier are the only ones we need to achieve the desired result.
Please let me know if you have the following command configured on the ASA:
nat (outside) 2 172.17.5.0 255.255.255.0 outside -- the "outside" keyword at the end is important here
Regards,
Amitashwa
06-25-2011 12:55 AM
Amitashwa,
As soon as I type the command you are proposing, nat (outside) 2 172.17.5.0 255.255.255.0 outside, I lose connection to the peer.
I mean the IPsec tunnel is still active; however, no traffic (pings, for example) for any of the interesting traffic to network 172.17.5.0/24 works AT ALL. So the traffic gets dropped.
When I remove it, all traffic goes back to normal.
Any clue?
Regards,
Mohamed
06-25-2011 02:19 AM
Mohamed,
Do you see any syslog related to "translation failed" after applying the proposed NAT command? Try using this NAT command instead and let me know how it goes:
access-list 101 permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0
nat (outside) 2 access-list 101 outside
Regards,
Amit
06-25-2011 07:26 AM
Amit,
With the ACL associated with NAT, it worked like a charm!!! I just have one question for you:
1- While using nat (outside) 2 172.17.5.0 255.255.255.0, I did it before without adding the "outside" keyword at the end and thought it should bring up the connection, while it didn't. So the question: what does the "outside" keyword actually do at the end of this nat statement?
For the ACL NAT, I realized that doing it with the network command would NAT all traffic sourced from network 172.17.5.0/24 coming from outside regardless of its destination, which in the end results in the IPsec spoof and the firewall dropping the packet.
Thanks for your time to answer my question,
BTW, I have given you full rate as deserved.
Regards,
Mohamed
06-26-2011 12:09 PM
Mohamed,
It is good to know that everything has started working for you now.
The "nat" command up to 8.2 is only used to translate the source and is always applied on the higher-security-level interface of the firewall. However, when we want to translate the source of traffic going from a low to a high security level, we need to apply the nat command with the "outside" keyword on the low-security-level interface, along with a corresponding "global" command on the high-security-level interface. Since, in your case, the requirement was to translate the source of the decrypted traffic going from a low to a high security level, we needed this keyword along with the nat command.
Also, when we were not using the ACL with the "nat outside" command, it was looking to translate any traffic sourced from 172.17.5.0 to anywhere on the inside, and since we did not have a matching "global (inside) 2" command applied on the inside interface, this traffic was getting dropped on the firewall.
Regards,
Amit
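As an added example (not part of the original thread), the full pre-8.3 configuration that the exchange above converges on, with the ACL-based "outside NAT" beside the crypto and exemption pieces it depends on. Interface names (inside, ASD_VPN, outside) and the subnets are the ones discussed in the thread; the ACL names, crypto map name, transform-set name, NAT ID 2 and the remote peer address 203.0.113.10 are assumed placeholders.

```cisco
! Added example. Assumed interface names from the thread: inside (high security),
! ASD_VPN, outside (low security). ACL/crypto-map names and peer address are placeholders.

! 1. Identity (exempt) NAT: traffic from the inside subnets toward the remote VPN
!    subnet must keep its real addresses so it matches the crypto ACL and the peer's proxy IDs.
access-list NONAT extended permit ip 172.19.25.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list NONAT extended permit ip 172.20.168.0 255.255.252.0 172.17.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Policy "outside NAT" for the decrypted flow only: 172.17.5.0/24 -> 10.254.0.0/16
!    is hidden behind the ASD_VPN interface address. The trailing "outside" keyword says
!    this nat sits on a lower-security interface, so the matching global must be on the
!    higher-security ASD_VPN interface. Without the ACL, every packet from 172.17.5.0/24
!    (including replies to inside hosts) would need a global on every destination interface,
!    which is why the unqualified form in the thread broke the existing tunnel traffic.
access-list VPN-TO-ASD extended permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0
nat (outside) 2 access-list VPN-TO-ASD outside
global (ASD_VPN) 2 interface

! 3. Optional, as in the first reply: keep 10.254.0.0/16 untranslated toward the remote subnet.
access-list ASD-NONAT extended permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
nat (ASD_VPN) 0 access-list ASD-NONAT

! 4. The crypto ACL carries the real (pre-NAT) addresses; the remote peer mirrors it
!    (local 172.17.5.0/24, remote 10.254.0.0/16 plus the inside subnets).
access-list L2L-CRYPTO extended permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 172.19.25.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 172.20.168.0 255.255.252.0 172.17.5.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 5. Verification, after a real ping from a 172.17.5.0/24 host (not packet-tracer):
!    the xlate should show 172.17.5.x translated to the ASD_VPN interface address.
show xlate | include 172.17.5
show nat
show crypto ipsec sa peer 203.0.113.10
show asp drop
```

Two points worth checking when reproducing this. First, as the thread notes, packet-tracer from outside injects clear text, so the drop reason it reports ("IPsec spoof detected", visible as a counter in show asp drop) is an artifact of the test, not of the NAT; test with traffic that actually arrives through the tunnel. Second, because the remote subnet is PATed behind one address, only 172.17.5.0/24 can initiate toward 10.254.0.0/16; if 10.254.0.0/16 hosts must initiate as well, drop the nat (outside) line and add 10.254.0.0/16 to the identity NAT and to the crypto ACLs on both peers instead.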