Cisco ASA multiple outside Interface

upen desai
Level 1

Hi,

I hope you can help. I currently have the task of migrating to a new ISP.

We have a Cisco ASA 5508 (ASA 9.7) with three interfaces: inside, DMZ and outside.

I need to migrate from the current ISP1 to two new service providers, BT and TalkTalk, but I will need to set all of this up in parallel.

My query is: is it possible to configure the remaining interfaces as outside, with security level 0, for BT and TalkTalk in parallel to the existing one?

When attempting to do so, I get the attached error message.

'Changing the security level of an interface may cause your ASA configuration to become invalid.'

Can you please advise.

 


8 Replies

Dennis Mink
VIP Alumni

You can change the security level to 0 because, at the end of the day, the ACL will define what is allowed in. The default is that traffic will not flow from a low level to a higher level; it's like a failsafe.

The question now, though, is: with two ISPs, how are you intending to route traffic to both ISPs? Or are you going to use one for outbound and two for inbound? Are you using something like BGP peering to both ISPs?

 

thx

Please remember to rate useful posts, by clicking on the stars below.

Thank you Dennis for the response.

 

So I can set up all three interfaces with Security Level 0?

 

The plan is to cease the current ISP, make the BT circuit the primary circuit and TalkTalk the secondary (manual failover).

On the ASA I have several internal objects which directly NAT to external IP addresses, and there are a few normal NAT addresses which will need updating.

I will recreate the individual objects to directly NAT to the BT external IP addresses.

Question: as shown in the screenshot, is it OK to set up the interface in advance, and will it cause any outage?

ASA.PNG

So I can set up all three interfaces with Security Level 0?

 

You said earlier you have inside, outside and DMZ. Inside is always 100, DMZ is between 1 and 99, and outside is 0.

please do not forget to rate.

Hello,

Sorry, what I meant is: is it OK to set up all three ISP interfaces (current ISP, BT and TalkTalk) with Security Level 0?

There are additional interfaces on the ASA: Inside and DMZ.

I am trying to do some prep work for the ISP migration. I was going to assign the external IP addresses for BT and TalkTalk to G1/5 and G1/6, as per the screenshot.

ASA1.PNG

 

When assigning the new IP address for BT, I get the following message, and I am not sure if this is an issue or whether it will cause other problems on the firewall.

 

ASA2.PNG

 

Sorry but I have not done this exercise before so any pointer would be really helpful.

You should be OK, but you need to be careful with your NAT rules. If you need help, give us the NAT IP addresses.
please do not forget to rate.

Thank you - all done now.

Here is the template:

 

!
! 8.8.8.8 / 9.9.9.9 and "next-hop" are placeholders: use the address, mask and
! gateway each ISP assigns (a /32 interface mask is not usable; a /30 is assumed here)
!
interface gig0/1
 description BT
 nameif outside
 security-level 0
 ip address 8.8.8.8 255.255.255.252
!
interface gig0/2
 description BACKUP
 nameif backup
 security-level 0
 ip address 9.9.9.9 255.255.255.252
!
object network INSIDE-PART1
 subnet 192.168.1.0 255.255.255.0
!
object network OUTSIDE-1
 host 8.8.8.8
!
object network INSIDE-PART2
 subnet 192.168.1.0 255.255.255.0
!
object network BACKUP-1
 host 9.9.9.9
!
! twice NAT: the real (inside) object comes first, the mapped address second
nat (inside,outside) source dynamic INSIDE-PART1 OUTSIDE-1
!
nat (inside,backup) source dynamic INSIDE-PART2 BACKUP-1
!
! the primary default route is the tracked one; the backup gets a worse metric
! so it is only installed when track 10 reports the BT path unreachable
route outside 0.0.0.0 0.0.0.0 next-hop 1 track 10
route backup 0.0.0.0 0.0.0.0 next-hop 254
!
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.2 interface outside
 num-packets 3
sla monitor schedule 10 life forever start-time now
!
! the track object ties the SLA probe to the route above
track 10 rtr 10 reachability
!

I added the SLA after @Marius Gunnerud gave the suggestion.

please do not forget to rate.
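The template above is easy to get subtly wrong (which side of a twice-NAT rule takes the `interface` keyword, which default route carries the `track`, whether the `track` object and `sla monitor` it points at exist, a host mask on an uplink). The following is an added example, not code from this thread or from Cisco: a small Python linter that runs those checks over a `show running-config` excerpt before it is pasted into the ASA. The two embedded configs are constructed for illustration; the interface names (outside1/outside2, outside/backup), RFC 5737 addresses and gateways are assumed placeholders, not anyone's real deployment, and the parser only understands the handful of stanzas it needs.

```python
"""Lint an ASA config excerpt for the dual-ISP pitfalls in this thread (added example,
not from the post). Names and addresses are assumed placeholders (RFC 5737 ranges)."""
import re

# Constructed: the posted template with the slips fixed; outside1 is primary and tracked.
GOOD_CONFIG = """\
interface GigabitEthernet1/5
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/6
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
nat (inside,outside1) source dynamic INSIDE-LAN interface
nat (inside,outside2) source dynamic INSIDE-LAN interface
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
"""

# Constructed: the template as first posted (/32 mask, 'interface' on the real side
# of the NAT, track on the backup route instead of the primary, no 'track' object).
BAD_CONFIG = """\
interface GigabitEthernet1/5
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.255
interface GigabitEthernet1/6
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.252
nat (inside,outside) source dynamic interface INSIDE-LAN
nat (inside,backup) source dynamic INSIDE-LAN interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 track 10
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
"""

RE_NAT = re.compile(r"^nat \((\S+),(\S+)\) source (?:static|dynamic) (\S+) (\S+)")
RE_ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?(?: track (\d+))?\s*$")
RE_TRACK = re.compile(r"^track (\d+) rtr (\d+) reachability")
RE_SLA = re.compile(r"^sla monitor (\d+)\s*$")


def parse(cfg):
    """Collect interfaces, twice-NAT rules, default routes, track and SLA objects."""
    p = {"ifaces": [], "nats": [], "routes": [], "tracks": {}, "slas": set(), "same_sec": False}
    cur = None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] != " ":                    # any top-level line ends an interface block
            cur = None
        if w[0] == "interface":
            cur = {"nameif": None, "security-level": None, "mask": None}
            p["ifaces"].append(cur)
        elif cur is not None and w[0] in ("nameif", "security-level"):
            cur[w[0]] = w[1]
        elif cur is not None and w[:2] == ["ip", "address"]:
            cur["mask"] = w[3]
        elif m := RE_NAT.match(line):
            p["nats"].append(m.groups())      # (real_if, mapped_if, real_obj, mapped_obj)
        elif m := RE_ROUTE.match(line):
            p["routes"].append({"if": m[1], "metric": int(m[2] or 1), "track": m[3]})
        elif m := RE_TRACK.match(line):
            p["tracks"][m[1]] = m[2]          # track id -> sla monitor id
        elif m := RE_SLA.match(line):
            p["slas"].add(m[1])
        elif line.startswith("same-security-traffic permit inter-interface"):
            p["same_sec"] = True
    return p


def lint(cfg):
    """Return (severity, code, message) findings for the excerpt."""
    p, out = parse(cfg), []
    for i in p["ifaces"]:
        if i["mask"] == "255.255.255.255":
            out.append(("error", "HOST_MASK", f"{i['nameif']}: /32 address leaves no on-link next hop; use the ISP-assigned mask"))
    for real_if, mapped_if, real_obj, _ in p["nats"]:
        if real_obj == "interface":
            out.append(("error", "NAT_REAL_INTERFACE", f"nat ({real_if},{mapped_if}): 'interface' is only valid as the mapped address"))
    untracked = [r["metric"] for r in p["routes"] if r["track"] is None]
    for r in p["routes"]:
        if r["track"] is None:
            continue
        if r["track"] not in p["tracks"]:
            out.append(("error", "TRACK_UNDEFINED", f"route via {r['if']}: no 'track {r['track']} rtr ... reachability' object"))
        elif p["tracks"][r["track"]] not in p["slas"]:
            out.append(("error", "SLA_UNDEFINED", f"track {r['track']}: sla monitor {p['tracks'][r['track']]} is not defined"))
        if untracked and r["metric"] >= min(untracked):
            out.append(("error", "TRACK_ON_BACKUP", f"tracked route via {r['if']} (metric {r['metric']}) is not the preferred route; track the primary and give the backup a higher metric"))
    if sum(i["security-level"] == "0" for i in p["ifaces"]) > 1 and not p["same_sec"]:
        out.append(("info", "SAME_SEC_DENY", "several level-0 interfaces: traffic between them is denied unless 'same-security-traffic permit inter-interface' is set"))
    return out


if __name__ == "__main__":
    for sev, code, msg in lint(BAD_CONFIG):
        print(sev, code, msg)
```

The SAME_SEC_DENY finding is informational on purpose: with two uplinks at security-level 0 nothing normally needs to pass between them, so leaving `same-security-traffic permit inter-interface` unset is the safer default; it only becomes a problem if traffic must hairpin from one ISP interface to the other. Everything else is an error because the ASA will either reject the line or silently fail over the wrong way.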

Each interface on the ASA requires a different interface name, so you will not be able to name the two new interfaces "outside". You can, however, name them outside1 and outside2 and then create NAT and route statements for each. If the second interface is to be a backup, then you would need to create IP SLA trackers so the routes will automatically fail over.

--
Please remember to select a correct answer and rate helpful posts