Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
497
Views
0
Helpful
5
Replies

How to config ASA 5520 with 2 ISP for 2 different network object group

thedao
Level 1
Level 1

ā€Ž10-21-2024 04:33 AM

Hi all,

I have two network object groups as follows:

  • inside_group_A with hosts ranging from 172.16.10.10 to 172.16.10.15 (configured with Static NAT for services such as Mail and Web).

  • inside_group_B with hosts ranging from 172.16.10.20 to 172.16.10.30 (I want to configure some hosts in this group for public-facing Web and Mail services).

I have two WAN connections on two outside interfaces, named outside_A and outside_B. All hosts are currently configured with Static NAT via the outside_A interface, and they can successfully access the Internet through outside_A.

I attempted to configure Static NAT for hosts in inside_group_B (e.g., 172.16.10.20 with Public IP: 118.221.193.89) to go through the outside_B interface, but it was not successful. My goal is to open certain ports, such as Web or Mail, for this host, but I haven't been able to get it working.

Can anyone help me configure this on an ASA 5520? Thanks a lot!

0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

ā€Ž10-21-2024 06:48 AM

@thedao 

 When you configured the NAT for inside_group_B, how did you do with the routing? As inside_group_A and inside_group_B is basically the same IP range, they are contiguous, you may face challange on the route part.

 If you already have NAT configured for inside_group_A going through the outside_A, depending on how the configuration was done, you are probably overlaping config.

Which ASA version is it and can you share the show running-config?

0 Helpful

thedao
Level 1
Level 1
In response to Flavio Miranda

ā€Ž10-24-2024 09:16 PM

Hi @Flavio Miranda 

inside group A & B use different network IP ranges for Static NAT.
example:

inside_group_A:   IP from 172.16.10.10 to 172.16.10.15 --> config Static NAT go through outside_A interface (201.93.x.x/28)
inside_group_B:   IP from 172.16.10.20 to 172.16.10.30 --> config Static NAT go through outside_B interface (118.221.x.x/28)
Now, the outside_A interface with the current default route is 0.0.0.0/any is working fine.
I just config new ISP for the interface outside_B
I will give you after show running-config later. Thanks for your help!

 

 

0 Helpful

MHM Cisco World
VIP
VIP

ā€Ž10-31-2024 12:21 AM

https://integratingit.wordpress.com/2020/03/01/asa-policy-based-routing/

this I think what you looking for 

MHM

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni

ā€Ž10-31-2024 12:27 AM

Hi,

    Since you got it working on outside_A, I assume you have replicated the config (NAT, routing, and ACL configuration done right); I'm inclined to believe you have a routing problem: you need both default routes (on outside_A and outside_B) to be active at the same time and to make this work (allow ASA to perform ECMP) you need to configure both outside interface to be member of same zone.

Best,

Cristian.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card