02-04-2020 11:05 PM
Hi, I would need some assistance on how to configure 2 outside interfaces. One ISP (outside) interface has a /28 IP address and the other one a /30 IP address. My intention is to put the servers behind the FW so that each ISP is related to one of the inside (server) interfaces, so it's not a failover connection for the outside interface. PFA network diagram for better understanding. Each server needs bidirectional connections like the Internet and RDP, and some ports blocked. There's 1 server that has a dedicated public IP /30 that I need to connect to the FW to set some limitations on the ports. I'm trying to simulate it using our spare ASA5512 but I'm having a hard time making it work. I don't know if it's doable or not. Please advise. Thanks
interface GigabitEthernet0/0
nameif outside <---- (ISP 1)
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside-2
security-level 100
ip address 10.0.0.1 255.255.240.0
!
interface GigabitEthernet0/2
nameif outside-1 <--- (ISP 2)
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
nameif inside-3
security-level 100
ip address 172.16.1.1 255.255.255.0
object network Server-1
host 10.0.0.2
object network Server-2
host 172.168.1.15
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq www
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq 3389
access-list OUT_IN extended deny icmp any any echo
object network Server-1
nat (inside-2,outside) static x.x.x.x <---- Next available public IP for /28
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 (Facing to ISP 1 Interface) 1
02-05-2020 01:01 AM - edited 02-05-2020 01:02 AM
Yes, that will work, and the config looks fine for reaching server-1 over outside. What is not working? What is the result of
packet-tracer input outside tcp 1.2.3.4 1234 PUBLIC-IP-OF-SERVER-1 80
If it does not work, it could be the result of config you are not showing here, especially other NAT statements before the shown statements.
02-05-2020 07:05 PM
Hi Karsten,
My only concern is how to set up the second ISP (ISP 2, outside-2) for inside-3 to have an internet connection, because ISP 2 is only a /30 and there's no available IP address to map the private IP to another public IP like I did in the Server-1 setup, and I need to be able to RDP/SSH and so on from the outside network to inside. Do I need to create a network/service object for Server-2, and how would you create the NAT and access list for that?
Any suggestion? Thank you.
02-06-2020 11:56 PM
Hi, I tried the commands below, but they didn't work for accessing Server-2 from outside to inside via RDP; the internet is working fine.
interface GigabitEthernet0/2
nameif outside-1 <--- (ISP 2)
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
nameif inside-3
security-level 100
ip address 172.16.1.1 255.255.255.0
object network Server-2
host 172.16.1.15
nat (inside,outside) dynamic interface
object service Server-3389
service tcp source eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq www
nat (inside,outside) source static Server-2 interface service Server-80 Server-80
access-group OUT_IN in interface outside-1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
packet-tracer input outside tcp 192.168.1.1 1234 172.16.1.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static TerareconServer interface service Server-3389 Server-3389
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-07-2020 12:31 AM
You have to use the public IP as the destination in packet-tracer.
02-05-2020 12:54 PM
On the NAT statement for interface outside-1, do you have the keyword "route-lookup" configured? If so, remove it. Also, make sure that the NAT configuration is correct and that it actually matches the traffic for the outside-1 interface. If route-lookup is not present and the traffic flow still does not work, it is possible you will need to use policy-based routing to redirect traffic out the outside-1 interface. For this you would need to upgrade to 9.7 or higher.
02-05-2020 07:04 PM
Hi Marius, I don't have the route-lookup command in my config. Server-1 is working properly and can route from inside to outside or vice versa.
My only concern is how to set up the second ISP (ISP 2, outside-2) for inside-3 to have an internet connection, because ISP 2 is only a /30 and there's no available IP address to map the private IP to another public IP like I did in the Server-1 setup, and I need to be able to RDP/SSH and so on from the outside network to inside. Do I need to create a network/service object for Server-2, and how would you create the NAT and access list for that?
Any suggestion? Thank you.
02-06-2020 11:57 PM
Hi, I tried the commands below, but they didn't work for accessing Server-2 from outside to inside via RDP; the internet is working fine.
interface GigabitEthernet0/2
nameif outside-1 <--- (ISP 2)
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
nameif inside-3
security-level 100
ip address 172.16.1.1 255.255.255.0
object network Server-2
host 172.16.1.15
nat (inside,outside) dynamic interface
object service Server-3389
service tcp source eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq www
nat (inside,outside) source static Server-2 interface service Server-3389 Server-3389
access-group OUT_IN in interface outside-1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
packet-tracer input outside tcp 192.168.1.1 1234 172.16.1.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static TerareconServer interface service Server-3389 Server-3389
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-09-2020 12:54 PM
You will need to use a static NAT statement for server-2 pointing out ISP-2, and it is possible you will need to use policy-based routing (PBR) to route traffic out the ISP-2 interface in case the NAT statement doesn't take care of that for you.
02-10-2020 06:35 AM
I think you are able to configure ISP-1 with NAT, ACL and route. You are facing an issue in setting up the server for ISP-2.
For that you have to configure PBR and also configure NAT with selective services. Find the configuration below for your reference.
======
=======
This is not really a finely structured configuration, but you will get the idea. If you are still having an issue, do let me know.
H2H
### RATE ALL HELPFUL RESPONSES ###
02-11-2020 10:27 PM
Here is my config below after you suggested putting in the PBR configuration. Does it mean it's working now, since the packet-tracer result is allowed? What I did was: Server-2 is my laptop for simulation, connected to the ASA (interface G0/1) for the inside.
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.97 255.255.255.0 <--- this IP is configured to our load balancer in our Office.
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
policy-route route-map PBR
object network Server-2
host 172.16.1.15
object network ISP-2-SRV-IP
host 192.168.1.97
access-list OUT_IN extended permit tcp any object Server-2 eq ssh
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq www
access-list PBR extended permit ip 172.16.1.0 255.255.255.0 any
nat (outside,inside) source dynamic any interface
nat (inside,outside) source dynamic any interface
!
object network Server-2
nat (inside,outside) static interface service tcp www www
access-group OUT_IN in interface outside
!
route-map PBR permit 10
match ip address PBR
set ip next-hop 192.168.1.1
ASA2(config)# packet-tracer input outside tcp 192.168.1.25 13389 172.16.1.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.1.25/13389 to 172.16.1.1/13389
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source dynamic any interface
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 156588, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
02-11-2020 11:12 PM
I tried to change the NAT config because it's not pointing to my Server-2 IP address.
From
nat (outside,inside) source dynamic any interface
To
nat (outside,inside) source static any TerareconServer
ASA2(config)# packet-tracer input outside tcp x.x.x.x 13389 172.16.1.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static any Server-2
Additional Information:
Static translate x.x.x.x/13389 to 172.16.1.15/13389
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Frame drop:
Invalid encapsulation (invalid-encap) 2961
No valid adjacency (no-adjacency) 191
No route to host (no-route) 19
Flow is denied by configured rule (acl-drop) 999615
First TCP packet not SYN (tcp-not-syn) 1460
TCP failed 3 way handshake (tcp-3whs-failed) 123
TCP RST/FIN out of order (tcp-rstfin-ooo) 5994
TCP SYNACK on established conn (tcp-synack-ooo) 21
TCP RST/SYN in window (tcp-rst-syn-in-win) 7
Slowpath security checks failed (sp-security-failed) 873988
Expired flow (flow-expired) 1
FP L2 rule drop (l2_acl) 173708
Interface is down (interface-down) 168
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 927
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 228
Inspection failure (inspect-fail) 10
Last clearing: Never
02-12-2020 03:45 AM
02-13-2020 12:19 AM
Hi, I'm still having an issue with Server-2 getting internet / RDP from outside to inside or vice versa. Below are my current commands on the ASA. Is there any NAT/ACL command that can make both Internet and RDP work?
Just disregard the PBR command for now; I just want to work on this kind of setup.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252 <---- /30 ISP
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
object network Server-2
host 172.16.1.15
nat (inside,outside) static interface service tcp www www
object network ISP-2-SRV-IP
host 192.168.1.97
object service TCP3389
service tcp source eq 3389
nat (inside,outside) source dynamic any interface <-- If this command is configured, my Server-2 is able to browse but cannot RDP from outside to inside, and the packet-tracer result will be drop
nat (outside,inside) source static any any destination static interface Server-2 service TCP3389 TCP3389
access-list OUT_IN extended permit tcp any object Server-2 eq www
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
packet-tracer input outside tcp x.x.x.x 12345 172.16.1.15 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
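Pulling together what Marius and H2H describe above (a static NAT for Server-2 toward ISP-2 plus PBR for outbound traffic) and the last post's question of a NAT/ACL combination that serves both Internet and RDP, here is an added example configuration. It is not the configuration from any post in this thread and not H2H's missing snippet; the interface names, the inside-2 network and the Server-2 address are taken from the thread, while the ISP-2 addresses (203.0.113.x) and the test source (198.51.100.7) are documentation placeholders, and the object, ACL and route-map names are my own. It assumes an ASA release that supports policy-route on an interface.

```cisco
! Added example, not the configuration from any post above.
! Assumptions: ISP-2 is on outside-1 (/30, so only the interface IP is usable),
! Server-2 sits on inside-3 at 172.16.1.15, the ISP-2 gateway is the
! placeholder 203.0.113.1 and the ASA side is the placeholder 203.0.113.2.

interface GigabitEthernet0/2
 nameif outside-1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/3
 nameif inside-3
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 policy-route route-map ISP2-PBR
!
object network Server-2
 host 172.16.1.15
!
! Port-forward services. In twice NAT the "source" port is the real server's
! port as seen from the inside; the same object is used on both sides of the
! rule because the port is not changed on the way out.
object service TCP-3389
 service tcp source eq 3389
object service TCP-80
 service tcp source eq 80
!
! Section 1 (manual) rules: the static port-forwards must come first.
! A "source dynamic any interface" rule placed above them matches the reverse
! direction of the inbound connection and the rpf-check drops it, which is the
! DROP shown in the packet-tracer output above.
nat (inside-3,outside-1) source static Server-2 interface service TCP-3389 TCP-3389
nat (inside-3,outside-1) source static Server-2 interface service TCP-80 TCP-80
!
! Outbound PAT for everything else from inside-3. "after-auto" places it in
! section 3, after the object NAT rules, so it can never shadow the forwards.
nat (inside-3,outside-1) after-auto source dynamic any interface
!
! ACL on outside-1 references the real (untranslated) server address and only
! opens the two forwarded ports; everything else from the Internet is denied.
access-list OUT_IN_ISP2 extended permit tcp any object Server-2 eq 3389
access-list OUT_IN_ISP2 extended permit tcp any object Server-2 eq www
access-group OUT_IN_ISP2 in interface outside-1
!
! The default route stays with ISP-1. PBR sends traffic that inside-3 starts
! out through ISP-2 instead, but traffic to the inside-2 network (10.0.0.0/20
! in the first post) is excluded so it still follows the normal routing table.
access-list PBR-INSIDE-3 extended deny ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.240.0
access-list PBR-INSIDE-3 extended permit ip 172.16.1.0 255.255.255.0 any
route-map ISP2-PBR permit 10
 match ip address PBR-INSIDE-3
 set ip next-hop 203.0.113.1
!
! Verification: the destination must be the public (interface) address, not
! the server's private address, exactly as Karsten points out above.
! packet-tracer input outside-1 tcp 198.51.100.7 1234 203.0.113.2 3389
```

Two points decide whether this works. First, on an ASA the order of the manual NAT rules is the lookup order, so a dynamic PAT that precedes the static port-forward takes the reverse flow and the static rule never gets a chance; placing the PAT with after-auto (or simply below the static rules) avoids that without having to rely on a specific line number. Second, the static rule's mapped interface (outside-1) decides the egress interface for the inbound connection and its replies, so only connections that Server-2 itself initiates need the PBR entry to leave through ISP-2 rather than the default route toward ISP-1.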
02-13-2020 01:18 AM