Multiple outside interface on Cisco ASA5512 version 9.5(1)

johnbloods
Level 1

Hi, I would need some assistance on how to configure 2 outside interfaces. One ISP (outside) interface has a /28 IP address and the other one has a /30 IP address. My intention is to put the servers behind the FW so that each ISP is related to one of the inside (server) interfaces, so it's not a failover connection for the outside interface. PFA network diagram for better understanding. Each server needs to access bidirectional connections like the Internet and RDP, and block some ports. There's 1 server that has a dedicated public IP /30 that I need to connect to the FW to set some limitations on the ports. I'm trying to simulate it using our spare ASA5512 but I'm having a hard time making it work. I don't know if it's doable or not. Please advise. Thanks

 

 

interface GigabitEthernet0/0
nameif outside <---- (ISP 1)
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside-2
security-level 100
ip address 10.0.0.1 255.255.240.0
!
interface GigabitEthernet0/2
nameif outside-1 <--- (ISP 2)
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
nameif inside-3
security-level 100
ip address 172.16.1.1 255.255.255.0

 

object network Server-1
host 10.0.0.2
object network Server-2
host 172.168.1.15
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq www
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq 3389
access-list OUT_IN extended deny icmp any any echo

 

object network Server-1
nat (inside-2,outside) static x.x.x.x <---- Next available public IP for /28
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 (Facing to ISP 1 Interface) 1

16 Replies

Yes, that will work, and the config looks fine for reaching Server-1 over outside. What is not working? What is the result of

packet-tracer input outside tcp 1.2.3.4 1234 PUBLIC-IP-OF-SERVER-1 80

If it does not work, it could be the result of config you are not showing here, especially other NAT statements before the shown statements.

Hi Karsten, 

 

My only concern is how to set up the second ISP 2 (outside-2) for inside-3 to have an internet connection, because ISP 2 is only a /30 and there's no available IP address to point the private IP to another public IP like I did on the Server-1 setup, and I need to be able to RDP/SSH and so on from the outside network to inside. Do I need to create an object network/service for Server-2, and how would you create the NATting and access-list for that?

 

Any suggestions? Thank you

Hi, I tried the commands below, but it didn't work for Server-2 to be accessed from outside to inside via RDP, although the internet is working fine.

 

interface GigabitEthernet0/2
nameif outside-1 <--- (ISP 2)
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
nameif inside-3
security-level 100
ip address 172.16.1.1 255.255.255.0

 

object network Server-2
host 172.16.1.15

nat (inside,outside) dynamic interface

object service Server-3389
service tcp source eq 3389

 

access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq www

 

nat (inside,outside) source static Server-2 interface service Server-80 Server-80

 

access-group OUT_IN in interface outside-1

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

 

packet-tracer input outside tcp 192.168.1.1 1234 172.16.1.15 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static TerareconServer interface service Server-3389 Server-3389
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
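Reading packet-tracer output by hand is error prone, especially when the drop sits in phase 5 of a long trace. The following Python helper is an added example, not part of the thread, that parses the phases and reports the first one with Result DROP together with the Config line it cites. SAMPLE is an abridged copy of the output above (phases 3 and 4 omitted) used as constructed input.

```python
"""Pull the deciding phase out of Cisco ASA packet-tracer output.

Added example for this thread (not part of the original posts): the parser is
generic, and SAMPLE is an abridged copy of the poster's own packet-tracer run
above (phases 3 and 4 omitted), used here as constructed test input."""
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, final): the per-phase records and the trailing
    'Result:' block as a dict (input-interface, Action, Drop-reason, ...)."""
    phases, final = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":            # a bare 'Result:' opens the final summary
            current, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif current is None:
            continue                       # text before the first phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
        else:                              # Type: / Subtype: / Result: ALLOW|DROP
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("type", "subtype", "result"):
                setattr(current, key, value.strip())
    return phases, final


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def summarize(text):
    """One-line verdict: which phase dropped the packet and the rule it cites."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return f"ALLOW after {len(phases)} phases, egress {final.get('output-interface', '?')}"
    rule = drop.config[0] if drop.config else "(no config line shown)"
    return f"DROP in phase {drop.number} {drop.type}/{drop.subtype}: {rule}; {final.get('Drop-reason', '')}"


# Constructed input: abridged copy of the packet-tracer run quoted above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static TerareconServer interface service Server-3389 Server-3389
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The summary line points straight at the NAT rule that failed the reverse-path check, which is the line to compare against the rule that actually matched the untranslate; the generic Drop-reason text at the bottom says only that a rule denied the flow.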

 

 

You have to use the public IP as the destination in packet-tracer.

On the NAT statement for interface outside-1, do you have the keyword "route-lookup" configured? If so, remove it. Also, make sure that the NAT configuration is correct and that it actually does match the traffic for the outside-1 interface. If route-lookup is not present and the traffic flow still does not work, it is possible you will need to use policy-based routing to redirect traffic out the outside-1 interface. For this you would need to upgrade to 9.7 or higher.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, I don't have the route-lookup command in my config. Server-1 is working properly and can route from inside to outside and vice versa.

 


You will need to use a static NAT statement for Server-2 pointing out ISP-2, and it is possible you will need to use policy-based routing (PBR) to route traffic out the ISP-2 interface in case the NAT statement doesn't take care of that for you.

--
Please remember to select a correct answer and rate helpful posts

bhargavdesai
Spotlight

I think you are able to configure ISP-1 with NAT, ACL and route. You are facing an issue in setting up the server for ISP-2.

For that you have to configure PBR and also configure NAT with selective services. Find the configuration below for your reference. 

======

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside-2
 security-level 100
 ip address 10.0.0.1 255.255.240.0 
!
interface GigabitEthernet0/2
 nameif outside-3
 security-level 0
 ip address 2.2.2.2 255.255.255.252 
!
interface GigabitEthernet0/3
 nameif inside-3
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
 policy-route route-map PBR                  ===== Policy based routing configure for traffic going out ======
!
object network SRV-1
 host 10.0.0.2
object network SRV-2
 host 172.16.1.15
object network ISP-1-SRV-IP
 host 1.1.1.3
object network ISP-2-SRV-IP
 host 2.2.2.2
!
#### I have loosely configured the ACL, you can separate the two #####
access-list OUT_IN extended permit tcp any object SRV-1 eq www 
access-list OUT_IN extended permit tcp any object SRV-1 eq 3389
access-list OUT_IN extended permit tcp any object SRV-2 eq www 
access-list OUT_IN extended permit tcp any object SRV-2 eq 3389 
#### ACL for Policy based routing traffic matching, I am matching subnet ###
access-list PBR extended permit ip 172.16.1.0 255.255.255.0 any 
!
nat (inside-2,outside) source static SRV-1 ISP-1-SRV-IP    (For Port Forwarding server -1 )
nat (inside-2,outside) source dynamic any interface             ( For internet or Inside to Outside for server -1)
nat (inside-3,outside-3) source dynamic any interface ( For internet or Inside to Outside for server -2)
!
object network SRV-2
 nat (inside-3,outside-3) static interface service tcp www www   (For port forwarding server -2) 
access-group OUT_IN in interface outside
access-group OUT_IN in interface outside-3
!             
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 2.2.2.1          
!             
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside-3 0.0.0.0 0.0.0.0 2.2.2.1 10

=======

 

 

This is not a really fine-structured configuration, but you will get the idea. If you are still having issues, do let me know.

 

H2H

### RATE ALL HELPFUL RESPONSES ###

 

Here is my config below after you suggested putting in the PBR configuration. Does it mean it's working now, since when I tested with packet-tracer the result is allowed? What I did was: Server-2 is my laptop for simulation, connected to the ASA (interface G0/1) on the inside.

 

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.97 255.255.255.0 <--- this IP is configured to our load balancer in our Office. 
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
policy-route route-map PBR

 

object network Server-2
host 172.16.1.15
object network ISP-2-SRV-IP
host 192.168.1.97

access-list OUT_IN extended permit tcp any object Server-2  eq ssh

access-list OUT_IN extended permit tcp any object Server-2 eq 3389
access-list OUT_IN extended permit tcp any object Server-2 eq www
access-list PBR extended permit ip 172.16.1.0 255.255.255.0 any

 


nat (outside,inside) source dynamic any interface
nat (inside,outside) source dynamic any interface
!
object network Server-2
nat (inside,outside) static interface service tcp www www
access-group OUT_IN in interface outside
!
route-map PBR permit 10
match ip address PBR
set ip next-hop 192.168.1.1

 

 

 

ASA2(config)# packet-tracer input outside tcp 192.168.1.25 13389 172.16.1.15 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.1.25/13389 to 172.16.1.1/13389

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source dynamic any interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 156588, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

I tried to change the NAT config because it's not pointing to my Server-2 IP address. 

 

From

nat (outside,inside) source dynamic any interface

To

nat (outside,inside) source static any TerareconServer

 

ASA2(config)# packet-tracer input outside tcp x.x.x.x 13389 172.16.1.15 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static any Server-2
Additional Information:
Static translate x.x.x.x/13389 to 172.16.1.15/13389

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

 

Frame drop:
Invalid encapsulation (invalid-encap) 2961
No valid adjacency (no-adjacency) 191
No route to host (no-route) 19
Flow is denied by configured rule (acl-drop) 999615
First TCP packet not SYN (tcp-not-syn) 1460
TCP failed 3 way handshake (tcp-3whs-failed) 123
TCP RST/FIN out of order (tcp-rstfin-ooo) 5994
TCP SYNACK on established conn (tcp-synack-ooo) 21
TCP RST/SYN in window (tcp-rst-syn-in-win) 7
Slowpath security checks failed (sp-security-failed) 873988
Expired flow (flow-expired) 1
FP L2 rule drop (l2_acl) 173708
Interface is down (interface-down) 168
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 927

Last clearing: Never

Flow drop:
NAT reverse path failed (nat-rpf-failed) 228
Inspection failure (inspect-fail) 10

Last clearing: Never

You have not configured the NAT rules properly. Can you just check the rules from my example? There are four NAT rules.

1: To allow internet from 10.0.0.0/20 subnet including Server 10.0.0.2 from OUTSIDE (ISP-1)
nat (inside-2,outside) source dynamic any interface
2: To host WWW and RDP service on Server 10.0.0.2 from OUTSIDE IP address (ISP-1)
nat (inside-2,outside) source static SRV-1 ISP-1-SRV-IP
3: To allow Internet from 172.16.1.0/24 subnet including Server 172.16.1.15 from OUTSIDE-3 (ISP-2)
nat (inside-3,outside-3) source dynamic any interface
4: To host WWW service on Server 172.16.1.15 from OUTSIDE-3 Interface IP address (ISP-2)
object network SRV-2
nat (inside-3,outside-3) static interface service tcp www www (If you need more services you can
create service object and service group)

Your configuration does not reflect the same. You can run the sh nat details command for more detail. Your PBR seems to be fine, and I hope you have not missed the floating default route to the secondary ISP.

If you are still having problems, do let me know; I am always ready to help you.

H2H
### RATE ALL HELPFUL RESPONSES ###
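The four-rule list above and the rpf-check drops in the earlier packet-tracer output both come down to the order in which the ASA runs its NAT lookups for an inbound connection: first the destination untranslate, then a reverse-path check that asks which rule would translate the reply flow, and the two must agree. The following Python model is an added illustration, not Cisco code or anything posted in the thread. It assumes only manual (twice) NAT rules, evaluated in configuration order; object NAT and after-auto rules are not modelled, and the interface names, 2.2.2.2 (ISP-2 interface) and 172.16.1.15 (Server-2) are constructed from the thread's examples.

```python
"""Simplified model of the two NAT lookups an ASA performs for an inbound
connection: the destination untranslate and the reverse-path (rpf) check.

Added illustration for this thread, not Cisco code.  Assumptions: only manual
(twice) NAT rules are modelled and they are evaluated in configuration order;
object NAT and after-auto rules are not modelled.  Addresses are constructed
from the thread (2.2.2.2 = ISP-2 interface, 172.16.1.15 = Server-2)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    real_ifc: str
    mapped_ifc: str
    real: str                    # real host, or "any"
    mapped: str                  # mapped (public) address, e.g. the interface IP
    kind: str                    # "static" or "dynamic"
    port: Optional[int] = None   # static service NAT port; None = all ports

    def text(self):
        svc = f" service tcp {self.port}" if self.port else ""
        return f"nat ({self.real_ifc},{self.mapped_ifc}) source {self.kind} {self.real} {self.mapped}{svc}"


def untranslate(rules, ingress, dst_ip, dst_port):
    """Inbound lookup on the packet's destination.  Only a static rule yields a
    mapping; dynamic PAT has no xlate for a connection started from the mapped
    side, so those rules are skipped here."""
    for r in rules:
        if (r.kind == "static" and r.mapped_ifc == ingress and r.mapped == dst_ip
                and (r.port is None or r.port == dst_port)):
            return r, r.real
    return None, dst_ip


def reverse_lookup(rules, egress, ingress, real_ip, port):
    """Which rule would translate the reply flow (real side -> mapped side)?
    First match in configuration order wins, as for any outbound packet."""
    for r in rules:
        if (r.real_ifc == egress and r.mapped_ifc == ingress
                and r.real in ("any", real_ip)
                and (r.port is None or r.port == port)):
            return r
    return None


def inbound_check(rules, ingress, egress, dst_ip, dst_port):
    """ALLOW with the real destination, or DROP at rpf-check citing the rule
    that claimed the reverse flow instead of the one used for the untranslate."""
    fwd_rule, real_ip = untranslate(rules, ingress, dst_ip, dst_port)
    rev_rule = reverse_lookup(rules, egress, ingress, real_ip, dst_port)
    if rev_rule is not fwd_rule:
        return ("DROP", "rpf-check", rev_rule.text() if rev_rule else "")
    return ("ALLOW", real_ip, fwd_rule.text() if fwd_rule else "no NAT")


# Constructed rule set in the shape of the poster's single-ISP attempt.
DYNAMIC_PAT = NatRule("inside", "outside", "any", "2.2.2.2", "dynamic")
RDP_FORWARD = NatRule("inside", "outside", "172.16.1.15", "2.2.2.2", "static", 3389)


def demo():
    """Three traces: static before dynamic, dynamic shadowing the static, and
    tracing to the real IP instead of the mapped one."""
    return {
        "ordered":  inbound_check([RDP_FORWARD, DYNAMIC_PAT], "outside", "inside", "2.2.2.2", 3389),
        "shadowed": inbound_check([DYNAMIC_PAT, RDP_FORWARD], "outside", "inside", "2.2.2.2", 3389),
        "real_ip":  inbound_check([DYNAMIC_PAT, RDP_FORWARD], "outside", "inside", "172.16.1.15", 3389),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The "real_ip" trace is the case the replies keep pointing out: tracing to the server's private address finds no static mapping, so the reverse lookup lands on the dynamic PAT rule and the check fails, which says nothing about whether the port-forward itself is right. The "shadowed" trace shows the other common cause of the same drop, a dynamic "any" rule listed ahead of the static one, which is why static port-forward rules belong before the catch-all PAT rule.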

Hi, I'm still having an issue with Server-2 having internet / RDP allowed from outside to inside or vice versa. Below are my current commands on the ASA. Is there any NAT/ACL command that can make both Internet and RDP work?

 

Just disregard the PBR command for now; I just want to work on this kind of setup.

 

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252 <---- /30 ISP 
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0

 

object network Server-2
host 172.16.1.15
nat (inside,outside) static interface service tcp www www

 

object network ISP-2-SRV-IP
host 192.168.1.97


object service TCP3389
service tcp source eq 3389

 

nat (inside,outside) source dynamic any interface <-- If this command is configured my Server-2 is able to browse but cannot RDP from outside to inside and the packet-tracer results will be drop
nat (outside,inside) source static any any destination static interface Server-2 service TCP3389 TCP3389

 

access-list OUT_IN extended permit tcp any object Server-2 eq www
access-list OUT_IN extended permit tcp any object Server-2 eq 3389

 

access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1


packet-tracer input outside tcp x.x.x.x 12345 172.16.1.15 3389

 

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.15 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any object Server-2 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Does your ASA Gig 0/0 (OUTSIDE) interface have a public IP address? As per your information, "192.168.1.97" is not a public IP address. Can you provide a network diagram to understand it better?
Whenever you use packet-tracer, use the public IP address, not the NATed IP.
For example:
My ASA's outside interface IP is 1.1.1.1 and I want to see if 3389 is allowed from outside; for this I would use:

packet-tracer input outside tcp 2.2.2.2 12345 1.1.1.1 3389


"nat (inside,outside) source dynamic any interface <-- If this command is configured my Server-2 is able to browse but cannot RDP from outside to inside and the packet-tracer results will be drop"

This is normal configuration to allow internet access.

If you are available online I can help you remotely.

H2H
### RATE ALL HELPFUL RESPONSES ###