Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7892
Views
0
Helpful
21
Replies

Multiple WAN on same interface in ASA

Go to solution
Rawit2015
Level 1
Level 1

‎11-22-2016 10:17 PM - edited ‎03-12-2019 01:34 AM

Since I have never worked with ASA having a multiple WAN on same interface, how this can be achieved? My ISP has given me /29 IP address, and I assigned xxx.xxx.xxx.xxx/29 to one physical interface, set gw, route for gw, nat, access lists, etc. My question is, how can I use other WAN addresses from same scope and make forward each one of them for each internal subnet. For example: xxx.xxx.xxx.xxx/29 to 192.168.1.0/24, xxx.xxx.xxx.xxy/29 to 172.16.1.0/23, xxx.xxx.xxx.xxz/29 to 10.0.0.0/24...

Can someone provide an example?

Also how can this be achieved if each WAN is assigned with physical interface on ASA (if it is possible)?

Labels:
0 Helpful
21 Replies 21

Go to solution
Boris Uskov
Level 4
Level 4
In response to Rawit2015

‎12-01-2016 02:03 AM

Hello, if input and output interfaces are in "UP" states, you can use packet-tracer.

As I see from the config, WAN1 is connected to WAN_OLD interface (metric 1) and WAN2 is connected to outside interface (metric 2).

route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2

Since WAN1 (WAN_OLD) interface has metric 1 as default route it will always be used for outgoing traffic (traffic, initiated from inside of ASA). So, I assume, that you miss a NAT rule for Server-subnet. For example, 

object network Server-net
 subnet 192.168.96.0 255.255.255.0
 nat (ServerTV,WAN_OLD) dynamic interface

also, if you want to use ping for tesing, add icmp inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

0 Helpful

Go to solution
Rawit2015
Level 1
Level 1
In response to Boris Uskov

‎12-01-2016 02:20 AM

Yes, you are absolutely correct. It occurred me just few minutes ago that might be the route thing. (for that reason I opened new discussion on Cisco on this link mentioning two static routes with metrics... https://supportforums.cisco.com/discussion/13175596/static-nat-internet-connectivity-issue-asa). You are correct, it will never reach outside as it doesn't have route for that interface. But will this somehow sc*** current static NAT that is set and working? 

0 Helpful

Go to solution
Boris Uskov
Level 4
Level 4
In response to Rawit2015

‎12-01-2016 02:37 AM

Current static NAT will be ok despite routing. That is the ASA's speciality. ASA is flow-oriented gear (comparing to routers). If the session in initiated from outside (through the outside interface), ASA records both input and output interfaces. So, when return packect reach the ASA, it will look at the session records and get the output interface from there. So the return packets will be sent through outside interface (not WAN_OLD interface), despite the routing table.

0 Helpful

Go to solution
Rawit2015
Level 1
Level 1
In response to Boris Uskov

‎12-01-2016 07:23 AM

Hi Boris,

I must admit that I am bit confused here. If you initiate traffic from ServerTV through WAN_OLD it has translation of xxx.xxx.xxx.xxy and it is written in header of each packet. When it gets back, it is using same IP xxx.xxx.xxx.xxy as it is initiated from, correct? So how come it can forward reply to other WAN2 xxx.xxx.xxx.xxz?

0 Helpful

Go to solution
Boris Uskov
Level 4
Level 4
In response to Rawit2015

‎12-01-2016 10:50 PM

Hello, you say everything correct :)

If you initiate traffic from ServerTV, the ASA will check for its connection table and will not find any establited connections, since the session is being just initialized. So the ASA will check routing table and find the output interface WAN_OLD (due to route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1). The source IP in packets will always be translated to xxx.xxx.xxx.xxy. The return packets will always have destination IP of xxx.xxx.xxx.xxy and will come back through WAN_OLD.

BUT

If you initiate traffic from somewhere in Internet to ServerTV to the public IP address xxx.xxx.xxx.xxZ, the packets will have dest. IP xxx.xxx.xxx.xxZ and will come to ASA through OUTSIDE interface (not WAN_OLD interface). So the packets will have their dest IP translated to ServetTV private IP addresses and will reach the ServerTV. The ASA will make a record in the connection table about this session. Then ServerTV will send answering packets to ASA. The ASA will check its connection table and see that the session is already established through the pair of interfaces OUTSIDE -> ServerTV. So the return packets will have to use the same pait of interfaces ServerTV -> OUTSIDE. So, the return packets will leave OUTSIDE interface of the ASA, despite the default route is configured through WAN_OLD interface with a better metric.

Hope this helps.

0 Helpful

Go to solution
HezalOthman31665
Level 1
Level 1
In response to Boris Uskov

‎07-15-2020 07:06 PM

hi, what if i have 2 wan to nat to same internal...? thanks

0 Helpful

Go to solution
HezalOthman31665
Level 1
Level 1
In response to Boris Uskov

‎07-15-2020 07:10 PM

Hi Boris,
if i have 2 wan and need to nat to the same dmz, is it possible?
for example:
Wan1 123.234.1.5
Wan2 211.111.88.5
dmz 192.168.9.10
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card