04-02-2013 08:14 AM - edited 03-11-2019 06:22 PM
Good Morning,
Please note the following:
- Trying to eliminate my FW as the issue for inbound connectivity issues on the FIOS line
Here is the scenario:
- Ethif_0 = (Primary ISP)
- Ethif_3 = (Secondary ISP)
- All initial inbound static NAT statements (public to pvt IP) are set up on Eth_0 (see example below):
Primary ISP ACL and NAT statement --> on Ethif_0
a) access-list outside_acl extended permit tcp any host 72.x.x.10_ext eq www (primary ISP IPs)
b) static (inside,outside) tcp 72.x.x.10_ext www int_hostname www netmask 255.255.255.255
Secondary ISP ACL and NAT statement --> on Ethif_3
a) access-list FIOS_access_in extended permit tcp any host 72.x.x.100_ext eq 80 (Secondary ISP IPs)
b) static (inside,outside) 72.x.x.100_ext int_hostname netmask 255.255.255.255
Question:
1. Does the secondary statement look right?
2. Why, if I am trying to connect to the Secondary ISP IP, does it not register at the FW (/28 IP subnet)?
3. Also and lastly, the VZ FiOS line only seems to allow the first usable IP to be accessible or pinged (which is the ASA), but every IP after that seems to stop at a device somewhere in Chicago, and I am in NY (see traceroute below):
1 | 26 | 0 | 0 | 8.9.232.73 | xe-5-3-0.edge3.dallas1.level3.net |
2 | 0 | 0 | 0 | 4.69.145.76 | ae-2-70.edge2.dallas3.level3.net |
3 | 0 | 0 | 0 | 4.68.62.34 | mci-level3-ae.dallas3.level3.net |
4 | 25 | 22 | 22 | 130.81.17.62 | xe-2-0-3-0.chi01-bb-rtr1.verizon-gni.net |
5 | Timed out | Timed out | Timed out | - |
6 | Timed out | Timed out | Timed out | - |
7 | Timed out | Timed out | Timed out | - |
8 | Timed out | Timed out | Timed out |
Do you guys think that my issue is with Verizon (I pray it's not), or do you think that it's a configuration issue on my end? I am familiar with ASA but more familiar with Fortigate FWs.
Also, the goal and/or the exercise is to move all inbound translations from the Primary ISP IPs to the Secondary ISP IPs.
Please let me know what you think as I have been losing sleep on this matter.
Thank you
04-02-2013 08:18 AM
Hi,
One question. You list example Static NAT configurations for both ISPs but in both the same "outside" interface is used? Is this just a copy/paste or typo?
- Jouni
04-02-2013 08:21 AM
Jouni,
No, that is not a question. Which is a good observation that I may not have looked at. What should the outside be? FIOS?
04-02-2013 08:27 AM
Hi,
I presume that the "outside" interface is the Primary ISP, so if you have a separate physical interface for the Secondary ISP then that interface's Static NAT configurations should have something else than "outside".
- Jouni
04-02-2013 08:27 AM
Jouni and Everyone else,
I just checked the Secondary ISP statement and it is as follows:
static (inside,FIOS) tcp 72.x.x.100 https int_hostname https netmask 255.255.255.255
Sorry about the typo.
04-02-2013 08:42 AM
So you say that on the Secondary ISP interface you can only see connections coming to the interface IP address of the ASA but no other Static NAT or Static PAT works on that interface?
Have you tried changing the Secondary ISP interface to some other IP address from the same subnet and seen if it still works?
Have you by any chance configured "sysopt noproxyarp FIOS"?
If you have, this could mean that the ASA wouldn't answer the Secondary ISP's ARP requests for any of the other public IPs used in the Static NAT / Static PAT statements. The "FIOS" interface would still be working since it's configured on an actual physical ASA interface. Or that is my understanding at least.
I am kinda wondering about the routing setup also. Mainly because you can't have 2 default routes active at the same time. But if the connections are initiated from the Internet through the different ISP, it's my understanding that in this case the ASA should be able to forward the return traffic from your server through the correct ISP from where the initial connection came. Again, this is a situation which I don't run into in my job as we don't handle Dual ISP setups directly on an ASA.
- Jouni
04-02-2013 08:56 AM
So you say that on the Secondary ISP interface you can only see connections coming to the interface IP address of the ASA but no other Static NAT or Static PAT works on that interface?
Ans) Yes. No other Static mapping shows up in the logs
Have you tried changing the Secondary ISP interface to some other IP address from the same subnet and seen if it still works?
Ans) I have not, but all this would do is configure the Eth with an IP; it does not really address why other IPs are not being translated internally. Will try it though.
Have you by any chance configured "sysopt noproxyarp FIOS"?
Ans) I will look up this command, but how relevant is this command? Never had to use it.
If you have, this could mean that the ASA wouldn't answer the Secondary ISP's ARP requests for any of the other public IPs used in the Static NAT / Static PAT statements. The "FIOS" interface would still be working since it's configured on an actual physical ASA interface. Or that is my understanding at least.
Ans) Good point. Will check.
I am kinda wondering about the routing setup also. Mainly because you can't have 2 default routes active at the same time. But if the connections are initiated from the Internet through the different ISP, it's my understanding that in this case the ASA should be able to forward the return traffic from your server through the correct ISP from where the initial connection came. Again, this is a situation which I don't run into in my job as we don't handle Dual ISP setups directly on an ASA.
Ans) The routing is very simple. 2 static routes with different ADs: Primary out = Secondary = AD-1. Secondary out = AD-250. Inbound rules and destinations to internal resources are enabled for both ISPs, and DNS records primarily point to the Primary ISP's.
Basic setup but not very basic results.
Thank you
04-02-2013 09:06 AM
With configuring the Secondary ISP interface "FIOS" with another IP from the same public subnet, I was thinking of the possibility of confirming that the ISP has everything configured on their part. Checking if the other public IPs from the same public subnet work at all.
But if you have configured Static NAT / Static PAT configurations on the Secondary ISP "FIOS" and have tried to connect to those IP addresses from the Internet and seen no increase in the "hitcount" of the ACL rules, then it would seem that there might be something wrong with the routing on the ISP side.
If you have not configured the "sysopt noproxyarp FIOS" then everything should be ok regarding that. If on the other hand you see this in your configuration then it might be causing the problems I mentioned above.
- Jouni
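The two misconfigurations discussed in this thread (a static that names "outside" for a public IP belonging to the secondary ISP's subnet, and "sysopt noproxyarp" on the interface carrying the statics) can be caught by linting the ASA 8.2-style config offline. The following is an added example, not code from the thread or from Cisco; the config fragment is constructed with documentation-range addresses and is not the poster's real configuration.

```python
import ipaddress
import re
# Constructed ASA 8.2-style fragment modelled on the thread (documentation-range addresses,
# not the poster's config). The second static names "outside" for an IP in the FIOS subnet.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.10 255.255.255.240
interface Ethernet0/3
 nameif FIOS
 ip address 198.51.100.98 255.255.255.240
sysopt noproxyarp FIOS
static (inside,outside) tcp 192.0.2.11 www 10.1.1.5 www netmask 255.255.255.255
static (inside,outside) 198.51.100.100 10.1.1.6 netmask 255.255.255.255
static (inside,FIOS) tcp 198.51.100.100 https 10.1.1.6 https netmask 255.255.255.255
"""

def parse_interfaces(cfg):
    """Map nameif -> (interface IP, interface subnet) from nameif / ip address pairs."""
    ifaces, nameif = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and nameif:
            ip, mask = m.groups()
            ifaces[nameif] = (ipaddress.ip_address(ip), ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return ifaces

def parse_statics(cfg):
    """Yield (mapped interface, mapped IP, line) for each 8.2-style static NAT/PAT."""
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "static":
            mapped_if = t[1].strip("()").split(",")[1]
            mapped_ip = t[3] if t[2] in ("tcp", "udp") else t[2]  # static PAT carries a protocol
            yield mapped_if, ipaddress.ip_address(mapped_ip), line.strip()

def audit(cfg):
    """Flag statics mapped on the wrong interface for their IP, and statics on a noproxyarp interface."""
    ifaces = parse_interfaces(cfg)
    noproxy = set(re.findall(r"^sysopt noproxyarp (\S+)", cfg, re.M))
    findings = []
    for mapped_if, ip, line in parse_statics(cfg):
        owner = next((n for n, (_, net) in ifaces.items() if ip in net), None)
        if owner and owner != mapped_if:
            findings.append(f"WRONG_INTERFACE: {ip} is in the {owner} subnet but static names {mapped_if}: {line}")
        # With proxy ARP off, the ASA still answers for its own interface IP but not for other mapped IPs
        if mapped_if in noproxy and mapped_if in ifaces and ip != ifaces[mapped_if][0]:
            findings.append(f"NOPROXYARP: {mapped_if} will not answer ARP for {ip}: {line}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the second static as WRONG_INTERFACE and the third as NOPROXYARP; removing the sysopt line leaves only the first finding.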