
Question: Inbound Rules on Secondary EthIF

mingram27 (Level 1)

Good Morning,

Please note the following:

- Trying to eliminate my FW as the cause of inbound connectivity issues on the FIOS line

Here is the scenario:

- Ethif_0 = (Primary ISP)

- Ethif_3 = (Secondary ISP)

- All initial inbound static NAT statements (public to pvt IP) are set up on Eth_0 (see example below):

   Primary ISP ACL and NAT statement --> on Ethif_0

   a) access-list outside_acl extended permit tcp any host 72.x.x.10_ext eq www (primary ISP IP's)

   b) static (inside,outside) tcp 72.x.x.10_ext www int_hostname www netmask 255.255.255.255

   Secondary ISP ACL and NAT statement  --> on Ethif_3

   a) access-list FIOS_access_in extended permit tcp any host 72.x.x.100_ext eq 80 (Secondary ISP IP's)

   b) static (inside,outside) 72.x.x.100_ext int_hostname netmask 255.255.255.255

Question:

1. Does the secondary statement look right?

2. Why, if I am trying to connect to the Secondary ISP IP, does it not register at the FW (/28 IP subnetted)?

3. Also, and lastly, the VZ FiOS line only seems to allow the first usable IP to be accessible or pinged (which is the ASA), but every IP after that seems to stop at a device somewhere in Chicago, and I am in NY (see traceroute below):

1   26   0   0      8.9.232.73  xe-5-3-0.edge3.dallas1.level3.net 
2   0   0   0      4.69.145.76  ae-2-70.edge2.dallas3.level3.net 
3   0   0   0      4.68.62.34  mci-level3-ae.dallas3.level3.net 
4   25   22   22      130.81.17.62  xe-2-0-3-0.chi01-bb-rtr1.verizon-gni.net 
5   Timed out   Timed out   Timed out         -  
6   Timed out   Timed out   Timed out         -  
7   Timed out   Timed out   Timed out         -  
8   Timed out   Timed out   Timed out

Do you guys think that my issue is with Verizon (I pray it's not) or do you think that it's a configuration issue on my end? I am familiar with ASA but more familiar with Fortigate FWs.

Also, the goal and/or the exercise is to move all inbound translations from the Primary ISP IPs to the Secondary ISP IPs.

Please let me know what you think, as I have been losing sleep over this matter.

Thank you

7 Replies

Jouni Forss (VIP Alumni)

Hi,

One question. You list example Static NAT configurations for both ISPs, but in both the same "outside" interface is used? Is this just a copy/paste or typo?

- Jouni

mingram27 (Level 1)

Jouni,

No, that is not a question, which is a good observation that I may not have looked at. What should the outside be? FIOS?

Hi,

I presume that the "outside" interface is the Primary ISP, so if you have a separate physical interface for the Secondary ISP then that interface's Static NAT configurations should have something other than "outside".

- Jouni

Jouni and Everyone else,

I just checked the Secondary ISP statement and it is as follows:

static (inside,FIOS) tcp 72.x.x.100 https int_hostname https netmask 255.255.255.255

Sorry about the typo.

So you say that on the Secondary ISP interface you can only see connections coming to the interface IP address of the ASA but no other Static NAT or Static PAT works on that interface?

Have you tried changing the Secondary ISP interface to some other IP address from the same subnet and seen if it still works?

Have you by any chance configured "sysopt noproxyarp FIOS"?

If you have this, it could mean that the ASA wouldn't answer the Secondary ISP's ARP requests for any of the other public IPs used in the Static NAT / Static PAT statements. The "FIOS" interface would still be working since it's configured on an actual physical ASA interface. Or that is my understanding at least.

I am kind of wondering about the routing setup also, mainly because you can't have 2 default routes active at the same time. But if the connections are initiated from the Internet through the different ISP, it's my understanding that in this case the ASA should be able to forward the return traffic from your server through the correct ISP from where the initial connection came. Again, this is a situation which I don't run into in my job, as we don't handle Dual ISP setups directly on an ASA.

- Jouni

So you say that on the Secondary ISP interface you can only see connections coming to the interface IP address of the ASA but no other Static NAT or Static PAT works on that interface?

Ans) Yes. No other Static mapping shows up in the logs.

Have you tried changing the Secondary ISP interface to some other IP address from the same subnet and seen if it still works?

Ans) I have not, but all this would do is configure the Eth with an IP; it does not really address why the other IPs are not being translated internally. Will try it though.

Have you by any chance configured "sysopt noproxyarp FIOS"?

Ans) I will look up this command, but how relevant is this command? Never had to use it.

If you have this, it could mean that the ASA wouldn't answer the Secondary ISP's ARP requests for any of the other public IPs used in the Static NAT / Static PAT statements. The "FIOS" interface would still be working since it's configured on an actual physical ASA interface. Or that is my understanding at least.

Ans) Good point. Will check.

I am kind of wondering about the routing setup also, mainly because you can't have 2 default routes active at the same time. But if the connections are initiated from the Internet through the different ISP, it's my understanding that in this case the ASA should be able to forward the return traffic from your server through the correct ISP from where the initial connection came. Again, this is a situation which I don't run into in my job, as we don't handle Dual ISP setups directly on an ASA.

Ans) The routing is very simple: 2 static routes with different ADs. Primary out = AD 1. Secondary out = AD 250. Inbound rules and destinations to internal resources are enabled for both ISPs, and DNS records primarily point to the Primary ISP's IPs.

Basic setup but not very basic results.

Thank you

With configuring the Secondary ISP interface "FIOS" with another IP from the same public subnet, I was thinking of the possibility of confirming that the ISP has everything configured on their part, i.e. checking whether the other public IPs from the same public subnet work at all.

But if you have configured Static NAT / Static PAT configurations on the Secondary ISP "FIOS" and have tried to connect to those IP addresses from the Internet and seen no increase in the "hitcount" of the ACL rules, then it would seem that there might be something wrong with the routing on the ISP side.

If you have not configured the "sysopt noproxyarp FIOS" then everything should be ok regarding that. If on the other hand you see this in your configuration then it might be causing problems I mentioned above.

- Jouni
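The two configuration checks raised in this thread (the outer interface named in a static must be the interface whose subnet the public address belongs to, and "sysopt noproxyarp" on that interface stops the ASA answering ARP for the translated addresses) can be scripted against a saved ASA 8.2-style configuration rather than eyeballed. The script below is an added example, not code from the thread or from Cisco. The configuration it audits is constructed: RFC 5737 documentation ranges stand in for the thread's elided 72.x.x.x addresses (203.0.113.0/28 as the primary ISP block, 198.51.100.96/28 as the FIOS block), 10.1.1.x hosts stand in for int_hostname, and the interface names, ACL names and port keywords are taken from the posts.

```python
"""
Audit ASA 8.2-style static NAT / ACL pairs for the two mistakes discussed in
the thread: a static bound to the wrong outer interface, and proxy ARP
disabled on an interface that carries static translations.

Added example (not from the thread or from Cisco). All addresses below are
constructed from RFC 5737 documentation ranges.
"""
import ipaddress
import re
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# static (inner,outer) [tcp|udp] GLOBAL_IP [port] LOCAL_IP [port] netmask M
STATIC_RE = re.compile(
    rf"^static \((?P<inner>[^,]+),(?P<outer>[^)]+)\)\s+(?:(?:tcp|udp)\s+)?(?P<gip>{IPV4})\b")
# access-list NAME extended permit PROTO (any|host SRC) host DST ...
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended permit \S+ (?:any|host \S+) host (?P<dst>{IPV4})\b")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")
NOPROXYARP_RE = re.compile(r"^sysopt noproxyarp (?P<iface>\S+)")


@dataclass
class Config:
    iface_net: dict = field(default_factory=dict)   # nameif -> IPv4Network of the interface
    acl_if: dict = field(default_factory=dict)      # acl name -> interface it is applied on
    acl_dsts: list = field(default_factory=list)    # (acl name, permitted public host)
    statics: list = field(default_factory=list)     # (outer interface, global IP)
    noproxyarp: set = field(default_factory=set)    # interfaces with proxy ARP disabled


@dataclass(frozen=True)
class Finding:
    kind: str       # "wrong_interface" | "no_static" | "noproxyarp"
    address: str    # public IP the finding is about
    detail: str


def parse(config_text: str) -> Config:
    cfg = Config()
    cur = None                      # interface block currently being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = {}
            continue
        if cur is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "nameif":
                cur["name"] = parts[1]
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                cur["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            if "name" in cur and "net" in cur:
                cfg.iface_net[cur["name"]] = cur["net"]
            continue
        cur = None
        if m := STATIC_RE.match(line):
            cfg.statics.append((m["outer"], m["gip"]))
        elif m := ACL_RE.match(line):
            cfg.acl_dsts.append((m["name"], m["dst"]))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg.acl_if[m["name"]] = m["iface"]
        elif m := NOPROXYARP_RE.match(line):
            cfg.noproxyarp.add(m["iface"])
    return cfg


def owning_interface(cfg: Config, ip: str):
    """Interface whose configured subnet contains the public IP, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in cfg.iface_net.items() if addr in net), None)


def audit(config_text: str) -> list:
    cfg = parse(config_text)
    findings = []
    for outer, gip in cfg.statics:
        owner = owning_interface(cfg, gip)
        if owner is not None and owner != outer:
            findings.append(Finding("wrong_interface", gip,
                f"static is bound to '{outer}' but {gip} lies in the '{owner}' subnet; "
                f"rewrite it as static (inside,{owner}) ..."))
        if outer in cfg.noproxyarp:
            findings.append(Finding("noproxyarp", gip,
                f"'sysopt noproxyarp {outer}' stops the ASA answering ARP for {gip}, "
                f"so the ISP gateway cannot reach the translation"))
    translated = set(cfg.statics)
    for name, dst in cfg.acl_dsts:
        applied = cfg.acl_if.get(name)
        if applied is not None and (applied, dst) not in translated:
            findings.append(Finding("no_static", dst,
                f"{name} is applied on '{applied}' and permits {dst}, but no "
                f"static (inside,{applied}) translates that address"))
    return findings


# Constructed config modelled on the thread: the second FIOS public address is
# mistakenly bound to "outside", and proxy ARP is disabled on FIOS.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface Ethernet0/3
 nameif FIOS
 security-level 0
 ip address 198.51.100.97 255.255.255.240
!
access-list outside_acl extended permit tcp any host 203.0.113.10 eq www
access-list FIOS_access_in extended permit tcp any host 198.51.100.100 eq 80
access-list FIOS_access_in extended permit tcp any host 198.51.100.101 eq https
access-group outside_acl in interface outside
access-group FIOS_access_in in interface FIOS
static (inside,outside) tcp 203.0.113.10 www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) 198.51.100.100 10.1.1.20 netmask 255.255.255.255
static (inside,FIOS) tcp 198.51.100.101 https 10.1.1.21 https netmask 255.255.255.255
sysopt noproxyarp FIOS
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.kind}] {f.address}: {f.detail}")
```

Feed it the text of "show running-config" from the ASA. On the constructed config it reports three things: the 198.51.100.100 static bound to "outside" instead of "FIOS", the FIOS_access_in entry for that address with no matching static on FIOS, and the .101 static sitting behind "sysopt noproxyarp FIOS". Once the statics are on the right interface and proxy ARP is back on, "show access-list" hitcounts on FIOS_access_in and "show arp" on the ASA are the place to confirm that the ISP side is actually delivering traffic for the rest of the /28.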
