08-23-2010 06:37 AM - edited 03-11-2019 11:29 AM
Hi Moderator,
I have the following query with regards to Firewall.
1) Will global NAT forward the traffic to the respective gateways of each ISP, i.e. global ID 13 should always forward to 100.X.X.X and 14 should forward to 200.X.X.X through the default route?
2) In the event the primary internet goes down, what are the challenges? Assuming I have an ISP-independent public IP pool.
Thanks in advance.
S Kumar
*********Config START************************************
interface Gi0/0
description Primary Internet
nameif outside
security-level 0
ip address 100.X.X.X 255.255.255.0
!
interface Gi0/1
description Secondary Internet
nameif outside-2
security-level 0
ip address 200.X.X.X 255.255.255.0
!
interface Gi0/2
description Corporate network
nameif INSIDE
security-level 100
ip address 10.10.10.1 255.255.255.0
route inside 10.10.20.0 255.255.255.0 10.10.10.10 1
route inside 10.10.30.0 255.255.255.0 10.10.10.10 1
!
global (outside) 13 100.X.X.X
global (outside) 14 200.X.X.X
nat (inside) 13 10.10.20.0 255.255.255.0
nat (inside) 14 10.10.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.X.X.X
route outside 0.0.0.0 0.0.0.0 200.X.X.X
************Config-END*********************************
08-23-2010 06:54 AM
Kumar,
I believe you meant
route outside-2 0.0.0.0 0.0.0.0 200.X.X.X and not route outside 0.0.0.0 0.0.0.0 200.X.X.X
In either case the ASA can only load balance up to 3 default GWs out the SAME interface, not out diff. interfaces.
You need to do PBR (Policy Based Routing) using a Layer 3 device on the outside.
Pls. read this thread where I have answered this in the past: https://supportforums.cisco.com/message/894920
You can also do SLA route tracking: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
-KS
08-23-2010 07:15 AM
Hi Kusankar,
Thanks for your reply and the correction, as follows.
route outside-2 0.0.0.0 0.0.0.0 200.X.X.X
I would like to load balance outbound traffic based on global NAT.
I.e. a few VLANs would use global NAT 13 to forward traffic to OUTSIDE (interface)
and the remaining VLANs would use global NAT 14 to forward traffic to OUTSIDE-2 (interface).
In the event of an outage at the primary ISP, both global NAT 13 and 14 should use OUTSIDE-2 (interface).
Would this work out practically?
Thanks
Kumar
08-23-2010 07:21 AM
Yes, only in the scenario that I mentioned on the thread link that I enclosed. Pls. read that. You cannot add two default routes on the ASA pointing to two diff. interfaces. It does not work.
                      Outside
                     /
inside---ASA---Router
          |          \
         DMZ          Outside-2
-KS
08-23-2010 08:14 AM
Thanks kusankar,
Since I have two different public pools, how will it accommodate two IP networks between ASA <-----to------> Router?
As the ASA does not seem to support sub-interfaces or the secondary command.
Thanks,
Kumar
08-23-2010 08:24 AM
Kumar,
You can use any IP address on the ASA to translate. An interface doesn't have to be configured on the ASA to be able to use the IP block for translation. You can just use a private IP subnet between the ASA and the Router.
Like I discussed on that previous thread, you can use ISP1 block one for all dynamic NAT translations and use ISP2 block IP for all static NAT translations - all on the ASA. Then the router will look at the packet: if it has a source address provided by ISP1 (after translation from the ASA) then it will send the packet via the ISP1 link, and if the packets have a source address provided by ISP2 (after translation from the ASA) then it will send the packets via the ISP2 link. This can be configured using PBR - route maps and setting the next hop on the router.
-KS
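Added example, not from this thread or the linked one: a possible IOS configuration for the router KS describes, with PBR choosing the ISP next hop from the ASA-translated source address and IP SLA tracking so a dead gateway is skipped. All addressing is constructed: 192.168.254.0/30 is the private ASA-to-router link, 100.100.100.0/24 and 200.200.200.0/24 stand in for the thread's 100.X.X.X and 200.X.X.X blocks, and the ASA is assumed to keep a single default route to 192.168.254.1 on its outside interface with its dynamic pool drawn from the first /24 and its statics from the second.

```cisco
! Hypothetical IOS router between the ASA and both ISPs (example, not from the thread).
! Constructed addressing:
!   ASA outside 192.168.254.2/30 <-> router Gi0/0 192.168.254.1/30 (private link)
!   ISP1 link 100.100.1.0/30 (gw .1), routed block 100.100.100.0/24 (ASA dynamic NAT pool)
!   ISP2 link 200.200.1.0/30 (gw .1), routed block 200.200.200.0/24 (ASA static NATs)
!
! Reachability probes so a dead ISP gateway is noticed (10 s interval).
ip sla 1
 icmp-echo 100.100.1.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.200.1.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Match on the source address the ASA stamped on the packet after translation.
ip access-list extended ISP1-SRC
 permit ip 100.100.100.0 0.0.0.255 any
ip access-list extended ISP2-SRC
 permit ip 200.200.200.0 0.0.0.255 any
!
! PBR: next hop chosen by translated source. If the tracked gateway is down the
! set is skipped and the packet falls through to the routing table below.
route-map ISP-PBR permit 10
 match ip address ISP1-SRC
 set ip next-hop verify-availability 100.100.1.1 10 track 1
route-map ISP-PBR permit 20
 match ip address ISP2-SRC
 set ip next-hop verify-availability 200.200.1.1 10 track 2
!
interface GigabitEthernet0/0
 description Private link to ASA outside
 ip address 192.168.254.1 255.255.255.252
 ip policy route-map ISP-PBR
interface GigabitEthernet0/1
 ip address 100.100.1.2 255.255.255.252
interface GigabitEthernet0/2
 ip address 200.200.1.2 255.255.255.252
!
! Return traffic for both public blocks goes back to the ASA, which answers for them via NAT.
ip route 100.100.100.0 255.255.255.0 192.168.254.2
ip route 200.200.200.0 255.255.255.0 192.168.254.2
! Fallback default: ISP1 while track 1 is up, otherwise the floating route via ISP2.
ip route 0.0.0.0 0.0.0.0 100.100.1.1 track 1
ip route 0.0.0.0 0.0.0.0 200.200.1.1 10
```

When ISP1 is down, flows the ASA sourced from the ISP1 block fall through to ISP2, and their replies only come back if ISP2 routes that block, which is the ISP-independent pool case raised in the question; with ISP-assigned blocks the ASA's NAT selection must also switch, not just the router's next hop.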
08-23-2010 10:12 AM
Hi Kusankar,
As said, having configured a private IP between ASA and Router, will I be able to terminate Site-to-Site VPN or Remote VPN on the ASA?
Thanks,
Kumar.
08-24-2010 05:13 AM
So long as the router can translate the ASA's outside interface statically (1-1) to a routable address, I don't see why not.
-KS
10-05-2017 04:44 AM
Hi ,
I am planning to do the primary and backup setup on ASA. When the primary fails over to the backup,
what will happen to all the NAT config?
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static BE-abc-company-Network BE-abc-company-Network no-proxy-arp route-lookup
2 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static US-abc-company-Network US-abc-company-Network no-proxy-arp route-lookup
4 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static SG-abc-company-Network SG-abc-company-Network no-proxy-arp route-lookup
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-10.22.0.99 178.132.22.10
2 (Guest) to (outside) source dynamic Guest-Network interface
3 (inside) to (outside) source dynamic obj_any interface
Do I need to create another set of Manual and Auto NAT rules for the "backup" outside interface?
Manual NAT Policies (Section 1)
1 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static BE-abc-company-Network BE-abc-company-Network no-proxy-arp route-lookup
2 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static US-abc-company-Network US-abc-company-Network no-proxy-arp route-lookup
4 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static SG-abc-company-Network SG-abc-company-Network no-proxy-arp route-lookup
Auto NAT Policies (Section 2)
1 (inside) to (backup) source static obj-10.22.0.99 192.135.20.10
2 (Guest) to (backup) source dynamic Guest-Network interface
3 (inside) to (backup) source dynamic obj_any interface