04-24-2012 11:20 AM - edited 03-04-2019 04:08 PM
I am trying to configure dual ISP on my ASA5505 (Security Plus license). I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic. The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router.
Here is my show route output when eth0/0 is connected:
Gateway of last resort is 172.16.1.254 to network 0.0.0.0
C 172.16.1.0 255.255.255.0 is directly connected, primaryisp
C 192.168.5.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, backupisp
S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, primaryisp
Here is my show route output when eth0/0 is disconnected:
Gateway of last resort is 10.10.10.254 to network 0.0.0.0
C 192.168.5.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, backupisp
S* 0.0.0.0 0.0.0.0 [10/0] via 10.10.10.254, backupisp
Here is my config:
nysyrsbo-asa(config)# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname nysyrsbo-asa
names
!
interface Vlan2
nameif primaryisp
security-level 0
ip address 172.16.1.25 255.255.255.0
!
interface Vlan3
nameif backupisp
security-level 1
ip address 10.10.10.25 255.255.255.0
!
interface Vlan5
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network asp-wss-1
host 192.168.5.11
object network inside-network
subnet 192.168.5.0 255.255.255.0
object network inside-network2
subnet 192.168.5.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object asp-wss-1
access-list primaryisp_access_in extended permit object-group DM_INLINE_SERVICE_3 any object asp-wss-1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu primaryisp 1500
mtu backupisp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-network
nat (any,any) static 172.16.1.0
object network inside-network2
nat (any,any) static 10.10.10.0
access-group inside_access_in in interface inside
route primaryisp 0.0.0.0 0.0.0.0 172.16.1.0 1 track 1
route backupisp 0.0.0.0 0.0.0.0 10.10.10.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
threshold 3000
frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:463245607bf3c6a3de823be0c5aa4b68
: end
04-24-2012 12:23 PM
Hi,
I was wondering if a global command is required in this for NATting the traffic to the WAN interfaces.
Regards,
Pawan Sharma
04-24-2012 04:32 PM
I'm not sure if I need a global command or not. I thought the 2 nat commands would take care of everything. Anyone else have any ideas??
Sent from Cisco Technical Support iPad App
04-24-2012 06:17 PM
No 'global' commands in 8.3 and above. Change the backup isp security level to 0 as well. Try by removing...
object network inside-network2
add: nat (any,any) static 10.10.10.0 under the primary nat.
object network inside-network
nat (any,any) static 172.16.1.0
nat (any,any) static 10.10.10.0
Check if that works.
Thx
MS
04-24-2012 06:22 PM
Will try that in the morning. Thanks for the help.
Sent from Cisco Technical Support iPad App
04-25-2012 04:51 AM
So I tried this but it doesn't let me put 2 nat rules under the same nat object. When I type "nat (any,any) static 10.10.10.0" it accepts it, but it replaces the "nat (any,any) static 172.16.1.0". Any other ideas??
04-25-2012 06:04 AM
So the problem is definitely the nat rules... when the failover happens, if I manually change the nat rule from "nat (inside,primaryisp) static primaryisp-network" to "nat (inside,backupisp) static backupisp-network" then traffic begins flowing just fine. Is there maybe something with route-maps that I'm missing??
EDIT: Looks like I figured it out.... I removed the nat commands from the inside-network object and instead used:
nat (inside,primary-isp) source dynamic any interface
nat (inside,secondary-isp) source dynamic any interface
Looks like this is working. Thanks for the help.
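Added example (my own, not code from the thread or from Cisco) modelling the behaviour the thread arrives at: the tracked default route is withdrawn on failover and ASA object NAT is matched in order, so the original (any,any) static rule keeps winning and traffic leaves backupisp with a 172.16.1.x source, while per-interface dynamic PAT makes the mapped address follow the egress interface. Interface names use the posted config's nameif spelling (primaryisp/backupisp), and the route and NAT matching is a simplification of the real ASA logic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    ifc: str
    gateway: str
    distance: int
    track_up: bool = True   # untracked routes never leave the table

@dataclass
class NatRule:
    real_ifc: str           # "any" or an interface name
    mapped_ifc: str
    real_net: str
    mapped: str             # mapped network, or "interface" for PAT

# Interface addresses from the posted config (assumed nameif spelling)
IFC_ADDR = {"primaryisp": "172.16.1.25", "backupisp": "10.10.10.25"}

def egress_interface(routes):
    """Lowest-distance default route whose track is up, as in 'show route'."""
    usable = [r for r in routes if r.track_up]
    return min(usable, key=lambda r: r.distance).ifc if usable else None

def translate(src_ip, routes, rules):
    """Return (egress interface, translated source) for an inside host."""
    egress = egress_interface(routes)
    src = ipaddress.ip_address(src_ip)
    for rule in rules:  # first matching rule wins; (any,any) ignores egress
        if (rule.real_ifc in ("any", "inside") and rule.mapped_ifc in ("any", egress)
                and src in ipaddress.ip_network(rule.real_net)):
            if rule.mapped == "interface":      # PAT to the egress address
                return egress, IFC_ADDR[egress]
            net = ipaddress.ip_network(rule.mapped)  # static net-to-net
            return egress, str(net.network_address + (int(src) & 0xFF))
    return egress, None

# The thread's original object NAT rules and the per-interface PAT that worked
ORIGINAL = [NatRule("any", "any", "192.168.5.0/24", "172.16.1.0/24"),
            NatRule("any", "any", "192.168.5.0/24", "10.10.10.0/24")]
FIXED = [NatRule("inside", "primaryisp", "192.168.5.0/24", "interface"),
         NatRule("inside", "backupisp", "192.168.5.0/24", "interface")]

def scenario(track_up, rules):
    """Tracked primary default route (distance 1), untracked backup (10)."""
    routes = [Route("primaryisp", "172.16.1.254", 1, track_up),
              Route("backupisp", "10.10.10.254", 10)]
    return translate("192.168.5.11", routes, rules)
```

Calling scenario(False, ORIGINAL) shows the mismatch (egress backupisp, source still 172.16.1.11), whereas scenario(False, FIXED) yields the backupisp interface address.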
04-25-2012 12:28 PM
Glad to hear you figured this one out. Thanks for the update and rating.