Assistance with DMVPN through FTD with two internet connections

Travis-Fleming
Level 1

Hello. We have a remote site with a 5506-X FTD. We utilize a DMVPN GRE tunnel back to our main HQ through a Cisco 4331 router one hop behind the FTD. Our primary internet is somewhat unreliable, so we've added a secondary internet connection via a Cisco 800 series router with Verizon LTE service to our 5506 FTD. We are using metrics on the FTD for the default route, with an SLA on each path.

 

Wondering if there is a way to have the DMVPN GRE tunnel on our 4331 dynamically switch to the secondary internet connection, in the event the first one goes down? Right now I think NAT on the FTD is our biggest hurdle. When the primary internet goes down, any traffic from our Cisco 4331 would then start going out our secondary internet connection, via a new public IP from the secondary. On the FTD would we just add NAT rules under our existing rules? Current rules are security zone based (screenshot attached). I believe we would need to manually clear the crypto at our HQ for the tunnel, but we would be okay with that. Also attached a simple diagram to help illustrate.

Accepted Solution

Hello,

 

I have made some changes to your configuration (marked in bold). You don't need two IP SLAs, just one is sufficient. The EEM scripts add and remove the NAT statements based on which interface is active, and clear all existing NAT translations. What you do with the two routers at the head end depends on how they are connected.

 

> show running-config
: Saved

:
: Serial Number: XXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
NGFW Version 6.2.2.5
!
hostname firepower
enable password XXXX
names

!
interface GigabitEthernet1/1 <-----Internet connection 1 (primary)
description LTD Broadband - No Circuit ID
nameif WAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface GigabitEthernet1/2 <-----LAN to router
description ms-romn-mpls-rt01_gi0/2
nameif LAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.28.3.1 255.255.255.248
!
interface GigabitEthernet1/3 <-----Internet connection 2 (secondary)
description Verizon Cell
speed 100
duplex full
nameif WAN2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.10.51.2 255.255.255.252
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif InlineA-RouterSide
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
!
interface GigabitEthernet1/8
nameif InlineB-SwitchSide
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.29.3.3 255.255.255.0
!
inline-set MAN-InspectionPair
snort fail-open busy down
interface-pair InlineA-RouterSide InlineB-SwitchSide
boot system disk0:/os.img
ftp mode passive
ngips conn-match vlan-id
object network Remote-Data-Nets
subnet 172.29.0.0 255.255.0.0
object network Remote-DMZ-Nets
subnet 172.28.0.0 255.255.0.0
object network Remote-Voice-Nets
subnet 172.30.0.0 255.255.0.0
object service emptyDMVPN-GRE
service udp destination eq isakmp
object service emptyDMVPN-IPSEC
service udp destination eq 4500
object network MS-Postage
host 172.29.3.15
description C200 pitney bowes machine
object network ms-romn-mpls-rt01
host 172.29.3.1
object network GuestDNSServer
host X.X.X.X
object network DR-DMVPN-RTR
host X.X.X.X
object network HQ-DMVPN-RTR
host X.X.X.X
object network HQ-WirelessMgmt
subnet 172.17.39.0 255.255.255.0
object network HQ-Data1
range 172.17.4.1 172.17.6.254
object network HQ-Data2
range 172.17.12.0 172.17.14.254
object network Corp-Wireless
subnet 172.17.9.0 255.255.255.0
description Spans both HQ and DR
object network HQDC-DynamicServers
subnet 172.17.97.0 255.255.255.0
description DHCP managed network for servers.
object network HQDC-WindowsServers
subnet 172.17.99.0 255.255.255.0
object network HQDC-LinuxServers
subnet 172.17.98.0 255.255.255.0
object network Guest-Wireless
subnet 192.168.204.0 255.255.252.0
object network HQDC-MGMT
subnet 172.17.69.0 255.255.255.0
object network HQDC-WEBDMZ
subnet 192.168.200.0 255.255.255.0
object network HQDC-SAN
subnet 172.17.93.0 255.255.255.0
object network HQDC-Servers-Net
subnet 172.16.1.0 255.255.255.0
description Misc Servers
object network HQ-Voice1
subnet 172.17.11.0 255.255.255.0
object network HQ-Voice2
range 172.17.15.0 172.17.19.254
object network HQ-DriverDMZ
subnet 172.17.25.0 255.255.255.0
object network DR-Voice3
subnet 172.18.31.0 255.255.255.0
object network DR-Voice2
subnet 172.18.21.0 255.255.255.0
object network DR-Voice1
subnet 172.18.11.0 255.255.255.0
object network DR-Security
subnet 172.18.51.0 255.255.255.0
object network DR-VideoConf
subnet 172.18.50.0 255.255.255.0
object network DR-Data2
subnet 172.18.20.0 255.255.255.0
object network DR-Data1
subnet 172.18.10.0 255.255.255.0
object network DR-Printers
subnet 172.18.40.0 255.255.255.0
object network DR-Data3
subnet 172.18.30.0 255.255.255.0
object network DR-HVAC
subnet 172.18.52.0 255.255.255.0
object network DRDC-WindowsServers
subnet 172.18.99.0 255.255.255.0
object network DRDC-LinuxServers
subnet 172.18.98.0 255.255.255.0
object network DRDC-Management
subnet 172.18.69.0 255.255.255.0
object network at-grsc-guest-net
subnet 172.31.16.0 255.255.255.0
object network Remote-Guest-Nets
subnet 172.31.0.0 255.255.0.0
object network ms-romn-guest_wan
host 1.2.3.4
object-group service FTP tcp
port-object eq ftp
object-group service HTTPS tcp
port-object eq https
object-group service HTTP tcp
port-object eq www
object-group service ICMP_any
service-object icmp
object-group service DNS_over_TCP tcp
port-object eq domain
object-group service DNS_over_UDP udp
port-object eq domain
object-group service DMVPN-IPSEC udp
port-object eq 4500
object-group service DMVPN-GRE udp
port-object eq isakmp
object-group service SSH tcp
port-object eq ssh
object-group network FMC_INLINE_src_rule_268439558
description Auto Generated by FMC from src of UnifiedNGFWRule# 3 (Remote Sites Access Control/default)
network-object object DR-DMVPN-RTR
network-object object HQ-DMVPN-RTR
object-group network HQ-Data-ALL
network-object object HQ-Data1
network-object object HQ-Data2
network-object object Corp-Wireless
object-group network HQ-Voice-All
network-object object HQ-Voice1
network-object object HQ-Voice2
object-group network HQ-ALL
description All HQ Networks
network-object object HQ-WirelessMgmt
group-object HQ-Data-ALL
network-object object HQDC-DynamicServers
network-object object HQDC-WindowsServers
network-object object HQDC-LinuxServers
network-object object Guest-Wireless
network-object object HQDC-MGMT
network-object object HQDC-WEBDMZ
network-object object HQDC-SAN
network-object object HQDC-Servers-Net
group-object HQ-Voice-All
network-object object HQ-DriverDMZ
object-group network DR-Voice-ALL
network-object object DR-Voice3
network-object object DR-Voice2
network-object object DR-Voice1
object-group network DR-Data-ALL
network-object object DR-Data2
network-object object DR-Data1
network-object object Corp-Wireless
network-object object DR-Printers
network-object object DR-Data3
object-group network DR-Endpoints-ALL
group-object DR-Voice-ALL
network-object object DR-Security
network-object object Guest-Wireless
network-object object DR-VideoConf
network-object object Corp-Wireless
group-object DR-Data-ALL
network-object object DR-HVAC
object-group network DRDC-Servers-ALL
network-object object DRDC-WindowsServers
network-object object DRDC-LinuxServers
network-object object DRDC-Management
object-group network DR-ALL
group-object DR-Endpoints-ALL
group-object DRDC-Servers-ALL
object-group network FMC_INLINE_dst_rule_268440576
description Auto Generated by FMC from dst of UnifiedNGFWRule# 8 (Remote Sites Access Control/default)
group-object HQ-ALL
group-object DR-ALL
object-group network FMC_INLINE_src_rule_268440577
description Auto Generated by FMC from src of UnifiedNGFWRule# 9 (Remote Sites Access Control/default)
group-object HQ-ALL
group-object DR-ALL
object-group service TCP_UDP_40950-41950 tcp-udp
port-object range 40950 41950
object-group service NTP-UDP udp
port-object eq ntp
object-group service UDP_1294 udp
port-object eq 1294
object-group network IPv4-Private-All-RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group service Lytx tcp
port-object eq 6263
object-group network FMC_INLINE_dst_rule_268448868
description Auto Generated by FMC from dst of UnifiedNGFWRule# 4 (Remote Sites Access Control/default)
network-object object DR-DMVPN-RTR
network-object object HQ-DMVPN-RTR
access-list CSM_FW_ACL_ remark rule-id 268439563: PREFILTER POLICY: Remote Sites Prefilter
access-list CSM_FW_ACL_ remark rule-id 268439563: RULE: Allow DNS
access-list CSM_FW_ACL_ advanced trust udp ifc LAN any ifc WAN object GuestDNSServer object-group DNS_over_UDP rule-id 268439563 event-log both
access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: Remote Sites Prefilter
access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 268437506
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 268437506
access-list CSM_FW_ACL_ remark rule-id 268439571: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439571: L7 RULE: Block-Blacklisted-Traffic
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268439571
access-list CSM_FW_ACL_ remark rule-id 268448848: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268448848: L4 RULE: Manual Block List Outbound
access-list CSM_FW_ACL_ advanced deny ip ifc LAN any ifc WAN object-group Manual-Blacklist-For-Access-Policies rule-id 268448848 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268448849: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268448849: L4 RULE: Manual Block List Inbound
access-list CSM_FW_ACL_ advanced deny ip ifc WAN object-group Manual-Blacklist-For-Access-Policies ifc LAN any rule-id 268448849 event-log flow-start
access-list CSM_FW_ACL_ advanced permit object-group ICMP_any any any rule-id 268437504
access-list CSM_FW_ACL_ remark rule-id 268439555: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439555: L7 RULE: Inline Inspection Outbound
access-list CSM_FW_ACL_ advanced permit ip ifc InlineB-SwitchSide any ifc InlineA-RouterSide any rule-id 268439555
access-list CSM_FW_ACL_ remark rule-id 268439556: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439556: L7 RULE: Inline Inspection Inbound
access-list CSM_FW_ACL_ advanced permit ip ifc InlineA-RouterSide any ifc InlineB-SwitchSide any rule-id 268439556
access-list CSM_FW_ACL_ remark rule-id 268439562: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439562: L7 RULE: Allow DNS for Guest Wireless
access-list CSM_FW_ACL_ advanced permit tcp any host X.X.X.X object-group DNS_over_TCP rule-id 268439562
access-list CSM_FW_ACL_ advanced permit udp any host X.X.X.X object-group DNS_over_UDP rule-id 268439562
access-list CSM_FW_ACL_ remark rule-id 268448796: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268448796: L7 RULE: Lytx access
access-list CSM_FW_ACL_ advanced permit tcp object Remote-Data-Nets any object-group Lytx rule-id 268448796
access-list CSM_FW_ACL_ remark rule-id 268439558: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439558: L7 RULE: Allow DMVPN Inbound
access-list CSM_FW_ACL_ advanced permit udp ifc WAN object-group FMC_INLINE_src_rule_268439558 ifc LAN object Remote-Data-Nets object-group DMVPN-GRE rule-id 268439558
access-list CSM_FW_ACL_ advanced permit udp ifc WAN object-group FMC_INLINE_src_rule_268439558 ifc LAN object Remote-Data-Nets object-group DMVPN-IPSEC rule-id 268439558
access-list CSM_FW_ACL_ remark rule-id 268448868: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268448868: L7 RULE: Allow DMVPN Outbound
access-list CSM_FW_ACL_ advanced permit udp ifc LAN object Remote-Data-Nets ifc WAN object-group FMC_INLINE_dst_rule_268448868 object-group DMVPN-GRE rule-id 268448868
access-list CSM_FW_ACL_ advanced permit udp ifc LAN object Remote-Data-Nets ifc WAN object-group FMC_INLINE_dst_rule_268448868 object-group DMVPN-IPSEC rule-id 268448868
access-list CSM_FW_ACL_ remark rule-id 268437505: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268437505: L7 RULE: Allow Web Traffic to Friendies
access-list CSM_FW_ACL_ advanced permit tcp any any object-group FTP rule-id 268437505
access-list CSM_FW_ACL_ advanced permit tcp any any object-group HTTP rule-id 268437505
access-list CSM_FW_ACL_ advanced permit tcp any any object-group HTTPS rule-id 268437505
access-list CSM_FW_ACL_ remark rule-id 268439557: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439557: L7 RULE: Allow DNS for Pitney Bowes
access-list CSM_FW_ACL_ advanced permit tcp object MS-Postage any4 object-group DNS_over_TCP rule-id 268439557
access-list CSM_FW_ACL_ advanced permit udp object MS-Postage any4 object-group DNS_over_UDP rule-id 268439557
access-list CSM_FW_ACL_ remark rule-id 268441602: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268441602: L7 RULE: Greenville Cameras
access-list CSM_FW_ACL_ advanced permit tcp object at-grsc-guest-net ifc WAN any object-group TCP_UDP_40950-41950 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group TCP_UDP_40950-41950 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group UDP_1294 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group NTP-UDP rule-id 268441602
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Allow Outbound to HQ and DR
access-list CSM_FW_ACL_ advanced permit ip object Remote-Data-Nets object-group FMC_INLINE_dst_rule_268440576 rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440577: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268440577: L7 RULE: Allow HQ and DR Inbound
access-list CSM_FW_ACL_ advanced permit ip object-group FMC_INLINE_src_rule_268440577 object Remote-Data-Nets rule-id 268440577
access-list CSM_FW_ACL_ remark rule-id 268443648: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268443648: L7 RULE: Allow Freightliner DDL8
access-list CSM_FW_ACL_ advanced permit tcp object-group IPv4-Private-All-RFC1918 any eq 48481 rule-id 268443648
access-list CSM_FW_ACL_ remark rule-id 268449810: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268449810: L7 RULE: Rochester SSH to Cell
access-list CSM_FW_ACL_ advanced permit tcp object ms-romn-mpls-rt01 host 10.10.51.1 object-group SSH rule-id 268449810
access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268436480: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268436480 event-log flow-start
no pager
logging enable
logging list MANAGER_VPN_EVENT_LIST level errors class auth
logging list MANAGER_VPN_EVENT_LIST level errors class vpn
logging list MANAGER_VPN_EVENT_LIST level errors class vpnc
logging list MANAGER_VPN_EVENT_LIST level errors class vpnfo
logging list MANAGER_VPN_EVENT_LIST level errors class vpnlb
logging list MANAGER_VPN_EVENT_LIST level errors class webfo
logging list MANAGER_VPN_EVENT_LIST level errors class webvpn
logging list MANAGER_VPN_EVENT_LIST level errors class ca
logging list MANAGER_VPN_EVENT_LIST level errors class svc
logging list MANAGER_VPN_EVENT_LIST level errors class ssl
logging list MANAGER_VPN_EVENT_LIST level errors class dap
logging list MANAGER_VPN_EVENT_LIST level errors class ipaa
logging trap notifications
logging fmc MANAGER_VPN_EVENT_LIST
logging host LAN 172.16.1.166
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination diagnostic 172.16.1.166 2055
mtu WAN 1500
mtu LAN 1500
mtu WAN2 1500
mtu InlineA-RouterSide 1500
mtu InlineB-SwitchSide 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (WAN,LAN) source static any any destination static interface ms-romn-mpls-rt01 service emptyDMVPN-GRE emptyDMVPN-GRE
nat (WAN,LAN) source static any any destination static interface ms-romn-mpls-rt01 service emptyDMVPN-IPSEC emptyDMVPN-IPSEC
!
object network Remote-Data-Nets
nat (LAN,WAN) dynamic interface dns
object network Remote-DMZ-Nets
nat (LAN,WAN) dynamic interface
object network Remote-Voice-Nets
nat (LAN,WAN) dynamic interface
object network Remote-Guest-Nets
nat (LAN,WAN) dynamic ms-romn-guest_wan
access-group CSM_FW_ACL_ global
route WAN 0.0.0.0 0.0.0.0 1.2.3.4 1 track 1
route WAN2 0.0.0.0 0.0.0.0 10.10.51.1 254
route diagnostic 0.0.0.0 0.0.0.0 172.29.3.1 1
route LAN 10.0.0.0 255.0.0.0 172.28.3.2 1
route LAN 172.16.0.0 255.240.0.0 172.28.3.2 1
route LAN 192.168.0.0 255.255.0.0 172.28.3.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa proxy-limit disable
aaa authentication login-history
snmp-server host diagnostic 172.16.1.166 poll community ***** version 2c
snmp-server host diagnostic 172.17.99.148 poll community ***** version 2c
snmp-server host diagnostic 172.17.14.151 poll community ***** version 2c
snmp-server host diagnostic 172.17.99.94 poll community ***** version 2c
snmp-server location St Cloud
snmp-server contact ATS HelpDesk
snmp-server community *****
sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface WAN
num-packets 3
timeout 2000
threshold 500
frequency 30
sla monitor schedule 10 life forever start-time now
!
no service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 10 reachability <-----must reference the SLA operation ID configured above (sla monitor 10)
!
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LAN
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
flow-export event-type all destination 172.16.1.166
policy-map policy_map_LAN
match flow-rule qos 268439568
police input 5000000 156250
police output 7000000 218750
match flow-rule qos 268439569
police input 25000000 781250
!
service-policy global_policy global
service-policy policy_map_LAN interface LAN
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

!

event manager applet WAN_FAILOVER_UP
event track 1 state up
action 10 cli command "enable"
action 20 cli command "object network Remote-Data-Nets"
action 21 cli command "no nat (LAN,WAN2) dynamic interface dns"
action 22 cli command "exit"
action 23 cli command "object network Remote-DMZ-Nets"
action 24 cli command "no nat (LAN,WAN2) dynamic interface"
action 25 cli command "exit"
action 26 cli command "object network Remote-Voice-Nets"
action 27 cli command "no nat (LAN,WAN2) dynamic interface"
action 28 cli command "exit"
action 29 cli command "object network Remote-Guest-Nets"
action 30 cli command "no nat (LAN,WAN2) dynamic interface"
action 31 cli command "exit"
action 32 cli command "object network Remote-Data-Nets"
action 33 cli command "nat (LAN,WAN) dynamic interface dns"
action 34 cli command "exit"
action 35 cli command "object network Remote-DMZ-Nets"
action 36 cli command "nat (LAN,WAN) dynamic interface"
action 37 cli command "exit"
action 38 cli command "object network Remote-Voice-Nets"
action 39 cli command "nat (LAN,WAN) dynamic interface"
action 40 cli command "exit"
action 41 cli command "object network Remote-Guest-Nets"
action 42 cli command "nat (LAN,WAN) dynamic ms-romn-guest_wan"
action 43 cli command "exit"
action 44 cli command "clear xlate"
!
event manager applet WAN_FAILOVER_DOWN
event track 1 state down
action 10 cli command "enable"
action 20 cli command "object network Remote-Data-Nets"
action 21 cli command "no nat (LAN,WAN) dynamic interface dns"
action 22 cli command "exit"
action 23 cli command "object network Remote-DMZ-Nets"
action 24 cli command "no nat (LAN,WAN) dynamic interface"
action 25 cli command "exit"
action 26 cli command "object network Remote-Voice-Nets"
action 27 cli command "no nat (LAN,WAN) dynamic interface"
action 28 cli command "exit"
action 29 cli command "object network Remote-Guest-Nets"
action 30 cli command "no nat (LAN,WAN) dynamic ms-romn-guest_wan"
action 31 cli command "exit"
action 32 cli command "object network Remote-Data-Nets"
action 33 cli command "nat (LAN,WAN2) dynamic interface dns"
action 34 cli command "exit"
action 35 cli command "object network Remote-DMZ-Nets"
action 36 cli command "nat (LAN,WAN2) dynamic interface"
action 37 cli command "exit"
action 38 cli command "object network Remote-Voice-Nets"
action 39 cli command "nat (LAN,WAN2) dynamic interface"
action 40 cli command "exit"
action 41 cli command "object network Remote-Guest-Nets"
action 42 cli command "nat (LAN,WAN2) dynamic interface" <-----guest traffic leaving WAN2 must use the WAN2 address; ms-romn-guest_wan is an address from the primary ISP's block
action 43 cli command "exit"
action 44 cli command "clear xlate"

: end

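An added alternative, written as an editor's example and not part of the original post or the poster's configuration: on ASA/FTD a source NAT rule only applies to a flow whose ingress and egress interfaces match the rule's interface pair, and for outbound traffic the egress interface comes from the route lookup. PAT rules for (LAN,WAN) and (LAN,WAN2) can therefore be installed at the same time, and the tracked default route by itself moves new flows onto the WAN2 PAT when the primary fails, with no EEM applet rewriting NAT. Object and interface names are those from the posted config; 1.2.3.4 is the sanitized primary gateway from the post; the four manual NAT pairs replace the object NAT lines under Remote-Data-Nets, Remote-DMZ-Nets, Remote-Voice-Nets and Remote-Guest-Nets.

```cisco
! --- One probe, one track; the track must reference the SLA operation ID it watches ---
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface WAN
  num-packets 3
  timeout 2000
  threshold 500
  frequency 30
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Tracked primary default route, floating backup (1.2.3.4 is the sanitized ISP1 gateway from the post) ---
route WAN  0.0.0.0 0.0.0.0 1.2.3.4    1 track 1
route WAN2 0.0.0.0 0.0.0.0 10.10.51.1 254
!
! --- Outbound PAT for both egress interfaces, present at the same time.
!     after-auto places these in NAT section 3, behind the existing (WAN,LAN) static
!     forwards for ISAKMP/4500 in section 1.
!     A flow routed out WAN matches only the (LAN,WAN) rule; a flow routed out WAN2
!     matches only the (LAN,WAN2) rule, so no rule has to be added or removed on failover. ---
nat (LAN,WAN)  after-auto source dynamic Remote-Data-Nets  interface dns
nat (LAN,WAN2) after-auto source dynamic Remote-Data-Nets  interface dns
nat (LAN,WAN)  after-auto source dynamic Remote-DMZ-Nets   interface
nat (LAN,WAN2) after-auto source dynamic Remote-DMZ-Nets   interface
nat (LAN,WAN)  after-auto source dynamic Remote-Voice-Nets interface
nat (LAN,WAN2) after-auto source dynamic Remote-Voice-Nets interface
! Guest keeps its dedicated ISP1 address on WAN. On WAN2 it must use the WAN2 address:
! a source from ISP1's block sent out the LTE link has no return path.
nat (LAN,WAN)  after-auto source dynamic Remote-Guest-Nets ms-romn-guest_wan
nat (LAN,WAN2) after-auto source dynamic Remote-Guest-Nets interface
!
! --- Connections are pinned to the egress interface they were built on.
!     conn-holddown (already 0:00:15 in the posted config) tears down connections whose
!     route disappears when WAN fails. floating-conn covers failback: when the better
!     route returns, connections still on WAN2 are closed after this timer so the router's
!     IKE/GRE flow re-establishes out WAN without a manual clear xlate. Default 0:00:00 disables it. ---
timeout floating-conn 0:01:00
```

Verify with `show track 1`, `show route`, `show xlate`, and `packet-tracer input LAN udp 172.29.3.1 500 <hub-public-address> 500`, which prints the NAT rule and egress interface a new IKE flow from the router would get under the current route state. On an FTD managed by FMC none of this is typed at the LINA CLI: the NAT lines go into the NAT policy as manual rules in the after-auto section, the routes and SLA monitor into the device's routing configuration, and anything the GUI does not expose into FlexConfig. If you keep the EEM approach from the accepted answer instead, check with `event ?` in applet configuration mode on your release which event types the platform's EEM actually offers before relying on a track-state trigger.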

7 Replies

Hello,

 

you could use EEM scripts to automate the failover. Post the full configs of the ASA and both routers. Make sure the interfaces have descriptions indicating which interfaces are connected to what...

EEM Scripts on the FTD? There is only one Ethernet connection from the router to FTD, over one subnet. The default route of the router points to the FTD LAN interface at this time. I can still post the configs though shortly.

Hello,

 

sorry if I misunderstood the original post, I thought you mentioned an ASA at the remote location...

 

Attached is running config of FTD and Router. I added notes on interface with "<-----" then a description.

 

On the router port Gi0/2/0 is physically connected to FTD using 172.28.3.0/29 subnet. Router is .2, FTD is .1. The default route on the router points to the .1 on FTD. Also the DMVPN tunnel (interface tunnel0) on the router is using source Port-Channel1.1 for the DMVPN connection outbound (172.29.3.1).

 

Basically we want to set up the FTD to take that 172.29.3.1 and NAT it out the WAN 1 interface (like it does) until WAN 1 internet goes down, then NAT that 172.29.3.1 out WAN 2 (secondary internet).

 

There are port-channels in use because we have inline inspection setup between the router and FTD, with a redundant connection.

Hello,

 

thanks for the configs. I'll try to come up with something...

access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: Remote Sites Prefilter
access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 268437506
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 268437506
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 268437506
access-list CSM_FW_ACL_ remark rule-id 268439571: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439571: L7 RULE: Block-Blacklisted-Traffic
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268439571
access-list CSM_FW_ACL_ remark rule-id 268448848: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268448848: L4 RULE: Manual Block List Outbound
access-list CSM_FW_ACL_ advanced deny ip ifc LAN any ifc WAN object-group Manual-Blacklist-For-Access-Policies rule-id 268448848 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268448849: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268448849: L4 RULE: Manual Block List Inbound
access-list CSM_FW_ACL_ advanced deny ip ifc WAN object-group Manual-Blacklist-For-Access-Policies ifc LAN any rule-id 268448849 event-log flow-start
access-list CSM_FW_ACL_ advanced permit object-group ICMP_any any any rule-id 268437504
access-list CSM_FW_ACL_ remark rule-id 268439555: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439555: L7 RULE: Inline Inspection Outbound
access-list CSM_FW_ACL_ advanced permit ip ifc InlineB-SwitchSide any ifc InlineA-RouterSide any rule-id 268439555
access-list CSM_FW_ACL_ remark rule-id 268439556: ACCESS POLICY: Remote Sites Access Control - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439556: L7 RULE: Inline Inspection Inbound
access-list CSM_FW_ACL_ advanced permit ip ifc InlineA-RouterSide any ifc InlineB-SwitchSide any rule-id 268439556
access-list CSM_FW_ACL_ remark rule-id 268439562: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439562: L7 RULE: Allow DNS for Guest Wireless
access-list CSM_FW_ACL_ advanced permit tcp any host X.X.X.X object-group DNS_over_TCP rule-id 268439562
access-list CSM_FW_ACL_ advanced permit udp any host X.X.X.X object-group DNS_over_UDP rule-id 268439562
access-list CSM_FW_ACL_ remark rule-id 268448796: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268448796: L7 RULE: Lytx access
access-list CSM_FW_ACL_ advanced permit tcp object Remote-Data-Nets any object-group Lytx rule-id 268448796
access-list CSM_FW_ACL_ remark rule-id 268439558: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439558: L7 RULE: Allow DMVPN Inbound
access-list CSM_FW_ACL_ advanced permit udp ifc WAN object-group FMC_INLINE_src_rule_268439558 ifc LAN object Remote-Data-Nets object-group DMVPN-GRE rule-id 268439558
access-list CSM_FW_ACL_ advanced permit udp ifc WAN object-group FMC_INLINE_src_rule_268439558 ifc LAN object Remote-Data-Nets object-group DMVPN-IPSEC rule-id 268439558
access-list CSM_FW_ACL_ remark rule-id 268448868: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268448868: L7 RULE: Allow DMVPN Outbound
access-list CSM_FW_ACL_ advanced permit udp ifc LAN object Remote-Data-Nets ifc WAN object-group FMC_INLINE_dst_rule_268448868 object-group DMVPN-GRE rule-id 268448868
access-list CSM_FW_ACL_ advanced permit udp ifc LAN object Remote-Data-Nets ifc WAN object-group FMC_INLINE_dst_rule_268448868 object-group DMVPN-IPSEC rule-id 268448868
access-list CSM_FW_ACL_ remark rule-id 268437505: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268437505: L7 RULE: Allow Web Traffic to Friendies
access-list CSM_FW_ACL_ advanced permit tcp any any object-group FTP rule-id 268437505
access-list CSM_FW_ACL_ advanced permit tcp any any object-group HTTP rule-id 268437505
access-list CSM_FW_ACL_ advanced permit tcp any any object-group HTTPS rule-id 268437505
access-list CSM_FW_ACL_ remark rule-id 268439557: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268439557: L7 RULE: Allow DNS for Pitney Bowes
access-list CSM_FW_ACL_ advanced permit tcp object MS-Postage any4 object-group DNS_over_TCP rule-id 268439557
access-list CSM_FW_ACL_ advanced permit udp object MS-Postage any4 object-group DNS_over_UDP rule-id 268439557
access-list CSM_FW_ACL_ remark rule-id 268441602: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268441602: L7 RULE: Greenville Cameras
access-list CSM_FW_ACL_ advanced permit tcp object at-grsc-guest-net ifc WAN any object-group TCP_UDP_40950-41950 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group TCP_UDP_40950-41950 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group UDP_1294 rule-id 268441602
access-list CSM_FW_ACL_ advanced permit udp object at-grsc-guest-net ifc WAN any object-group NTP-UDP rule-id 268441602
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Allow Outbound to HQ and DR
access-list CSM_FW_ACL_ advanced permit ip object Remote-Data-Nets object-group FMC_INLINE_dst_rule_268440576 rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440577: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268440577: L7 RULE: Allow HQ and DR Inbound
access-list CSM_FW_ACL_ advanced permit ip object-group FMC_INLINE_src_rule_268440577 object Remote-Data-Nets rule-id 268440577
access-list CSM_FW_ACL_ remark rule-id 268443648: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268443648: L7 RULE: Allow Freightliner DDL8
access-list CSM_FW_ACL_ advanced permit tcp object-group IPv4-Private-All-RFC1918 any eq 48481 rule-id 268443648
access-list CSM_FW_ACL_ remark rule-id 268449810: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268449810: L7 RULE: Rochester SSH to Cell
access-list CSM_FW_ACL_ advanced permit tcp object ms-romn-mpls-rt01 host 10.10.51.1 object-group SSH rule-id 268449810
access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: Remote Sites Access Control - Default
access-list CSM_FW_ACL_ remark rule-id 268436480: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268436480 event-log flow-start
no pager
logging enable
logging list MANAGER_VPN_EVENT_LIST level errors class auth
logging list MANAGER_VPN_EVENT_LIST level errors class vpn
logging list MANAGER_VPN_EVENT_LIST level errors class vpnc
logging list MANAGER_VPN_EVENT_LIST level errors class vpnfo
logging list MANAGER_VPN_EVENT_LIST level errors class vpnlb
logging list MANAGER_VPN_EVENT_LIST level errors class webfo
logging list MANAGER_VPN_EVENT_LIST level errors class webvpn
logging list MANAGER_VPN_EVENT_LIST level errors class ca
logging list MANAGER_VPN_EVENT_LIST level errors class svc
logging list MANAGER_VPN_EVENT_LIST level errors class ssl
logging list MANAGER_VPN_EVENT_LIST level errors class dap
logging list MANAGER_VPN_EVENT_LIST level errors class ipaa
logging trap notifications
logging fmc MANAGER_VPN_EVENT_LIST
logging host LAN 172.16.1.166
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination diagnostic 172.16.1.166 2055
mtu WAN 1500
mtu LAN 1500
mtu WAN2 1500
mtu InlineA-RouterSide 1500
mtu InlineB-SwitchSide 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (WAN,LAN) source static any any destination static interface ms-romn-mpls-rt01 service emptyDMVPN-GRE emptyDMVPN-GRE
nat (WAN,LAN) source static any any destination static interface ms-romn-mpls-rt01 service emptyDMVPN-IPSEC emptyDMVPN-IPSEC
!
object network Remote-Data-Nets
nat (LAN,WAN) dynamic interface dns
object network Remote-DMZ-Nets
nat (LAN,WAN) dynamic interface
object network Remote-Voice-Nets
nat (LAN,WAN) dynamic interface
object network Remote-Guest-Nets
nat (LAN,WAN) dynamic ms-romn-guest_wan
access-group CSM_FW_ACL_ global
route WAN 0.0.0.0 0.0.0.0 1.2.3.4 1 track 1
route WAN2 0.0.0.0 0.0.0.0 10.10.51.1 254
route diagnostic 0.0.0.0 0.0.0.0 172.29.3.1 1
route LAN 10.0.0.0 255.0.0.0 172.28.3.2 1
route LAN 172.16.0.0 255.240.0.0 172.28.3.2 1
route LAN 192.168.0.0 255.255.0.0 172.28.3.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa proxy-limit disable
aaa authentication login-history
snmp-server host diagnostic 172.16.1.166 poll community ***** version 2c
snmp-server host diagnostic 172.17.99.148 poll community ***** version 2c
snmp-server host diagnostic 172.17.14.151 poll community ***** version 2c
snmp-server host diagnostic 172.17.99.94 poll community ***** version 2c
snmp-server location St Cloud
snmp-server contact ATS HelpDesk
snmp-server community *****
sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface WAN
num-packets 3
timeout 2000
threshold 500
frequency 30
sla monitor schedule 10 life forever start-time now
!
no service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 10 reachability
!
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LAN
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
flow-export event-type all destination 172.16.1.166
policy-map policy_map_LAN
match flow-rule qos 268439568
police input 5000000 156250
police output 7000000 218750
match flow-rule qos 268439569
police input 25000000 781250
!
service-policy global_policy global
service-policy policy_map_LAN interface LAN
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

!

event manager applet WAN_FAILOVER_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "object network Remote-Data-Nets"
action 2.1 cli command "no nat (LAN,WAN2) dynamic interface dns"
action 2.2 cli command "exit"
action 2.3 cli command "object network Remote-DMZ-Nets"
action 2.4 cli command "no nat (LAN,WAN2) dynamic interface"
action 2.5 cli command "exit"
action 2.6 cli command "object network Remote-Voice-Nets"
action 2.7 cli command "no nat (LAN,WAN2) dynamic interface"
action 2.8 cli command "exit"
action 2.9 cli command "object network Remote-Guest-Nets"
action 3.0 cli command "no nat (LAN,WAN2) dynamic ms-romn-guest_wan"
action 3.1 cli command "object network Remote-Data-Nets"
action 3.2 cli command "nat (LAN,WAN) dynamic interface dns"
action 3.3 cli command "exit"
action 3.4 cli command "object network Remote-DMZ-Nets"
action 3.5 cli command "nat (LAN,WAN) dynamic interface"
action 3.6 cli command "exit"
action 3.7 cli command "object network Remote-Voice-Nets"
action 3.8 cli command "nat (LAN,WAN) dynamic interface"
action 3.9 cli command "exit"
action 4.0 cli command "object network Remote-Guest-Nets"
action 4.1 cli command "nat (LAN,WAN) dynamic ms-romn-guest_wan"
action 4.2 cli command "clear xlate"
!
event manager applet WAN_FAILOVER_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "object network Remote-Data-Nets"
action 2.1 cli command "no nat (LAN,WAN) dynamic interface dns"
action 2.2 cli command "exit"
action 2.3 cli command "object network Remote-DMZ-Nets"
action 2.4 cli command "no nat (LAN,WAN) dynamic interface"
action 2.5 cli command "exit"
action 2.6 cli command "object network Remote-Voice-Nets"
action 2.7 cli command "no nat (LAN,WAN) dynamic interface"
action 2.8 cli command "exit"
action 2.9 cli command "object network Remote-Guest-Nets"
action 3.0 cli command "no nat (LAN,WAN) dynamic ms-romn-guest_wan"
action 3.1 cli command "object network Remote-Data-Nets"
action 3.2 cli command "nat (LAN,WAN2) dynamic interface dns"
action 3.3 cli command "exit"
action 3.4 cli command "object network Remote-DMZ-Nets"
action 3.5 cli command "nat (LAN,WAN2) dynamic interface"
action 3.6 cli command "exit"
action 3.7 cli command "object network Remote-Voice-Nets"
action 3.8 cli command "nat (LAN,WAN2) dynamic interface"
action 3.9 cli command "exit"
action 4.0 cli command "object network Remote-Guest-Nets"
action 4.1 cli command "nat (LAN,WAN2) dynamic ms-romn-guest_wan"
action 4.2 cli command "clear xlate"

: end
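
An added example, not part of the thread and not the poster's config: a small Python helper that builds both failover applets from one list of NAT objects, so the UP and DOWN applets cannot drift apart and no action label is reused, and that lints a config for a `track N rtr M` line pointing at an SLA operation that is never defined (an easy slip when the SLA and the track are edited by hand). Object names, interface names and the mapped guest object are taken from the posted config; the integer action labels, the regular expressions and the sample config snippet are my own choices and are marked as such. Two caveats: like the posted applets it reuses ms-romn-guest_wan as the mapped address on WAN2, which only works if that address is reachable via the LTE path, otherwise Remote-Guest-Nets needs its own WAN2 mapped object; and, as in the posted applets, the two (WAN,LAN) static rules for inbound DMVPN are left untouched.

```python
import re
from dataclasses import dataclass

# Added example (not the poster's config): builds the two failover applets from
# one object list so they stay symmetric with unique action labels, and lints an
# ASA/FTD config for "track N rtr M" pointing at a missing "sla monitor M".


@dataclass(frozen=True)
class NatObject:
    name: str          # "object network" name on the FTD
    mapped: str        # "interface" (PAT to the egress address) or a mapped object
    dns: bool = False  # whether the rule carries the "dns" keyword


# The four objects the posted applets toggle; names and mapped objects are the page's own.
NAT_OBJECTS = (
    NatObject("Remote-Data-Nets", "interface", dns=True),
    NatObject("Remote-DMZ-Nets", "interface"),
    NatObject("Remote-Voice-Nets", "interface"),
    NatObject("Remote-Guest-Nets", "ms-romn-guest_wan"),
)


def nat_statement(obj: NatObject, egress: str) -> str:
    """Object-NAT line as typed under 'object network <name>'."""
    stmt = f"nat (LAN,{egress}) dynamic {obj.mapped}"
    return stmt + " dns" if obj.dns else stmt


def build_applet(name: str, state: str, old_if: str, new_if: str,
                 objects=NAT_OBJECTS) -> list[str]:
    """Applet that drops the NAT rules towards old_if, adds them towards new_if,
    then clears the xlate table so established flows re-NAT on the new path."""
    lines = [f"event manager applet {name}", f"event track 1 state {state}"]
    label = 0  # integer labels (assumption: plain integers, as ASA EEM accepts)

    def action(cmd: str) -> None:
        nonlocal label
        label += 1  # strictly increasing, so a label can never be reused
        lines.append(f'action {label} cli command "{cmd}"')

    action("enable")
    for obj in objects:  # remove every old-path rule first ...
        action(f"object network {obj.name}")
        action("no " + nat_statement(obj, old_if))
        action("exit")
    for obj in objects:  # ... then add the new-path rules
        action(f"object network {obj.name}")
        action(nat_statement(obj, new_if))
        action("exit")
    action("clear xlate")
    return lines


def build_failover_applets(primary: str = "WAN", backup: str = "WAN2") -> str:
    """Both applets: track up -> NAT back to primary, track down -> NAT to backup."""
    up = build_applet("WAN_FAILOVER_UP", "up", old_if=backup, new_if=primary)
    down = build_applet("WAN_FAILOVER_DOWN", "down", old_if=primary, new_if=backup)
    return "\n".join(up + ["!"] + down)


APPLET_RE = re.compile(r"^\s*event manager applet (\S+)")
ACTION_RE = re.compile(r"^\s*action (\S+) cli command")
SLA_RE = re.compile(r"^\s*sla monitor (\d+)\s*$", re.M)
TRACK_RE = re.compile(r"^\s*track (\d+) rtr (\d+) reachability", re.M)


def duplicate_action_labels(config_text: str) -> dict[str, list[str]]:
    """Per applet, labels used more than once. A label identifies one action,
    so a repeated label cannot give two steps: one of them is lost."""
    dupes: dict[str, list[str]] = {}
    current, seen = None, set()
    for line in config_text.splitlines():
        m = APPLET_RE.match(line)
        if m:
            current, seen = m.group(1), set()
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            if m.group(1) in seen:
                dupes.setdefault(current, []).append(m.group(1))
            seen.add(m.group(1))
    return dupes


def track_sla_mismatches(config_text: str) -> list[tuple[int, int]]:
    """(track_id, sla_id) pairs whose SLA operation is not defined anywhere."""
    slas = {int(n) for n in SLA_RE.findall(config_text)}
    return [(int(t), int(s)) for t, s in TRACK_RE.findall(config_text)
            if int(s) not in slas]


# Constructed sample (not from the page) showing two hand-editing mistakes:
# a reused label, and a track referencing SLA 1 while only SLA 10 is defined.
SAMPLE_CONFIG = """\
sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface WAN
sla monitor schedule 10 life forever start-time now
track 1 rtr 1 reachability
event manager applet WAN_FAILOVER_UP
event track 1 state up
action 3.5 cli command "nat (LAN,WAN) dynamic interface"
action 3.5 cli command "exit"
"""

if __name__ == "__main__":
    print(build_failover_applets())
    print("duplicate labels:", duplicate_action_labels(SAMPLE_CONFIG))
    print("track/SLA mismatches:", track_sla_mismatches(SAMPLE_CONFIG))
```

Paste the generated text into the FTD the same way the posted applets were added; re-running the generator after adding a NAT object keeps both applets in step, and running the two lint functions over a `show running-config` dump is a cheap pre-change check.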

Thanks, I will give this a go and let you know. This looks great though!