02-12-2016 01:04 AM - edited 03-05-2019 03:20 AM
Hi guys, not sure if you can still recall my previous post about a routing issue, hehe. Anyway, this one is new. I inherited this Cisco ASA device from a previous Net Ad and haven't modified much of his settings. BTW, am I allowed to post IP addresses here for a more detailed explanation? Written in BLUE are comments.
Anyway, here is the issue.
device has static routes:
//Below are local ip scopes
192.168.130.x 255.255.255.0 192.168.130.x(virtual gateway)
192.168.131.x 255.255.255.0 192.168.131.x(virtual gateway)
.
.
.
//Below are default routes to WAN(ISP)
0.0.0.0 0.0.0.0 x.x.x.x.ISP1
0.0.0.0 0.0.0.0 x.x.x.xISP2
//Interface
G0/0: inside security level 100 192.168.150.x 255.255.255.0
G0/1 DMZ security level 50 172.16.x.x 255.255.255.0
G0/2: Outside-ISP2 security level 0 x.x.x.x 255.255.255.248
G0/3: Outside-ISP1 security level 0 x.x.x.x 255.255.255.248
//Access Rules
Zone DMZ
any any ip allow
any any icmp allow
any any ip deny implicit rule
Zone inside
any any icmp permit
any any ip permit
any any ip deny implicit rule
Zone management //ignore this since the management port is not being used at the moment
any any ip permit
any any icmp permit
any any ip deny implicit rule
Zone Outside-ISP2
any x.x.x.x (one of the ISP2 IP block's usable IPs) permit
any x.x.x.x (another of the ISP2 IP block's usable IPs) permit
any any icmp and domain permit
any any deny implicit rule
Zone Outside-ISP1
any any domain permit
any any ip deny implicit rule
//Lastly NAT rules
DMZ (2 static routes)
1. Static x.x.x.x NAT'ed to one of the ISP2 usable IPs
2. Static x.x.x.x NAT'ed to a second of the ISP2 usable IPs
Inside (1 exempt rule, 1 static rule, 2 dynamic rules)
1. Exempt any vlan(of the virtual gateway)/24
2. Static InsideNetwork /16 (all local IPs, i.e. 192.168.130.x, 192.168.131.x, etc.)
3. Dynamic policy any (going to a different WAN IP)
4. Dynamic any
Here's the situation. Currently we're all being redirected to our ISP2, and since ISP1 is not being fully utilized, I was thinking I could switch the others to ISP1. So far what I did:
1. Create an object for my IP
2. Added an "Access Rule" on the "inside" interface, moved it to the top, with the destination address set to "ISP1"
But I'm still getting the ISP2 WAN IP. So am I lacking something here?
Thanks in advance and good day!
Jeff
02-13-2016 08:14 PM
Hi Jeff,
What version of ASA code are you running? You will basically need to create a dynamic NAT from the inside interface to ISP1. Assuming you are running ASA 8.3+ code, you will do the following:
object network inside
subnet 10.10.10.0 255.255.255.0
nat (inside,ISP1) dynamic interface
This takes the inside subnet and will NAT/PAT it to the ISP1 interface. You will need to either move this rule below your current dynamic rule or remove your dynamic rule from ISP2.
Also, what metrics do you have set for your default routes? I would look at that if the above snippet doesn't work.
Josh
02-14-2016 05:11 PM
Hi Josh,
Our Cisco ASA is using version 8.2(4)
I need to set it to a 255.255.255.255 subnet since, for testing purposes, just my PC will switch over to ISP1 at the moment.
nat (inside) 1 Test-Jefferson 255.255.255.255
This is the dynamic NAT rule I've created, but once I applied this NAT rule my internet just shut down.
Our metrics are:
0.0.0.0 0.0.0.0 ISP2 metric 1
0.0.0.0 0.0.0.0 ISP2 metric 5
I think this is the reason why I'm still redirected to ISP2
Thanks
Jeff
02-14-2016 05:19 PM
Hi Jeff,
Try with this
global (ISP2) 2 interface
nat (inside) 2 Test-Jefferson 255.255.255.255
Also you may need to do a deny in the nat ACL for the nat (inside) 1 for the host Test-Jefferson.
Josh
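The 8.2-style NAT that Josh's two replies describe, written out in full as an added example (not configuration from the thread); it assumes the outside interfaces are named ISP1 and ISP2, that Test-Jefferson is a single host, and that the second global belongs on ISP1, which is where Josh's first reply says the host should exit. Addresses are placeholders, and because the ASA chooses the egress interface by route lookup before NAT is applied, the default-route metrics Josh asks about still decide which ISP the host actually leaves through.

```cisco
! Assumed host address for the test PC (placeholder)
name 192.168.130.50 Test-Jefferson

! NAT ID 1: existing PAT for the whole inside network out ISP2.
! Converted to policy NAT so the test host can be excluded with a deny;
! a deny in the nat ACL means "do not match this nat rule", not "drop".
access-list NAT1 extended deny ip host Test-Jefferson any
access-list NAT1 extended permit ip 192.168.0.0 255.255.0.0 any
nat (inside) 1 access-list NAT1
global (ISP2) 1 interface

! NAT ID 2: the single test host, PATed to the ISP1 interface address
nat (inside) 2 Test-Jefferson 255.255.255.255
global (ISP1) 2 interface
```

Verify which rule a flow hits with `show xlate` and `show nat` after generating traffic from the test host.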