07-08-2014 09:21 AM - edited 03-04-2019 11:18 PM
Hi,
I have a small business network with an ASA5505 and an ISP with a static IP and VPN. That has worked very well for a long time now. As the speed offered by our ISP is quite low, we decided to buy a consumer product from an ISP that is much faster.
The idea was simple: the ASA should route to the new line ("upc"), as it has a lower metric. An SLA check should ensure that our original line ("outside") with the higher metric is used when "upc" goes down. For this I followed the instructions at http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
However, as soon as I set "upc" to be the route with the lower metric, I do not have internet access. I think that I made a simple mistake in the config, probably some NAT issues?
Port "upc" is connected directly to the ISP's router, as the internet line has a dynamic IP address and the standard gateway changes. The config of this router is:
router ip: 10.0.0.1
dhcp: 10.0.0.100 - 10.0.0.150
dmz: 10.0.0.2
port configuration "upc" on asa is:
ip-address: 10.0.0.2
gateway ip: 10.0.0.1
Below is my ASA config (I removed sensitive parts regarding VPN and masked my static IP). I would be glad if you could give me a hint.
ASA Version 8.4(2)
!
hostname ciscoasa
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 178.188.XXX.X 255.255.255.252
!
interface Vlan12
 nameif upc
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit intra-interface
object network obj-192.168.1.192
 subnet 192.168.1.192 255.255.255.224
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object-group network obj_any
object-group network NETWORK_OBJ_192.168.1.192_27
access-list Company_SplitTunnel remark Company LAN
access-list Company_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
access-list CompanyTunnelGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CompanyIPSecProfile_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu upc 1500
ip local pool VPNusers 192.168.1.200-192.168.1.220 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-192.168.1.192 obj-192.168.1.192 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.1.192 obj-192.168.1.192 no-proxy-arp
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (inside,upc) dynamic interface
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1
route outside 0.0.0.0 0.0.0.0 178.188.XXX.X 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 20608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 213.33.99.70 80.120.17.70
dhcpd auto_config outside
!
dhcpd address 192.168.1.150-192.168.1.180 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
07-25-2014 11:01 AM
Hello.
You are right, your NAT configuration is complex.
I would configure something like:
object network MY_LAN1
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
object network MY_LAN2
subnet 192.168.1.0 255.255.255.0
nat (inside,upc) dynamic interface
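Putting the two halves of this thread together, the SLA-tracked default routes the original question is after and the per-interface NAT objects the reply suggests, here is an added example of the relevant ASA 8.4 configuration. It is written for this thread and is not config from either poster or from the Cisco document linked above. The interface names, gateway addresses and LAN subnet are the ones from the thread; the SLA monitor id 123, track object 1, the probe target 8.8.8.8 and the object names are assumptions for the example.

```cisco
! --- Link health check for "upc" (id, target and timers are assumptions) ---
! Send ICMP echo to a public address out of the "upc" interface every 10 s.
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface upc
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
! Track object 1 follows the probe: up while echoes are answered, down otherwise.
track 1 rtr 123 reachability

! --- Default routes: "upc" (metric 1) is installed only while track 1 is up,
! --- "outside" (metric 254) takes over when it is withdrawn.
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route outside 0.0.0.0 0.0.0.0 178.188.XXX.X 254

! --- PAT to the egress interface address: one object per ISP interface,
! --- both covering the same LAN subnet, so whichever route wins gets a matching NAT rule.
object network LAN_via_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN_via_upc
 subnet 192.168.1.0 255.255.255.0
 nat (inside,upc) dynamic interface

! --- Allow established connections to be re-homed when a better route reappears
! --- (the posted config has 0:00:00, which keeps them on the old path forever).
timeout floating-conn 0:01:00
```

After applying this, check the state with `show route` (only one 0.0.0.0 entry should be active at a time), `show sla monitor operational-state 123` and `show track 1` for the probe result, and `show nat` to confirm both dynamic rules exist; `packet-tracer input inside tcp 192.168.1.10 12345 <destination> 80` shows which route and NAT rule a LAN host would actually use. Two things worth keeping in mind from the posted config: the twice-NAT identity rules for the VPN pool (`nat (inside,any) source static ...`) sit above these object rules in NAT order and should stay there so remote-access traffic is not PAT'ed, and because the consumer router's "dmz" setting forwards all unsolicited inbound traffic to 10.0.0.2, the ASA's default deny on the security-level 0 "upc" interface is what shields the LAN; `show logging` with `logging enable` will show anything being dropped there.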