07-08-2014 09:21 AM - edited 03-04-2019 11:18 PM
Hi,
I have a small business network with an ASA5505 and an ISP with a static IP and VPN. That has worked very well for a long time now. As the speed offered by our ISP is quite low, we decided to buy a consumer product from an ISP that is much faster.
The idea was simple: the ASA should route to the new line ("upc"), as it has a lower metric. An SLA check should ensure that our original line ("outside") with the higher metric is used when "upc" goes down. For this I followed the instructions at http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
However, as soon as I set "upc" to be the route with the lower metric, I do not have internet access. I think that I made a simple mistake in the config, probably some NAT issue?
Port "upc" is connected directly to the ISP's router, as the internet line has a dynamic IP address and the default gateway changes. The config of this router is:
router ip: 10.0.0.1
dhcp: 10.0.0.100 - 10.0.0.150
dmz: 10.0.0.2
Port configuration of "upc" on the ASA is:
ip-address: 10.0.0.2
gateway ip: 10.0.0.1
Below is my ASA config (I removed sensitive parts regarding VPN and masked my static IP). I would be glad if you could give me a hint.
ASA Version 8.4(2)
!
hostname ciscoasa
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 178.188.XXX.X 255.255.255.252
!
interface Vlan12
 nameif upc
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit intra-interface
object network obj-192.168.1.192
 subnet 192.168.1.192 255.255.255.224
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object-group network obj_any
object-group network NETWORK_OBJ_192.168.1.192_27
access-list Company_SplitTunnel remark Company LAN
access-list Company_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
access-list CompanyTunnelGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CompanyIPSecProfile_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu upc 1500
ip local pool VPNusers 192.168.1.200-192.168.1.220 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-192.168.1.192 obj-192.168.1.192 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.1.192 obj-192.168.1.192 no-proxy-arp
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (inside,upc) dynamic interface
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1
route outside 0.0.0.0 0.0.0.0 178.188.XXX.X 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 20608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 213.33.99.70 80.120.17.70
dhcpd auto_config outside
!
dhcpd address 192.168.1.150-192.168.1.180 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
07-25-2014 11:01 AM
Hello.
You are right, your NAT configuration is complex.
I would configure something like:
object network MY_LAN1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network MY_LAN2
 subnet 192.168.1.0 255.255.255.0
 nat (inside,upc) dynamic interface
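As an added example (not the original poster's running config and not the replier's snippet), this is how the SLA-tracked failover the first post intended can be combined with the simplified per-interface NAT above on ASA 8.4 syntax. The probe target 8.8.8.8, the monitor id 10, the track id 1 and the object names are assumptions; the gateways and interface names come from the thread.

```text
! Added example, not the poster's configuration (ASA 8.4 syntax).
! Assumed values: probe target 8.8.8.8, sla monitor id 10, track id 1.
!
! ICMP probe sent out "upc" every 10 s; three lost probes mark it down.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface upc
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The metric-1 route on "upc" stays in the routing table only while
! track 1 is up; the metric-254 floating route on "outside" takes over
! as soon as the probe fails and is withdrawn again when it recovers.
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route outside 0.0.0.0 0.0.0.0 178.188.XXX.X 254
!
! One dynamic PAT rule per egress interface, so the translated source
! address always matches whichever interface the route lookup picks.
object network LAN_via_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN_via_upc
 subnet 192.168.1.0 255.255.255.0
 nat (inside,upc) dynamic interface
!
! Checks after applying: confirm the probe is succeeding, the track is
! up, and the "upc" default route is the one installed.
! show sla monitor operational-state
! show track 1
! show route
```

Connections established before a failover keep their existing translation and are not moved to the other line, so expect them to time out rather than migrate. The crypto map and IKEv1 in the posted config are bound to "outside" only, so the VPN remains on the static line regardless of which default route is active.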