1968 Views | 25 Helpful | 5 Replies

Dual ISP Setup on a ASA using Network NAT objects

ob123 (Level 1)

Hello... Looking for some insight/help on my config.

 

I have NAT set up as a network object, so there is no STATIC route from inside to outside... How do I set up a second NAT network object and the associated SLA/monitoring that I would need to prioritise the route to outside? I have set up a TEST device (PC) and I have been unable to even route traffic from that device to the secondary outside interface. I fear I'm missing something, so I'm looking for an answer and an example. New to networks, and really starting to appreciate the skills needed and the lack of my knowledge.

 

The topology is pretty straightforward (he said) 

 

[image: example.jpeg]

 

The primary outside route works well; the subnets are statically routed back to the SG500, which takes care of the inter-VLAN routing. So at present I have an interface between the SG500 and the ASA5515, and all the VLANs work. I'm unable to route anything to the secondary ISP interface.

 

Here's the ASA config.. 

 

: Saved
:
ASA Version 9.1(2) 
!
hostname HomeASA

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet0/1
 description HomeLAN
 nameif inside_1
 security-level 100
 ip address 192.168.70.10 255.255.255.0 
!

!

!
interface GigabitEthernet0/4
 description 4G Wifi WAN secondary connection to the internet
 nameif outside_failover
 security-level 0
 ip address 192.168.110.2 255.255.255.0 
!

!

!
!
time-range Teens
 periodic Friday 5:00 to Saturday 0:30
 periodic Saturday 5:00 to Sunday 0:30
 periodic Monday Tuesday Wednesday Thursday Sunday 5:00 to 22:30
!
time-range TestVLAN30
 periodic daily 5:00 to 23:59
!
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.168.99.99
 domain-name xx.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 description Inside_Out_NAT
object network obj_any2
 host 192.168.5.145
 description BackupTEst
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
 description VLAN 10 Main
object network TESTPC
 host 192.168.5.145
 description TEST PC DELL
object network VLAN1
 subnet 192.168.5.0 255.255.255.0
 description VLAN 1 Default subnet 5
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
 description VLAN 10 Teens
object network VLAN30
 subnet 192.168.30.0 255.255.255.0
 description VLAN 30 Main WIFI
object network VLAN40
 subnet 192.168.40.0 255.255.255.0
 description VLAN 40 IoT
object network VLAN50
 subnet 192.168.50.0 255.255.255.0
 description VLAN 50 Management
object network VLAN31
 subnet 192.168.31.0 255.255.255.0
 description VLAN31 Teens
object network VLAN32
 subnet 192.168.32.0 255.255.255.0
 description VLAN 32 Guest
object network PrimaryDNS
 host 194.168.99.99
 description DNS
object network SeconardyDNS
 host 194.168.99.99
 description DNS
object network test
 host 8.8.8.8
 description remove
object-group network Inside_ALL_VLANs
 description All VLANs
 network-object object VLAN1
 network-object object VLAN10
 network-object object VLAN20
 network-object object VLAN30
 network-object object VLAN40
 network-object object VLAN50
object-group network DNS-Servers
 description Valid DNS Servers
 network-object object PrimaryDNS
 network-object object SeconardyDNS
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
(thanks to this forum!)
access-list outside_access_in extended permit icmp any any
access-list inside_1_access_in remark Inside access in allow Domain services to vaild DNS servers
access-list inside_1_access_in extended permit object-group TCPUDP any object-group DNS-Servers eq domain
access-list inside_1_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_1_access_in extended permit ip any any
pager lines 24
logging timestamp
logging asdm informational
logging from-address
logging recipient-address level errors
logging facility 16
logging host inside_1 192.168.99.99
mtu outside 1500
mtu inside_1 1500
mtu DMZ 1500
mtu Free 1500
mtu outside_failover 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_1,outside_failover) dynamic interface
access-group inside_1_access_in in interface inside_1
route inside_1 192.168.5.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.10.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.20.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.30.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.32.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.40.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.50.0 255.255.255.0 192.168.70.20 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.10.0 255.255.255.0 inside_1
http 192.168.70.0 255.255.255.0 inside_1
http 192.168.30.0 255.255.255.0 inside_1
http 0.0.0.0 0.0.0.0 inside_1
http 192.168.10.4 255.255.255.255 inside_1
http 192.168.10.100 255.255.255.255 inside_1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.99.99 255.255.255.255 inside_1
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside_1
dhcp-client client-id interface outside
dhcp-client client-id interface Free
dhcp-client client-id interface Management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 99.99.99.99 prefer
tftp-server inside_1 99.99.99.99 ASA_config.txt
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 99.99.99.99
mount QNAP type ftp
 server 192.168.xx.xx
 mode passive
 status enable
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
 profile SOHO
  destination address email
  destination transport-method email
  subscribe-to-alert-group snapshot periodic daily
Cryptochecksum:
: end
no asdm history enable

 

 

 

Accepted Solution
Hello
I'd just like to add a slight amendment to @Francesco Molino's answer pertaining to the admin distances of the conditional ISP default routes, so as to make sure the backup ISP default has a less preferred distance value.

 

interface GigabitEthernet0/0
dhcp client route track 1
dhcp client route distance 1

route outside_failover 0.0.0.0 0.0.0.0 192.168.110.x 200


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


5 Replies

Francesco Molino (VIP Alumni)

Hi

 

The NAT you put there is OK. Your 1st interface, outside, is configured with a DHCP address and DHCP route. The 2nd, outside_failover, has a static route.

I will assume the ISP router connected to the outside_failover interface has IP 192.168.110.1.

You will need to configure tracking to monitor when ISP1 goes down in order to switch over to the 2nd link.

Here is an example config:

sla monitor 1
  type echo protocol ipIcmpEcho 8.8.8.8 interface outside
!
! ASA syntax is "life forever start-time now" (not "start now life forever")
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface GigabitEthernet0/0
  dhcp client route track 1
!
route outside_failover 0.0.0.0 0.0.0.0 192.168.110.1

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
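Putting Francesco's tracking example and Paul's admin-distance amendment together with the two NAT objects from the original config gives the following consolidated snippet. This is an added example, not configuration from either reply or from the original poster. It assumes the 4G router on outside_failover is 192.168.110.1 (the address Francesco assumed), that 8.8.8.8 is a sensible reachability target that is only ever expected via the primary ISP, and that every inside VLAN should fail over rather than only the test PC, so obj_any2 is widened from host 192.168.5.145 to 0.0.0.0/0. The num-packets and frequency values are constructed starting points, not values from the thread.

```cisco
! --- Reachability probe out of the primary ISP interface ---
! Constructed example: ICMP echo to 8.8.8.8 (assumed target) every 10 s, 3 packets per probe.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 goes down when the probe loses reachability.
track 1 rtr 1 reachability
!
! Primary WAN: the DHCP-learned default route is tied to track 1 and kept at distance 1.
interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute
 dhcp client route track 1
 dhcp client route distance 1
!
! Backup default route via the 4G router (192.168.110.1 is an assumption).
! Distance 200 keeps it out of the routing table while the tracked distance-1 default is present;
! when track 1 fails the DHCP default is withdrawn and this route takes over.
route outside_failover 0.0.0.0 0.0.0.0 192.168.110.1 200
!
! One PAT rule per egress interface. The ASA chooses the auto-NAT rule whose mapped
! interface matches the result of the route lookup, so both rules must cover the same
! inside sources or traffic will be dropped (no xlate) after failover.
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 description Inside_Out_NAT
 nat (inside_1,outside) dynamic interface
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
 description Inside_Out_NAT_backup
 nat (inside_1,outside_failover) dynamic interface
```

To confirm the behaviour ob123 asks about, check the track state and routing table in both conditions: `show sla monitor operational-state`, `show track 1` and `show route` should show the DHCP default route with the 200-distance route absent while the probe succeeds, and the outside_failover default route appearing once track 1 reports down. `packet-tracer input inside_1 tcp 192.168.5.145 40000 8.8.8.8 443 detailed` then shows which NAT rule and egress interface a flow from the test PC would take. Two things visible in the posted config are worth keeping in mind: `timeout floating-conn 0:00:00` means connections established over the backup path are not torn down when the primary returns, so they stay on the 4G link until they close on their own; and the inside ACL only permits DNS to the DNS-Servers group (194.168.99.99), so if the backup ISP cannot reach that resolver, name resolution will fail after failover even though routing and NAT are correct.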


ob123 (Level 1)

Thank you for the input, this is most appreciated. Would I be correct in my understanding that, if the additional static route includes a distance of 200, it's ignored until "dhcp client route track 1" fails with a distance of 1, and that "dhcp client route" is a function of the interface and will be in addition to my current config on g0/0?

 

interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
 dhcp client route track 1
 dhcp client route distance 1

 

thanks again... 

 

  

Hello

 


@ob123 wrote:

Thank you for the input, this is most appreciated. Would I be correct in my understanding that, if the additional static route includes a distance of 200, it's ignored until "dhcp client route track 1" fails with a distance of 1, and that "dhcp client route" is a function of the interface and will be in addition to my current config on g0/0?


Yes correct.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ob123 (Level 1)

Thank you... 
