03-20-2021 11:00 AM
Hello... Looking for some insight/help on my config.
I have a NAT set up as a NetworkObject, so there is no STATIC route from inside to outside... How do I set up a second NAT NetworkObject and the associated SLA/Monitoring that I would need to prioritise the route to outside? I have set up a TEST device (PC) and I have been unable to even route traffic from that device to the secondary outside interface. I fear I'm missing something, so I'm looking for an answer and an example. New to networks, and really starting to appreciate the skills needed and the lack of my knowledge.
The topology is pretty straightforward (he said)
The primary outside route works well; the subnets are static routed back to the SG500, which takes care of the inter-VLAN routing. So at present I have an interface between the SG500 and the ASA5515, and all the VLANs work. Unable to route anything to the secondary ISP interface.
Here's the ASA config..
: Saved
:
ASA Version 9.1(2)
!
hostname HomeASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 description HomeLAN
 nameif inside_1
 security-level 100
 ip address 192.168.70.10 255.255.255.0
!
!
!
interface GigabitEthernet0/4
 description 4G Wifi WAN secondary connection to the internet
 nameif outside_failover
 security-level 0
 ip address 192.168.110.2 255.255.255.0
!
!
!
!
time-range Teens
 periodic Friday 5:00 to Saturday 0:30
 periodic Saturday 5:00 to Sunday 0:30
 periodic Monday Tuesday Wednesday Thursday Sunday 5:00 to 22:30
!
time-range TestVLAN30
 periodic daily 5:00 to 23:59
!
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.168.99.99
 domain-name xx.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 description Inside_Out_NAT
object network obj_any2
 host 192.168.5.145
 description BackupTEst
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
 description VLAN 10 Main
object network TESTPC
 host 192.168.5.145
 description TEST PC DELL
object network VLAN1
 subnet 192.168.5.0 255.255.255.0
 description VLAN 1 Default subnet 5
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
 description VLAN 10 Teens
object network VLAN30
 subnet 192.168.30.0 255.255.255.0
 description VLAN 30 Main WIFI
object network VLAN40
 subnet 192.168.40.0 255.255.255.0
 description VLAN 40 IoT
object network VLAN50
 subnet 192.168.50.0 255.255.255.0
 description VLAN 50 Management
object network VLAN31
 subnet 192.168.31.0 255.255.255.0
 description VLAN31 Teens
object network VLAN32
 subnet 192.168.32.0 255.255.255.0
 description VLAN 32 Guest
object network PrimaryDNS
 host 194.168.99.99
 description DNS
object network SeconardyDNS
 host 194.168.99.99
 description DNS
object network test
 host 8.8.8.8
 description remove
object-group network Inside_ALL_VLANs
 description All VLANs
 network-object object VLAN1
 network-object object VLAN10
 network-object object VLAN20
 network-object object VLAN30
 network-object object VLAN40
 network-object object VLAN50
object-group network DNS-Servers
 description Valid DNS Servers
 network-object object PrimaryDNS
 network-object object SeconardyDNS
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
(thanks to this forum!)
access-list outside_access_in extended permit icmp any any
access-list inside_1_access_in remark Inside access in allow Domain services to vaild DNS servers
access-list inside_1_access_in extended permit object-group TCPUDP any object-group DNS-Servers eq domain
access-list inside_1_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_1_access_in extended permit ip any any
pager lines 24
logging timestamp
logging asdm informational
logging from-address
logging recipient-address level errors
logging facility 16
logging host inside_1 192.168.99.99
mtu outside 1500
mtu inside_1 1500
mtu DMZ 1500
mtu Free 1500
mtu outside_failover 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_1,outside_failover) dynamic interface
access-group inside_1_access_in in interface inside_1
route inside_1 192.168.5.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.10.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.20.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.30.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.32.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.40.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.50.0 255.255.255.0 192.168.70.20 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.10.0 255.255.255.0 inside_1
http 192.168.70.0 255.255.255.0 inside_1
http 192.168.30.0 255.255.255.0 inside_1
http 0.0.0.0 0.0.0.0 inside_1
http 192.168.10.4 255.255.255.255 inside_1
http 192.168.10.100 255.255.255.255 inside_1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.99.99 255.255.255.255 inside_1
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside_1
dhcp-client client-id interface outside
dhcp-client client-id interface Free
dhcp-client client-id interface Management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 99.99.99.99 prefer
tftp-server inside_1 99.99.99.99 ASA_config.txt
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 99.99.99.99
mount QNAP type ftp
 server 192.168.xx.xx
 mode passive
 status enable
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
 profile SOHO
  destination address email
  destination transport-method email
  subscribe-to-alert-group snapshot periodic daily
Cryptochecksum:
: end
no asdm history enable
03-20-2021 07:48 PM - edited 03-20-2021 07:49 PM
Hi
The NAT you put there is OK. Your 1st interface outside is configured with a DHCP address and DHCP route. The 2nd, outside_failover, has a static route.
I will assume the ISP router connected to outside_failover interface has IP 192.168.110.1.
You will need to configure tracking to monitor when ISP1 goes down in order to switch over to the 2nd link.
Here is an example config:
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
!
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface Gi0/0
 dhcp client route track 1
!
route outside_failover 0.0.0.0 0.0.0.0 192.168.110.1
03-21-2021 04:53 AM - edited 03-21-2021 04:54 AM
Hello
Just like to add a slight amendment to @Francesco Molino pertaining to the admin distances of the conditional ISP default routes, so as to make sure the backup ISP default has a less preferred distance value.
interface GigabitEthernet0/0
 dhcp client route track 1
 dhcp client route distance 1
route outside_failover 0.0.0.0 0.0.0.0 192.168.110.x 200
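An added example (mine, not from anyone in this thread) that models the route selection and NAT lookup the answers above describe: a tracked DHCP default route with distance 1, a static backup on outside_failover with distance 200, and the OP's two NAT objects. The 4G next hop 192.168.110.1 is Francesco's assumption reused here, and the DHCP gateway is a placeholder; it shows that after a failover only the test PC matches a NAT rule on outside_failover.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class DefaultRoute:
    egress: str          # nameif of the egress interface
    next_hop: str
    distance: int        # administrative distance, lower wins
    track_id: int = 0    # 0 = untracked; otherwise withdrawn while the track is down

@dataclass
class NatRule:
    src: str             # source object as CIDR, e.g. "0.0.0.0/0" for obj_any1
    ingress: str
    egress: str

# Default routes as the thread leaves them: the DHCP route on "outside"
# (next hop is a placeholder, it is learned from DHCP) tracked by track 1 with
# distance 1, and the static backup on "outside_failover" with distance 200.
ROUTES = [
    DefaultRoute("outside", "DHCP-GW-PLACEHOLDER", 1, track_id=1),
    DefaultRoute("outside_failover", "192.168.110.1", 200),
]

# The two NAT rules from the OP's config: obj_any1 (any -> outside) and
# obj_any2 (only the test PC 192.168.5.145 -> outside_failover).
NAT_RULES = [
    NatRule("0.0.0.0/0", "inside_1", "outside"),
    NatRule("192.168.5.145/32", "inside_1", "outside_failover"),
]

def active_default(routes, track_state):
    """Installed default route: lowest distance among routes whose track is up."""
    usable = [r for r in routes
              if r.track_id == 0 or track_state.get(r.track_id, True)]
    return min(usable, key=lambda r: r.distance) if usable else None

def nat_for(src_ip, egress, rules):
    """First NAT rule whose source object contains src_ip for this egress, or None."""
    for rule in rules:
        if rule.egress == egress and ip_address(src_ip) in ip_network(rule.src):
            return rule
    return None

def egress_and_nat(src_ip, track_state):
    """Return (egress nameif, True if a NAT rule translates src_ip on that egress)."""
    route = active_default(ROUTES, track_state)
    return route.egress, nat_for(src_ip, route.egress, NAT_RULES) is not None
```

Calling egress_and_nat("192.168.10.50", {1: False}) returns ("outside_failover", False): with ISP1 down, hosts outside obj_any2 leave via the 4G interface with no NAT rule, so a wider object on outside_failover is needed before relying on the failover path.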
03-23-2021 08:51 AM
Thank you for the input, this is most appreciated. Would I be correct in my understanding that, if the additional static route includes a distance of 200, it's ignored until "dhcp client route track 1" fails with a distance of 1, and that "dhcp client route" is a function of the interface and will be in addition to my current config on g0/0?
interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute
 dhcp client route track 1
 dhcp client route distance 1
thanks again...
03-23-2021 09:12 AM
Hello
@ob123 wrote:
Thank you for the input, this is most appreciated. Would I be correct in my understanding that, if the additional static route includes a distance of 200, it's ignored until "dhcp client route track 1" fails with a distance of 1, and that "dhcp client route" is a function of the interface and will be in addition to my current config on g0/0?
Yes correct.
03-23-2021 10:20 AM
Thank you...