Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1460
Views
25
Helpful
5
Replies

Dual ISP Setup on a ASA using Network NAT objects

Go to solution
ob123
Beginner
Beginner

‎03-20-2021 11:00 AM

Hello... Looking for some insight/help on my config.

 

I have a NAT setup as a NetworkObject, so there is no STATIC route from inside to outside... How do I setup a second NAT NetworkObject and the associated SLA/Monitoring, that I would need to priorities the route to outside.  I have setup a TEST Device (PC) and I have been unable to even route traffic from that device to the secondary outside interface. I fear i'm missing something, so looking for an answer and an example. New to Networks, and really starting to appreciate the skills needed and the lack of my knowledge.   

 

The topology is pretty straightforward (he said) 

 

example.jpeg

 

The primary outside route works well, the subnets are static routed back to the SG500 which takes care of the intervlan routing. So at present I have an interface between the SG500 and the ASA5515.. all the VLANs work. Unable to route anything to the secondary ISP interface  

 

Here's the ASA config.. 

 

: Saved
:
ASA Version 9.1(2) 
!
hostname HomeASA

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet0/1
 description HomeLAN
 nameif inside_1
 security-level 100
 ip address 192.168.70.10 255.255.255.0 
!

!

!
interface GigabitEthernet0/4
 description 4G Wifi WAN secondary connection to the internet
 nameif outside_failover
 security-level 0
 ip address 192.168.110.2 255.255.255.0 
!

!

!
!
time-range Teens
 periodic Friday 5:00 to Saturday 0:30
 periodic Saturday 5:00 to Sunday 0:30
 periodic Monday Tuesday Wednesday Thursday Sunday 5:00 to 22:30
!
time-range TestVLAN30
 periodic daily 5:00 to 23:59
!
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.168.99.99
 domain-name xx.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
 description Inside_Out_NAT
object network obj_any2
 host 192.168.5.145
 description BackupTEst
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
 description VLAN 10 Main
object network TESTPC
 host 192.168.5.145
 description TEST PC DELL
object network VLAN1
 subnet 192.168.5.0 255.255.255.0
 description VLAN 1 Default subnet 5
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
 description VLAN 10 Teens
object network VLAN30
 subnet 192.168.30.0 255.255.255.0
 description VLAN 30 Main WIFI
object network VLAN40
 subnet 192.168.40.0 255.255.255.0
 description VLAN 40 IoT
object network VLAN50
 subnet 192.168.50.0 255.255.255.0
 description VLAN 50 Management
object network VLAN31
 subnet 192.168.31.0 255.255.255.0
 description VLAN31 Teens
object network VLAN32
 subnet 192.168.32.0 255.255.255.0
 description VLAN 32 Guest
object network PrimaryDNS
 host 194.168.99.99
 description DNS
object network SeconardyDNS
 host 194.168.99.99
 description DNS
object network test
 host 8.8.8.8
 description remove
object-group network Inside_ALL_VLANs
 description All VLANs
 network-object object VLAN1
 network-object object VLAN10
 network-object object VLAN20
 network-object object VLAN30
 network-object object VLAN40
 network-object object VLAN50
object-group network DNS-Servers
 description Valid DNS Servers
 network-object object PrimaryDNS
 network-object object SeconardyDNS
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
(thanks to this forum!) 
access-list outside_access_in extended permit icmp any any 
access-list inside_1_access_in remark Inside access in allow Domain services to vaild DNS servers
access-list inside_1_access_in extended permit object-group TCPUDP any object-group DNS-Servers eq domain 
access-list inside_1_access_in extended deny object-group TCPUDP any any eq domain 
access-list inside_1_access_in extended permit ip any any 
pager lines 24
logging timestamp
logging asdm informational
logging from-address 
logging recipient-address  level errors
logging facility 16
logging host inside_1 192.168.99.99
mtu outside 1500
mtu inside_1 1500
mtu DMZ 1500
mtu Free 1500
mtu outside_failover 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside_1
icmp permit any echo-reply inside_1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_1,outside_failover) dynamic interface
access-group inside_1_access_in in interface inside_1
route inside_1 192.168.5.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.10.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.20.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.30.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.32.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.40.0 255.255.255.0 192.168.70.20 1
route inside_1 192.168.50.0 255.255.255.0 192.168.70.20 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.10.0 255.255.255.0 inside_1
http 192.168.70.0 255.255.255.0 inside_1
http 192.168.30.0 255.255.255.0 inside_1
http 0.0.0.0 0.0.0.0 inside_1
http 192.168.10.4 255.255.255.255 inside_1
http 192.168.10.100 255.255.255.255 inside_1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.99.99 255.255.255.255 inside_1
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside_1
dhcp-client client-id interface outside
dhcp-client client-id interface Free
dhcp-client client-id interface Management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 99.99.99.99 prefer
tftp-server inside_1 99.99.99.99 ASA_config.txt

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 99.99.99.99
mount QNAP type ftp
 server 192.168.xx.xx

 
 mode passive
 status enable
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
 profile SOHO
  destination address email 
  destination transport-method email
  subscribe-to-alert-group snapshot periodic daily
Cryptochecksum:
: end
no asdm history enable

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎03-21-2021 04:53 AM - edited ‎03-21-2021 04:54 AM

Hello
Just like to add a slight amendment to @Francesco Molino  pertaining to the admin distances of the conditional isp default routes, so to make sure the back isp default has a less preferred distance value.

 

interface GigabitEthernet0/0
dhcp client route track 1
dhcp client route distance 1

route outside_failover 0.0.0.0 0.0.0.0 192.168.110.x 200


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎03-20-2021 07:48 PM - edited ‎03-20-2021 07:49 PM

Hi

 

The nat you put there is ok. Your 1st interface outside is configured with dhcp address and dhcp route. The 2nd outside_failover has a static route.

I will assume the ISP router connected to outside_failover interface has IP 192.168.110.1.

You will need to configure a tracking to monitor when ISP1 goes down in order to switchover the 2nd link.

Here an example of config:

sla monitor 1
  type echo protocol ipicmpecho 8.8.8.8 interface outside
!
sla monitor schedule 1 start now life forever
!
track 1 rtr 1 reachability
!
interface Gi0/0
  dhcp client route track 1
!
route outside_failover 0.0.0.0 0.0.0.0 192.168.110.1

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
paul driver
VIP
VIP

‎03-21-2021 04:53 AM - edited ‎03-21-2021 04:54 AM

Hello
Just like to add a slight amendment to @Francesco Molino  pertaining to the admin distances of the conditional isp default routes, so to make sure the back isp default has a less preferred distance value.

 

interface GigabitEthernet0/0
dhcp client route track 1
dhcp client route distance 1

route outside_failover 0.0.0.0 0.0.0.0 192.168.110.x 200


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
ob123
Beginner
Beginner

‎03-23-2021 08:51 AM

Thank you for the input, this is most appreciated. Would i be correct in my understanding, if the addtional static route includes a distance of 200. Its ignored until DHCP client route track 1 fails with a distance of 1 and "DHCP client route" is a function of Interface and this will be in addition to my current config on g0/0

 

interface GigabitEthernet0/0
 description HomeWAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
 DHCP Client route track 1
 DHCP client route distance 1

 

thanks again... 

 

  

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to ob123

‎03-23-2021 09:12 AM

Hello

 

@ob123 wrote:

Thank you for the input, this is most appreciated. Would i be correct in my understanding, if the addtional static route includes a distance of 200. Its ignored until DHCP client route track 1 fails with a distance of 1 and "DHCP client route" is a function of Interface and this will be in addition to my current config on g0/0

Yes correct.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
ob123
Beginner
Beginner

‎03-23-2021 10:20 AM

Thank you... 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents