Interface issue on ASA 5510

ElQueue
Level 1

I have an issue where I need to add a backup route to my ASA. Currently I have Inside addressed in the 10.0.0.0/16 subnet (10.0.0.2) connected to the cable gateway (10.0.0.1). I NAT all IPs from inside (10.1.0.0/16) where the gateway PATs it. The problem I'm seeing is that I'd like to add the new backup router to the ASA on another interface (10.0.0.3/16) to the backup router (10.0.0.4/16) without worrying about changing how things are handled in NAT.

 

I know how to use the track arguments to create an automatic failover to change the default route from 10.0.0.1 to 10.0.0.4, but my ASA won't let me put 2 interfaces inside the same subnet. First of all, why is this such an issue, and second, is there any way to remove this issue?

 

Or I suppose I could ask, is there another way without doing crazy workarounds to do the same thing?

9 Replies

Hello,

 

if you want, or need, to use the same address space on both outside interfaces, you need to create an EEM script that works in conjunction with an IP SLA. The EEM script deletes the configuration of the primary interface and then configures the backup interface.

 

Post the full configuration of your ASA, so we can fill in the necessary bits and pieces...

Thanks for informing me about EEM, which was a portion of the ASA I was not familiar with. But what you're saying is that instead of using the track commands to ping out the primary ISP and, if the ping fails, remove the metric 1 static route to 10.0.0.1 (so that the default changes to the 10.0.0.4 metric 2 route), I need to write an EEM module to effectively remove the 0/0 interface config from the running config and then put in the 0/2 interface config?

 

That's something I'm capable of cobbling together as long as I'm understanding you correctly.

Craaaaaaaaaaaap. EEM is in 9.2, my ASA is running 9.1.

Hello,

 

the only reason to use EEM is that you want to use the same address space on both outgoing interfaces. Is that a definite must, or can you just use another address space on one of the interfaces ?

I could use another address space, but that would mean that I would need to use some new mechanism to perform NAT. As I stated, I do NAT from the 10.1.0.0/16 subnet into the 10.0.0.0/16 subnet, which is then processed by the 10.0.0.1 gateway via PAT to the Internet. If 10.0.0.1 goes down, I was going to use the track argument to change the default route out to 10.0.0.4. However, I can't do that if it's on a new address space. I.e., how would I change the NAT rules to point to 10.3.0.0/16 if I were to put the backup router on that subnet?

Hello,

 

what is actually connected to the secondary, backup interface ? I guess it is a different ISP connection ?

Correct. The primary is over Comcast Business Class cable, backup is a Verizon LTE connection.

Hello,

 

sorry for asking stupid questions, but I am not clear on your addressing...:)

 

Your inside address space is 10.0.0.0/16, and Comcast dishes out an address in the 10.1.0.0/16 address space ? My confusion comes from your remark that your default routes should be 10.0.0.1 and 10.0.0.4 ? I am thinking the next hop of the default routes should belong to the same address space as the outside networks ?

 

Either way, below is a sample configuration where your inside network 10.0.0.0/16 is translated to either the primary or the backup interface, depending on which route is active:

 

ASA Version 9.1(5)
!
hostname ASA
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif backup
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
! Two objects for the same inside subnet, one per egress interface:
! a network object can carry only one object NAT rule
object network Inside_Network_Primary
 subnet 10.0.0.0 255.255.0.0
object network Inside_Network_Backup
 subnet 10.0.0.0 255.255.0.0
!
object network Inside_Network_Primary
 nat (inside,outside) dynamic interface
object network Inside_Network_Backup
 nat (inside,backup) dynamic interface
!
! The primary default route is withdrawn while track 1 is down;
! the backup route (distance 254) is then the only default left
route outside 0.0.0.0 0.0.0.0 10.1.0.254 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.100.254 254
!
! ICMP probe to 4.2.2.2, pinned to the outside interface, every 10 seconds
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
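Added here as a worked check, not part of the original thread: the show commands that confirm the tracked-route failover in the sample config above is doing what it should, plus the NAT caveat that bites after the primary ISP comes back. Interface names, track and SLA numbers and next hops are the ones from the sample config; the inside client 10.0.5.20 and destination 8.8.8.8 are made-up test values. (On the original question of two interfaces in one subnet: the ASA picks the egress interface by route lookup, so two interfaces with overlapping connected subnets would make that lookup ambiguous, which is why the CLI rejects it; one subnet per ISP link, as in the sample, is the supported design.)

```text
! Verification steps for the tracked default route and per-interface PAT.
! Lines starting with "!" are comments; everything else is typed at the ASA prompt.

! 1. Probe and tracked object: is the SLA running and does it see the primary ISP?
show sla monitor configuration 1
show sla monitor operational-state 1
show track 1
!    Expect the latest operation return code to be OK and the track to report
!    "Reachability is Up" with "Static IP Routing" listed as the tracked client.

! 2. Which default route is installed right now?
show route | include 0.0.0.0
!    Normally via 10.1.0.254 on outside; via 192.168.100.254 on backup during failover.

! 3. Which NAT rule an inside flow hits, without sending real traffic.
!    The NAT phase should name Inside_Network_Primary (or Inside_Network_Backup
!    after failover) and the output-interface should match the active route.
packet-tracer input inside tcp 10.0.5.20 40000 8.8.8.8 443

! 4. Failover test: disconnect the outside link (or stop 4.2.2.2 answering)
!    and repeat steps 1 to 3. After three lost probes the track goes Down,
!    the metric-1 route is removed, and the backup route takes over.

! 5. Failback caveat: connections and xlates built while on backup stay bound
!    to the backup interface until they idle out, even after the primary route
!    is reinstalled. Check for them and clear them once the primary is healthy.
show xlate interface backup
clear xlate interface backup
```

Step 5 is the part most people miss: the route flips back automatically, but long-lived sessions (VPN tunnels, persistent HTTPS, VoIP) keep riding the LTE link and its metered bill until they are cleared or time out.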

You got a couple of things mixed up, but after looking over your proposed configuration I think I got the idea pretty much. I was overcomplicating things and it makes sense to me now.

 

Thank you very much.
