Thanks Jon

I was trying to add a cable modem for added bandwidth, which is working, but I'm guessing it's not correct.

The primary is a fiber link = 69.74.x.x and the cable modem is what I just added = 108.162.x.x

So do I have it backwards? and should interface be gi 0/1 instead of the IP and subnet mask?

I'm not sure what you are trying to do.

Your "ip nat inside ...." statement doesn't make sense because you say "interface" which should be followed by an interface not by an IP address.

But I'm not saying just change it because I have no idea what you want to NAT and what you don't.

If you NAT all 69.74.x.x IPs to 108.162.x.x then for some users it will break because what is happening is your router will alternate between the default routes.

So some users connect to a 69.74.x.x IP and the return traffic uses the default route via the primary and it works.

Whereas some users connect to a 69.74.x.x IP and the return traffic uses the other default route and so you then translate the 69.74.x.x IP to a 108.162.x.x IP and this breaks the connection because the return packet to the user comes back with a different IP.

Jon

I wanted to add the second link for the additional bandwidth because we are topping out on the primary and I thought I could by using IP NAT on the router. 

All of the outside NAT addresses that configured on our ASA use the 69.74.x.x to get to from outside to internal machines, we have about 4 of them, and they worked before adding the cable modem.

Is there a way to make the router config work so that I get the added bandwidth of the cable modem and have the existing NATs on the ASA work? From your explanation it seems like the routes will always be split between the 2 links so that will cause it to break.

Thanks for your help, I'm hope that clears it up a bit

You can get it work and there are a number of ways.

If you want to make sure the traffic to and from those specific 69.74.x.x IPs always use the primary link then you can use PBR on the router to override the default route.

You would usually need to do failover with PBR but you probably don't because if the primary link fails no one can get to the 69.74.x.x IPs anyway.

So you do just do PBR for the 69.74.x.x IPs where you present an inside device for access from the internet.

For inside access to the internet ie. most traffic you don't do PBR and so you use both routes.

The alternative is even simpler in that with the acl you use for NAT on your router you exclude the specific 69.74.x.x IPs so even if they go out of the backup link the traffic the IPs are not translated.

Again you do it only for those 69.74.x.x IPs for the specific servers not the 69.74.x.x IP used for general internet access.

The only issue with the second solution is you get asymmetric traffic ie. traffic can come in via the primary link and be returned via the backup link.

Not necessarily a bad thing but you may want all traffic to and from those servers to only use the primary link ?

Either way would work assuming that the 69.74.x.x IP used for general internet access for your internal users is different from the 69.74.x.x IPs for specific services you are hosting.

Jon

Before I set up PBR are there any corrections that I should make to the current config, maybe just the IP NAT interface?

Do you have any simple documentation for setting up PBR?

On another note what will happen should one of the links goes down? will general internet access stop working for users or will connections just go out on the link that is active/up? Should I setup IP SLA?

PBR looks a little confusing to me from the documentation that I found.

How does this acl deny look?

interface GigabitEthernet0/0
description Outside-LightPath
ip address 173.251.x.x 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description To Firewall
ip address 69.74.x.x 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 108.162.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 50 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 173.251.x.x
ip route 0.0.0.0 0.0.0.0 108.162.x.x

access-list 50 permit 69.74.x.x 0.0.0.15
access-list 50 deny 69.74.x.x 0.0.0.15  This 69.x address represents NAT from outside to inside and is different than the permit 69.x that is used for general internet access.

No that won't work.

You need to deny the specific 69.74.x.x IPs that are used for servers and then permit the general 69.74.x.x or flip the logic around and simply permit only the specific 69.74.x.x IP used for general internet access.

Just to clarify when I keep saying specific IP for general access I mean the IP used to translate all users when they go out to the internet.

And I am assuming that is a different IP from the ones used for the servers ?

As previously mentioned if you want to ensure that all traffic to and from the servers uses the primary link only PBR is a better solution.

Don't worry about the configuration, that is what these forums are for, and I can provide you with it and help you make sure it is working.

So which solution do you want to try ?

Jon

Just trying to understand Jon - The deny in red is a different 69.x IP address than the permit IP though, it's part of the block of public IP addresses 69.x.x.1 - 69.x.x.10 on the primary link.

I would ultimately like to go with the PBR solution.  

Darren

It's probably me not explaining very well but the red part is the same as the line above just a deny instead of a permit.

Lets try and simplify things.

Your ASA controls the 69.74.x.x IPs as far as I can see.

What IP from that range is used for general internet access for internal users ?

It is usually the one allocated to the outside interface of the ASA.

What IPs are in use for the servers you give access to from the internet ?

Jon

What IP from that range is used for general internet access for internal users ?  Outside interface on ASA is 69.x.x.211 and is the same when I use what is my ip

What IPs are in use for the servers you give access to from the internet ? 69.x.x.212, 69.x.x214, 69.x.x.215 these point to 3 different machines on 10.8.x.x

So both solutions with the acl one first -

"access-list 50 permit ip host 69.x.x.211"

that is all you need to do because you are then saying for any other 69.x.x.x IPs do not NAT them to 10.182.x.x IPs if they go via the backup link.

Like I say this means that a client could connect to 69.x.x.212 for example via the primary link but the return traffic could go via either link but it doesn't matter because the source IP of the return traffic is still 69.x.x.212.

If you want to make sure traffic to and from the server always goes via the primary link then firstly you still modify acl 50 as above even though it is not absolutely necessary and then -

access-list 101 permit ip host 69.x.x.212 any
access-list 101 permit ip host 69.x.x.214 any
access-list 101 permit ip host 69.x.x.215 any

route-map PBR permit 10
match ip address 101
set ip next-hop 173.251.x.x

then apply the route map to the ingress interface ie.

int gi0/1
ip policy route-map PBR

like I say either should work It's really up you which one your prefer.

Let me know how you get on.

Jon

Trying the acl first - I did a no access-list 50 permit 69.x.x.208 and entered    access-list 50 permit ip host 69.x.x.211 and it will switched it back to access-list 50 permit 69.x.x.208 on its own, tried 3 times.

Not sure I follow.

A router should not switch back to a previous acl if you delete an acl and enter a new one.

Perhaps you can post output ie. show acl before, delete acl and enter new one and then show acl again.

Never come across this before.

Jon