Outside NAT to internal machines - 2 ISPs

Darren Spezio

I have 2 ISP links, 69.74.x.x and a second new one, 108.162.x.x, that I just added to our Cisco 2900 to increase our overall speed, which is working.

Can the outside NAT connections that are on the 69.74.x.x  be affected by adding the new link? I have a few users reporting that they can't get into internal machines from outside that have NAT through the ASA starting about the time I added this link, while others have no issue at all.

NAT on ASA = 69.74.x.x > 10.8.x.x

interface GigabitEthernet0/0
 description Outside-LightPath
 ip address 173.251.x.x 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description To Firewall
 ip address 69.74.x.x 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description To Cable WAN
 ip address 108.162.x.x 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
! Standard ACLs take a wildcard mask: the /28 on Gi0/1 is 0.0.0.15, not 255.255.255.240
access-list 50 permit 69.74.x.x 0.0.0.15
!
! PAT (overload) the ACL-matched inside sources onto the cable WAN interface address
ip nat inside source list 50 interface GigabitEthernet0/2 overload
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 173.251.x.x
ip route 0.0.0.0 0.0.0.0 108.162.x.x


It should have cleared any entries since you made the change.

Just do a "sh ip nat translations" and see what it says.

Jon

Pro Inside global          Inside local        Outside local              Outside global
udp 108.1x.146:328    69.x.211:328       17.x.125:123             17.x125:123

So only the 69.x.x.211 IP which is what you want.

Are the users still unable to access the servers?

If they try, then run that command again to make sure there are no translations for server IPs.

Jon
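One way to automate the check described above (the router's translation table should contain only the user PAT address, never a server IP from the firewall /28), as an added example that is not from this thread. The sample output is constructed in the layout of "show ip nat translations", and the RFC 5737 addresses, subnet and PAT address are assumed stand-ins for the poster's 69.74.x.x values.

```python
import ipaddress
import re

# Constructed sample in the layout of "show ip nat translations" quoted in the
# thread; RFC 5737 documentation addresses stand in for the poster's real ones.
SAMPLE_OUTPUT = """\
Pro Inside global       Inside local          Outside local         Outside global
udp 192.0.2.146:328     198.51.100.211:328    203.0.113.125:123     203.0.113.125:123
tcp 192.0.2.146:1025    198.51.100.213:443    203.0.113.9:51234     203.0.113.9:51234
--- 192.0.2.146         198.51.100.211        ---                   ---
"""

# Assumed stand-ins: the /28 between the router and the ASA, and the single
# address in it (the "internal users" PAT address) that may legitimately appear
# as an inside-local address on the router. Every other /28 address is a
# one-to-one NAT for a server and should never be translated a second time.
FIREWALL_SUBNET = ipaddress.ip_network("198.51.100.208/28")
USER_PAT_ADDRESS = ipaddress.ip_address("198.51.100.211")

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def _addr(field):
    """Drop the ':port' suffix; '---' means the column is empty."""
    host = field.rsplit(":", 1)[0]
    return None if host == "---" else ipaddress.ip_address(host)

def parse_translations(text):
    """Parse the translation table into dicts, skipping the header line."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or line.startswith("Pro "):
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": _addr(ig),
                     "inside_local": _addr(il), "outside_local": _addr(ol),
                     "outside_global": _addr(og), "raw": line})
    return rows

def unexpected_server_translations(text, subnet=FIREWALL_SUBNET,
                                   allowed=USER_PAT_ADDRESS):
    """Rows whose inside-local address is a server IP (in the /28 but not
    the user PAT address); an empty list is the state Jon is asking for."""
    return [r for r in parse_translations(text)
            if r["inside_local"] is not None
            and r["inside_local"] in subnet
            and r["inside_local"] != allowed]
```

Feed it the saved output of "show ip nat translations" after users retry; any row it returns is a server IP being PATed onto the cable link and should be cleared and excluded by the ACL.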

How long will the internet be disrupted once I run clear ip nat translations * ?

You don't need to if that is all that is in the translation table because there are no 69.x.x.x server IPs.

You only need to clear translations for any 69.x.x.x server IPs not the 69.x.x.211 IP because that is just used for internal users to get to the internet.

I am not sure where we are with this at the moment, i.e. have users tried to connect to servers since you modified the acl, and is it still not working?

And is general internet access for internal users working ?

Jon

I ran the command a bunch of times and they are all on 69.x.211. Everyone inside is able to get out to the internet without any issues. The only thing is that some outside users are not able to get to the inside servers.

Well it is not a NAT issue anymore.

I suspect the ones that aren't working are the ones going via the backup link, perhaps causing a lot of out of order packets etc.

I would suggest trying the PBR solution so that all traffic to and from the servers uses the primary link.

Jon

Okay I will have to try PBR tomorrow - I will keep you posted

Thank you Jon for all your help

Since adding "access-list 50 permit host 62.x.x.211", all of our e-mail notifications from our IT help system and scan to e-mail stopped working; both use aspmx.l.google.com - very strange.

Jon any thoughts on this?

Sorry, I missed your latest reply.

I don't know why the change has broken connectivity.

All that change does is stop traffic from the servers being translated to 10.182.x.x IPs, and that should not break anything.

There is obviously something else going on that isn't clear at the moment.

Can you post the full router configuration ?

Jon

Attached - I still have not had the chance to config the PBR after core hours.

There is nothing obviously wrong with your router configuration.

All I can say is what I have said before, i.e. using that acl simply means servers that are translated to other 69.x.x.x IPs are not translated again to 10.182.x.x IPs, which is what you want.

Unless your backup ISP is filtering on the source IP address; if they are, then that would break things.

Jon

I removed the secondary "ip route 0.0.0.0 0.0.0.0 108.x.x.x" and now the e-mail alerts and scan to email are working again; they both use aspmx.l.google.com. I'm a little confused as to what could be happening when that route is in place.

How are the users connecting to the servers ?

Jon