Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
0
Helpful
2
Replies

ASA5506-K9 dual IPS internet

Svetoslav Simeonov
Level 1
Level 1

‎08-14-2019 10:06 AM

Hello all,

 

Can I use dual IPS internet connections on a ASA5506-K9 with basic license. If it is possible can you please share the steps how it is done via ASDM.

Thank you.

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎08-14-2019 11:03 AM - edited ‎08-14-2019 11:04 AM

If you meant to ISP (not IPS i guess)

 

here is the setup guide for reference, any issue post the running config, so we can tweak or suggest.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

not sure what license you have can you post show version to look.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Svetoslav Simeonov
Level 1
Level 1
In response to balaji.bandi

‎08-20-2019 09:50 AM


:
: Serial Number: JAD220804BA
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$LnEsaFAelrppRD73k9KcwQ==$CdbxNo75LTvkRUP1Pkynbg== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 85.187.208.249 255.255.255.0
!
interface GigabitEthernet1/2
nameif backup
security-level 0
ip address 85.187.220.11 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 85.187.208.1 outside
name-server 8.8.8.8 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network inside
host 0.0.0.0
object network backup-inside
subnet 0.0.0.0 0.0.0.0
object network backup-inside2
subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu backup 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network backup-inside
nat (inside_2,backup) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 85.187.208.1 1 track 10
route backup 0.0.0.0 0.0.0.0 85.187.220.1 245
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.50.0 255.255.255.0 inside_4
http 192.168.50.0 255.255.255.0 inside_6
http 192.168.50.0 255.255.255.0 inside_5
http 192.168.50.0 255.255.255.0 inside_7
http 192.168.50.0 255.255.255.0 inside_2
http 192.168.50.0 255.255.255.0 inside_3
no snmp-server location
no snmp-server contact
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 123 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 10 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.50.5-192.168.50.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username ciscoasa password $sha512$5000$RV/co+rLCz1evPltnRL70g==$48U94fqtcMAY4YZYNcwWFg== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:455b06bcc6c0483fb6b11eaf15d3f7b3
: end


Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 6 mins 1 sec

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 28ac.9e95.efb6, irq 255
2: Ext: GigabitEthernet1/2 : address is 28ac.9e95.efb7, irq 255
3: Ext: GigabitEthernet1/3 : address is 28ac.9e95.efb8, irq 255
4: Ext: GigabitEthernet1/4 : address is 28ac.9e95.efb9, irq 255
5: Ext: GigabitEthernet1/5 : address is 28ac.9e95.efba, irq 255
6: Ext: GigabitEthernet1/6 : address is 28ac.9e95.efbb, irq 255
7: Ext: GigabitEthernet1/7 : address is 28ac.9e95.efbc, irq 255
8: Ext: GigabitEthernet1/8 : address is 28ac.9e95.efbd, irq 255
9: Int: Internal-Data1/1 : address is 28ac.9e95.efb5, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 28ac.9e95.efb5, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: JAD220804BA
Running Permanent Activation Key: 0xea3bd443 0x74a3959b 0xd4e3c904 0x9c908074 0xc6120295
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.

 

 

This is the configuration of my ASA. Unfortunately it does not work for two IPS. It works with the first one but as soon I plug the network cable for the second internet provider - all internet stops. I used this tutorial:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

Please help.

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents