04-02-2014 11:10 AM
I have two ISP's and am having an issue when I setup the routing to send all the internet traffic out the second ISP and site-to-site traffic out the first ISP. I'm setup exactly like this guide.
http://oasysadmin.com/2013/06/14/cisco-asa-with-dual-isps-one-for-internet-and-one-for-vpn-example/
My DHCP is assigning me the DNS server in my remote office, like it should. So, to get to the internet, I query a DNS server at 10.2.2.0/24, then I should be going out 192.168.1.1 to get the website. But, for some reason it's not doing that. I can see my machine querying the DNS server and see the response, but then I can't see anything about it not pulling up the page. To make matters worse, I'm in a different office and can't see the actual IE screen the user is getting.
Here's the NAT and routes
global (ISP1) 1 interface
global (ISP2) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ISP2) 0 access-list ISP2_nat0_outbound
nat (ISP2) 2 0.0.0.0 0.0.0.0
route ISP1 0.0.0.0 0.0.0.0 192.168.1.254 1
route ISP2 10.2.2.0 255.255.255.0 172.16.1.254 1
route ISP2 172.16.2.0 255.255.255.0 172.16.1.254 1
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
interface Vlan2
nameif ISP1
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
nameif ISP2
security-level 0
ip address 172.16.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ISP1_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ISP2_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
04-02-2014 12:43 PM
Can you post your actual configuration? To me, without further info, you probably do not have the correct NAT setup for your internet routed traffic.
04-03-2014 01:34 AM
So, is the user able to ping the DNS server?
Is the DNS request resolving and HTTP traffic just not being sent out ISP1?
If you issue a nslookup google.com command from the PC, does this resolve correctly?
You say in your post that you want to send VPN out the first ISP and internet out the second ISP. Not sure if this is just wrong wording in relation to your configuration, but in your config you have set up internet out ISP1 and VPN out ISP2. Could you clarify this, please?
As mentioned by jjohnston please post a full running config (sanitised).
Also, just an observation, the nat0 is only applied in an inbound direction so the nat0 you have configured on the ISP2 interface is redundant and should be removed. In addition to this, if you are not using the ISP2 for internet then the dynamic NAT you have configured for it is also not needed...unless this is also used as a backup link.
--
Please remember to rate and select a correct answer
04-04-2014 05:12 AM
Here you go. Yes, they can query DNS and I can see DNS responding to the queries.
EDIT: Removed the config
04-04-2014 05:12 AM
Your config on this ASA looks fine, and considering you say you are resolving dns requests correctly is another sign it is ok. Do you see anything in the logs that could be indicating there is a drop due to a configured rule or similar?
Good that the DNS server is responding to the query, but is that query reaching the host again? Could be a misconfiguration on the remote end, doubtful, but worth checking also.
--
Please remember to rate and select a correct answer
04-07-2014 01:33 PM
Figured out the issue. I just needed a day to not look at it and when I logged in the next morning, it was staring me in the face. Problem was my NAT was incorrect. I was doing the NAT wrong.
Had to change: nat (inside) 1 0.0.0.0 0.0.0.0
TO: nat (inside) 2 0.0.0.0 0.0.0.0
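The mechanism behind that fix, as an added illustration that is not part of the thread: on the legacy ASA NAT syntax a "nat (inside) <id>" rule only produces a translation when a "global (egress) <id>" with the same id exists on the interface the route lookup picks, so VPN traffic (nat 0 exempt) keeps working while internet traffic with a mismatched id never gets a usable translation. The interface names and addresses come from the posted config; the default route out ISP2 is an assumption based on the poster's stated goal, since the full config was removed.

```python
import ipaddress

# Constructed model of the legacy (pre-8.3) ASA "nat"/"global" id pairing.
# Addresses and interface names are from the thread; the default route via
# ISP2 is an assumption (the poster's stated goal), not shown on the page.
ROUTES = [                       # (prefix, egress interface); longest match wins
    ("10.2.2.0/24", "ISP2"),     # remote office reached over the VPN
    ("172.16.2.0/24", "ISP2"),
    ("0.0.0.0/0", "ISP2"),       # assumed: internet out the second ISP
]
NAT0_EXEMPT = ["10.2.2.0/24"]    # inside_nat0_outbound: VPN traffic is not translated
# global (ISP1) 1 interface / global (ISP2) 2 interface -> PAT to that interface address
GLOBALS = {("ISP1", 1): "192.168.1.1", ("ISP2", 2): "172.16.1.1"}


def egress_interface(dst):
    """Pick the egress interface by longest-prefix route lookup."""
    addr = ipaddress.ip_address(dst)
    best = max(ROUTES, key=lambda r: ipaddress.ip_network(r[0]).prefixlen
               if addr in ipaddress.ip_network(r[0]) else -1)
    return best[1]


def translate(src, dst, inside_nat_id):
    """Return (egress interface, translated source) for an inside -> dst packet.

    A translated source of None means no global with this nat id exists on the
    egress interface: the legacy ASA either drops the packet or sends it with its
    private source address, and in both cases no reply ever comes back, which is
    exactly the 'DNS works but the page hangs' symptom from the thread.
    """
    egress = egress_interface(dst)
    if any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in NAT0_EXEMPT):
        return egress, src                        # nat 0 exemption: source untouched
    pool = GLOBALS.get((egress, inside_nat_id))   # needs global (egress) <same id>
    return egress, pool
```

Running translate() with nat id 1 (the original "nat (inside) 1") against a public destination returns no translation, while nat id 2 (the fix) pairs with global (ISP2) 2 and PATs to 172.16.1.1.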