10-25-2012 02:43 AM
Hello Guys,
I have two ISPs which are configured on two different Cisco ASAs, separately. Please refer to the configurations below for both ASAs.
My requirement is to put both ISPs and their configurations on a single ASA, and the second ASA will be put in for Active/Standby failover.
We have to do this on priority. Please suggest....
:
ASA Version 7.0(8)
!
hostname GOIP-FW-SPECTRANET
domain-name goipglobal.local
enable password ezaMyFFEuoF0dAEd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 180.151.8.26 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone IST 5 30
object-group service TCP-vocable tcp
port-object eq www
port-object range 8000 8099
port-object range 7500 7599
port-object range 12000 12999
port-object range 11000 11999
port-object eq ssh
object-group network vocable
network-object 180.151.8.122 255.255.255.255
network-object 180.151.8.123 255.255.255.255
object-group icmp-type vocable-icmp
icmp-object echo-reply
icmp-object echo
object-group icmp-type 1
icmp-object traceroute
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object 192.168.1.0 255.255.255.0
object-group network vocable_real
network-object 192.168.1.122 255.255.255.255
network-object 192.168.1.129 255.255.255.255
object-group network vocable-vpn
network-object 192.168.11.170 255.255.255.255
network-object 192.168.11.160 255.255.255.255
network-object 192.168.11.162 255.255.255.255
access-list outside-in-acl extended permit icmp any any echo-reply
access-list outside-in-acl extended permit icmp any any time-exceeded
access-list outside-in-acl extended permit icmp any any unreachable
access-list outside-in-acl extended permit icmp any host 180.151.8.27
access-list outside-in-acl extended permit ip any host 180.151.8.27
access-list outside-in-acl extended permit icmp any host 180.151.8.28
access-list outside-in-acl extended permit ip any host 180.151.8.28
access-list outside-in-acl extended permit icmp any host 180.151.8.29
access-list outside-in-acl extended permit ip any host 180.151.8.29
access-list outside-in-acl extended permit icmp host 202.53.250.100 any
access-list outside-in-acl extended permit icmp any object-group vocable
access-list outside-in-acl extended permit icmp any object-group vocable traceroute
access-list outside-in-acl extended permit ip any host 180.151.8.30
access-list outside-in-acl extended permit icmp any host 180.151.8.30
access-list outside-in-acl extended permit icmp any host 180.151.8.124
access-list outside-in-acl extended permit ip any host 180.151.8.124
access-list outside-in-acl extended permit ip any host 180.151.8.126
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq ssh
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq www
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5800
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5900
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5901
access-list outside-in-acl extended permit ip any host 180.151.8.122
access-list outside-in-acl extended permit ip any host 180.151.8.123
access-list outside-in-acl extended permit ip any host 180.151.8.125
access-list outside-in-acl extended permit tcp any object-group vocable object-group TCP-vocable
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 3690
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 6200
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 9101
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 9102
access-list remote-vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 172.17.2.19 object-group vocable-vpn
access-list inside_nat0_outbound extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list vocable extended permit ip any host 180.151.8.122
access-list vocable extended permit ip any host 180.151.8.123
access-list vocable extended permit ip host 180.151.8.122 any
access-list vocable extended permit ip host 180.151.8.123 any
access-list vocable extended permit ip any host 180.151.8.125
access-list vocable extended permit ip host 180.151.8.125 any
access-list class-default extended permit ip any any
access-list vocable_vpn extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list outside_cryptomap_22 extended permit ip host 172.17.2.19 object-group vocable-vpn
access-list outside_cryptomap_20_1 extended permit ip host 172.17.2.109 object-group vocable-vpn
pager lines 24
logging enable
logging timestamp
logging trap informational
logging device-id hostname
logging host inside 172.16.0.124
mtu outside 1500
mtu inside 1500
ip local pool remote_ip_pool 10.10.10.1-10.10.10.100 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface fail GigabitEthernet0/3
failover interface ip fail 1.1.1.1 255.255.255.0 standby 1.1.1.2
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 180.151.8.126 8080 172.16.0.4 8080 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 8500 172.16.0.124 8500 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 3389 192.168.1.48 3389 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 4200 172.16.0.124 3389 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 8283 172.16.0.16 3389 netmask 255.255.255.255
static (inside,outside) 180.151.8.27 192.168.1.120 netmask 255.255.255.255
static (inside,outside) 180.151.8.29 192.168.1.25 netmask 255.255.255.255
static (inside,outside) 180.151.8.122 192.168.1.122 netmask 255.255.255.255
static (inside,outside) 180.151.8.123 192.168.1.129 netmask 255.255.255.255
static (inside,outside) 180.151.8.125 172.17.2.109 netmask 255.255.255.255
static (inside,outside) 180.151.8.28 192.168.1.244 netmask 255.255.255.255
static (inside,outside) 180.151.8.124 172.16.16.200 netmask 255.255.255.255
access-group outside-in-acl in interface outside
route outside 0.0.0.0 0.0.0.0 180.151.8.25 1
route inside 172.18.0.0 255.255.0.0 192.168.1.1 1
route inside 172.17.0.0 255.255.0.0 192.168.1.1 1
route inside 172.16.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remote-vpn internal
group-policy remote-vpn attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelall
split-tunnel-network-list value remote-vpn_splitTunnelAcl
webvpn
group-policy goip internal
group-policy goip attributes
vpn-tunnel-protocol IPSec
webvpn
username sandeep password 3RPLe5XLRun5d2eR encrypted
username goip password HgC84z9ard1.bOgr encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.123 255.255.255.255 inside
snmp-server host inside 172.17.2.107 community goip$123
snmp-server host inside 172.16.0.124 poll community goip-pix
snmp-server host inside 172.16.0.27 community goip-pix
no snmp-server location
no snmp-server contact
snmp-server community goip-pix
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set goip esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set goip
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set peer 202.134.12.24
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 22 set security-association lifetime seconds 28800
crypto map outside_map0 22 set security-association lifetime kilobytes 4608000
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
default-group-policy remote-vpn
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
tunnel-group 202.134.12.24 type ipsec-l2l
tunnel-group 202.134.12.24 ipsec-attributes
pre-shared-key *
tunnel-group goipgroup type ipsec-ra
tunnel-group goipgroup general-attributes
address-pool remote_ip_pool
tunnel-group goipgroup ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
class-map vocable
match access-list vocable
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sip_tcp
inspect sip
policy-map vocable
class vocable
police 4000000 2000
class class-default
police 2000000 2000
!
service-policy global_policy global
service-policy vocable interface outside
ntp server 195.43.74.123 source outside prefer
Cryptochecksum:8d76dde60ef1c320f9d4895d639c6d5e
: end
GOIP-FW-SPECTRANET#
GOIP-FW-SPECTRANET-2# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname GOIP-FW-SPECTRANET-2
enable password ezaMyFFEuoF0dAEd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 103.6.119.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.3.5 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network vocable-vpn
network-object 192.168.11.170 255.255.255.255
network-object 192.168.11.160 255.255.255.255
network-object 192.168.11.162 255.255.255.255
network-object 10.16.26.73 255.255.255.255
network-object 10.16.22.99 255.255.255.255
network-object 202.134.12.6 255.255.255.255
access-list internet extended permit ip any any
access-list out-in extended permit ip any host 103.6.119.13
access-list out-in extended permit ip any host 103.6.119.14
access-list out-in extended permit ip any host 103.6.119.15
access-list out-in extended permit ip any host 103.6.119.16
access-list out-in extended permit ip any host 103.6.119.17
access-list out-in extended permit ip any host 103.6.119.18
access-list out-in extended permit ip any host 103.6.119.19
access-list out-in extended permit ip any host 103.6.119.20
access-list out-in extended permit ip any host 103.6.119.21
access-list out-in extended permit ip any host 103.6.119.22
access-list out-in extended permit ip any host 103.6.119.23
access-list out-in extended permit ip any host 103.6.119.24
access-list out-in extended permit ip any host 103.6.119.11
access-list out-in extended permit ip any host 103.6.119.12
access-list out-in extended permit ip any host 103.6.119.25
access-list out-in extended permit ip any host 103.6.119.26
access-list out-in extended permit ip any host 103.6.119.27
access-list out-in extended permit ip any host 103.6.119.28
access-list out-in extended permit ip any host 103.6.119.29
access-list inside_nat0_outbound extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list outside_cryptomap_20_1 extended permit ip host 172.17.2.109 object-group vocable-vpn
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list internet
static (inside,outside) 103.6.119.13 172.17.2.109 netmask 255.255.255.255
static (inside,outside) 103.6.119.14 172.17.2.108 netmask 255.255.255.255
static (inside,outside) 103.6.119.15 172.17.2.103 netmask 255.255.255.255
static (inside,outside) 103.6.119.16 172.17.2.115 netmask 255.255.255.255
static (inside,outside) 103.6.119.17 172.17.2.110 netmask 255.255.255.255
static (inside,outside) 103.6.119.18 172.17.2.111 netmask 255.255.255.255
static (inside,outside) 103.6.119.19 172.17.2.113 netmask 255.255.255.255
static (inside,outside) 103.6.119.20 172.17.2.107 netmask 255.255.255.255
static (inside,outside) 103.6.119.21 172.17.2.112 netmask 255.255.255.255
static (inside,outside) 103.6.119.22 172.17.2.19 netmask 255.255.255.255
static (inside,outside) 103.6.119.23 172.17.2.106 netmask 255.255.255.255
static (inside,outside) 103.6.119.24 172.17.2.114 netmask 255.255.255.255
static (inside,outside) 103.6.119.11 172.17.2.117 netmask 255.255.255.255
static (inside,outside) 103.6.119.12 172.17.2.118 netmask 255.255.255.255
static (inside,outside) 103.6.119.25 172.17.2.120 netmask 255.255.255.255
static (inside,outside) 103.6.119.26 172.17.2.123 netmask 255.255.255.255
static (inside,outside) 103.6.119.27 172.17.2.15 netmask 255.255.255.255
static (inside,outside) 103.6.119.28 172.17.2.130 netmask 255.255.255.255
static (inside,outside) 103.6.119.29 172.17.2.116 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 103.6.119.1 1
route inside 172.17.0.0 255.255.0.0 172.17.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username sanjeev password inD903e/KN5gofHS encrypted privilege 7
username praful password TEzhJ7QU1N69uu44 encrypted privilege 15
username sandeep password 3RPLe5XLRun5d2eR encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set peer 202.134.12.24
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 202.134.12.24 type ipsec-l2l
tunnel-group 202.134.12.24 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:a8238e3b6b190d90bfb0d25ea1e09f50
: end
GOIP-FW-SPECTRANET-2#
10-25-2012 06:01 AM
Hi Sanjeev,
Please check this out and adjust your settings:
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
Let me know if you have any questions.
HTH.
Portu.
Please rate any helpful posts
10-25-2012 10:17 PM
Hi Portu,
Thanks for this document.
My query is: I have two WAN IPs for outside and two LAN subnets for inside, and a few existing IPsec tunnels also need to be shifted. So my confusion is about the LAN subnets. How do I manage two LAN subnets?
Sanjeev
10-26-2012 03:35 AM
First check how many physical ports you have in your firewall,
then assign both the ISPs to each interface,
and for the LAN side also give two interfaces.... and use the command "same-security-traffic permit intra-interface",
which will allow both the LAN networks to work for you.
You can do this configuration for the LAN side through ASDM, which will be easier.
10-26-2012 06:06 AM
Sanjeev,
As mentioned by Shine, all you need is:
1- Create two interfaces for each subnet:
INSIDE1
Subnet 1 --------------------------------->
ASA Failover pair
Subnet 2 --------------------------------->
INSIDE2
* To route between the two networks you can use the "same-security-traffic permit inter-interface" as long as they share the same security level.
2- Move the two networks to a SW / Router and have a single interface on the ASA:
INSIDE1
Subnet 1 ------------------------------->
SW / Router --> ASA Failover pair
Subnet 2 ------------------------------->
INSIDE2
* Internal routing is not handled by the ASA, the L3 device would take care of it.
On the other hand, for the two ISPs and the IPsec deployment I already provided the example in the first post.
Let me know if you have any further questions.
Portu.
Please rate any helpful posts.
Message was edited by: Javier Portuguez
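Putting Portu's option 1 together with the redundant-ISP example he linked in his first reply, the following is a configuration skeleton for the merged unit. It is an added example written for this page, not configuration from the thread or from Cisco's document. Everything beyond the addresses, routes and failover settings visible in the two posted configs is an assumption: the interface names backup, inside1 and inside2, VLAN IDs 10 and 20, every standby address, the access-list name NO-NAT-LAN, the SLA and track numbers, and the failover key placeholder. It assumes a four-port unit running 7.2(1) or later, because static route tracking (sla monitor / track) does not exist in the posted 7.0(8). The IPsec entries and most per-host statics and ACL lines from the two configs are left out; one static per ISP is kept to show which interface pair each one moves to.

```cisco
! Added example (not from the thread): one ASA carrying both ISP links and
! both LAN subnets, with the second unit as its Active/Standby peer.
! Assumed: 4-port unit on 7.2(1)+, names backup/inside1/inside2, VLANs 10/20,
! all standby addresses and the NO-NAT-LAN access-list are assumptions.
!
interface GigabitEthernet0/0
 description ISP1 (180.151.8.24/29, from the first posted config)
 nameif outside
 security-level 0
 ip address 180.151.8.26 255.255.255.248
! no standby address: nothing in the /29 is left unused by the posted config
!
interface GigabitEthernet0/2
 description ISP2 (103.6.119.0/24, from the second posted config)
 nameif backup
 security-level 0
 ip address 103.6.119.2 255.255.255.0 standby 103.6.119.3
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the LAN switch, one sub-interface per subnet
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside1
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside2
 security-level 100
 ip address 172.17.3.5 255.255.255.0 standby 172.17.3.6
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
! Option 1 from the reply above: both LANs sit at security-level 100, so
! traffic between them has to be permitted explicitly.
same-security-traffic permit inter-interface
!
! Primary default route is withdrawn when ISP1's gateway stops answering
! ICMP; the backup route (AD 254) then takes over.
sla monitor 123
 type echo protocol ipIcmpEcho 180.151.8.25 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 180.151.8.25 1 track 1
route backup 0.0.0.0 0.0.0.0 103.6.119.1 254
! the posted configs reach 172.17.0.0/16 via two different next hops;
! one unit can hold only one of them (assumed: via inside2)
route inside2 172.17.0.0 255.255.0.0 172.17.3.2 1
!
! LAN-to-LAN traffic must not be translated: exempt it on both sides.
access-list NO-NAT-LAN extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list NO-NAT-LAN extended permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside1) 0 access-list NO-NAT-LAN
nat (inside2) 0 access-list NO-NAT-LAN
!
! One PAT pool per ISP; each existing static moves to the interface pair
! its private host and public address belong to.
global (outside) 1 interface
global (backup) 1 interface
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside1,outside) 180.151.8.122 192.168.1.122 netmask 255.255.255.255
static (inside2,backup) 103.6.119.13 172.17.2.109 netmask 255.255.255.255
!
! Active/Standby pair over Gi0/3, as on the posted primary unit; the
! secondary unit carries only "failover lan unit secondary" plus the
! same failover link and key before it syncs this configuration.
failover
failover lan unit primary
failover lan interface fail GigabitEthernet0/3
failover key <SHARED-FAILOVER-KEY-PLACEHOLDER>
failover interface ip fail 1.1.1.1 255.255.255.0 standby 1.1.1.2
```

Two details in the posted configs need a decision before the merge: both units route 172.17.0.0/16 through a different inside next hop (192.168.1.1 on one, 172.17.3.2 on the other), and a single unit can hold only one of those routes, which is exactly what Portu's option 2 (an L3 switch in front of one inside interface) sidesteps; and the first unit's 180.151.8.24/29 has no address left for a standby IP, so the outside interface above is shown without one. Also worth not carrying across as-is: the posted management settings (ssh version 1, telnet, and ssh/http from 0.0.0.0 0.0.0.0 on the outside interface) should be tightened to ssh version 2 with the ssh and http lines limited to the management subnets on the merged unit.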