Cisco ASA 8.3(2) Dual ISP nat problem?

    I have an ASA 5505 on version 8.3(2). Everything is running great. Now I'm being asked to add a backup internet line to the ASA so that if the primary internet goes down, we will fail over to the backup.

    Sounds easy. I followed instructions that look like this (example code):

    ASA5505(config)# interface ethernet 0/0
    ASA5505(config-if)# switchport access vlan 2
    ASA5505(config-if)# no shutdown

    ASA5505(config)# interface ethernet 0/1
    ASA5505(config-if)# switchport access vlan 1
    ASA5505(config-if)# no shutdown

    ASA5505(config)# interface ethernet 0/2
    ASA5505(config-if)# switchport access vlan 3
    ASA5505(config-if)# no shutdown

    ASA5505(config)# interface vlan 1
    ASA5505(config-if)# nameif inside
    ASA5505(config-if)# security-level 100
    ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
    ASA5505(config-if)# no shutdown

    ASA5505(config)# interface vlan 2
    ASA5505(config-if)# nameif primary-isp
    ASA5505(config-if)# security-level 0
    ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
    ASA5505(config-if)# backup interface vlan 3
    ASA5505(config-if)# no shutdown

    ASA5505(config)# interface vlan 3
    ASA5505(config-if)# nameif backup-isp
    ASA5505(config-if)# security-level 1
    ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
    ASA5505(config-if)# no shutdown

    ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
    ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

    And implemented them. However, it appears that when we unplug the primary internet, traffic goes out, but it doesn't come back in. I'm thinking maybe it's a NAT problem? I don't have any firewall rules or NAT rules set for the backup ISP connection, only the primary, but I'm not seeing anywhere that I need them.

    If I plug the primary internet connection back in, the internet works just fine, so the primary link is still working. I've also verified that the backup line works, and we have the right IP information etc.

    Can anyone help shed some light on my conundrum?

  • #2
    Re: Cisco ASA 8.3(2) Dual ISP nat problem?

    Are you directly connected to the ISP modem/router or are you going through a switch?

    A better option would be to set up an IP SLA with advanced object tracking.


    route outside 0.0.0.0 0.0.0.0 100.100.100.2 track 1
    route outside 0.0.0.0 0.0.0.0 200.200.200.2 200

    sla monitor 10
    type echo protocol ipIcmpEcho 100.100.100.2 interface outside
    num-packets 2
    frequency 10

    sla monitor schedule 10 life forever start-time now

    track 1 rtr 10 reachability

    global (outside) 1 interface
    global (backup-isp) 1 interface


    This will ping the primary ISP upstream device every 10 seconds. If that device isn't reachable, the primary static route is withdrawn and the backup static route is entered in the routing table.

    As far as it being a NAT issue, I don't see the full config, so I can't tell if it's a config issue.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco ASA 8.3(2) Dual ISP nat problem?

      Auglan thank you for the reply.

      We directly connect into both ISP devices (both are fiber connections, so I'm not sure what the appropriate technical term for it is). We don't do anything fancy to utilize them, as it's a CAT 5 connection with static IPs.

      I will certainly try what you have posted. I had something like that before, but I think I was missing a few commands. I do know that the "global" command is deprecated in 8.3, which has made searching for examples of this kind hard, as that is more common. I know the other commands work. I will try those tomorrow (Thursday) night in our maintenance window and post back my results.

      Also correct me if this is wrong, but if I change this command:

      type echo protocol ipIcmpEcho 100.100.100.2 interface outside

      To something like this (Google DNS):

      type echo protocol ipIcmpEcho 8.8.8.8 interface outside

      That would give a bit more of a holistic view of the connection being "down" rather than just looking at the ISP's gateway. Is that correct? I would guess this would also then open me up to other problems, such as if Google's DNS went down it would fail over for potentially no reason, but I wanted to verify I'm understanding the command correctly.

      I guess the part I really don't understand is with a single ISP, you have to set access rules, NAT, etc. Does the ASA just substitute the second connection in those rules for the first if the first ISP is dropped in this configuration? I would think I would need rules for the secondary connection as well, as it is a completely different provider and static IP address.

      Thanks again



      • #4
        Re: Cisco ASA 8.3(2) Dual ISP nat problem?

        You could use Google DNS as a reference point but I would just use the ISP next hop.

        Yeah, those commands are pre-8.3. They made a bunch of changes with 8.3; it's almost like learning NAT all over again.

        Yes, with the second global to the other ISP, once that static route to the primary gets withdrawn and the backup route gets inserted, it would NAT/PAT off the second global. Just need to figure out an equivalent command for 8.3.



        • #5
          Re: Cisco ASA 8.3(2) Dual ISP nat problem?

          One more question. In the example, you have:

          route outside 0.0.0.0 0.0.0.0 100.100.100.2 track 1
          route outside 0.0.0.0 0.0.0.0 200.200.200.2 200

          "outside" is the interface name, but I'm double-checking this is correct. In the example I had found, they had:

          ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
          ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

          Which entails that you have a route for each interface. In your example you have two different routes on the same interface. Is that the difference in the sla monitor command vs what I was doing? If so that is probably the original problem I had, as I don't think I had the route set up on the same interface.

          Thanks



          • #6
            Re: Cisco ASA 8.3(2) Dual ISP nat problem?

            Sorry, it should have been this:

            route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 track 1
            route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 200


            • #7
              Re: Cisco ASA 8.3(2) Dual ISP nat problem?

              Auglan, you get the prize. With the change of the global commands to match the 8.3(2) commands, it's working flawlessly.

              Here's what the code looks like in 8.3, where primary-isp and secondary-isp are the two interfaces the internet connections are plugged into:

              route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 track 1
              route secondary-isp 0.0.0.0 0.0.0.0 200.200.200.2 200

              sla monitor 10
              type echo protocol ipIcmpEcho 100.100.100.2 interface primary-isp
              num-packets 2
              frequency 10

              sla monitor schedule 10 life forever start-time now

              track 1 rtr 10 reachability

              nat (inside,primary-isp) source dynamic any interface
              nat (inside,secondary-isp) source dynamic any interface


              I think what I had been missing was the NAT command, and I was missing that due to not converting the "global" commands from pre-8.x to the nat commands above.

              Again - thank you very much for your help. My headache is going away now ....
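              As an added example that is not part of the thread, the following Python lint reproduces the gap the original poster hit: in 8.3, every interface used as a default-route egress needs its own dynamic NAT rule, and a tracked route needs a matching `track` and `sla monitor`. The two config fragments are constructed from the commands posted above (the first attempt and the working version).

```python
import re
# Constructed ASA 8.3 fragments modelled on the thread: the first attempt (NAT
# only toward the primary ISP) and the working config from the final post.
BROKEN_CFG = """
route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
nat (inside,primary-isp) source dynamic any interface
"""

WORKING_CFG = """
route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 track 1
route secondary-isp 0.0.0.0 0.0.0.0 200.200.200.2 200
sla monitor 10
 type echo protocol ipIcmpEcho 100.100.100.2 interface primary-isp
track 1 rtr 10 reachability
nat (inside,primary-isp) source dynamic any interface
nat (inside,secondary-isp) source dynamic any interface
"""

# route <if> 0.0.0.0 0.0.0.0 <gw> [metric] [track <id>]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)(?:\s+(\d+))?(?:\s+track\s+(\d+))?\s*$")
NAT_RE = re.compile(r"^nat\s+\(\S+,(\S+)\)\s+source\s+dynamic\s+\S+\s+interface")
TRACK_RE = re.compile(r"^track\s+(\d+)\s+rtr\s+(\d+)\s+reachability")
SLA_RE = re.compile(r"^sla\s+monitor\s+(\d+)\s*$")

def check_failover_config(cfg: str) -> list[str]:
    """Return a list of findings for a dual-ISP ASA config; empty means no gaps found."""
    routes, nat_ifaces, tracks, slas = [], set(), {}, set()
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            routes.append((m.group(1), m.group(4)))  # (egress interface, track id or None)
        elif m := NAT_RE.match(line):
            nat_ifaces.add(m.group(1))               # interfaces that have dynamic PAT
        elif m := TRACK_RE.match(line):
            tracks[m.group(1)] = m.group(2)          # track id -> sla monitor id
        elif m := SLA_RE.match(line):
            slas.add(m.group(1))
    findings = []
    if len(routes) < 2:
        findings.append("fewer than two default routes: no failover path configured")
    for iface, track_id in routes:
        if iface not in nat_ifaces:
            findings.append(f"no dynamic NAT rule for egress {iface}: return traffic is not translated after failover")
        if track_id and track_id not in tracks:
            findings.append(f"route references track {track_id} but no 'track {track_id} rtr ... reachability' exists")
        elif track_id and tracks[track_id] not in slas:
            findings.append(f"track {track_id} references undefined sla monitor {tracks[track_id]}")
    if not any(t for _, t in routes):
        findings.append("no default route uses 'track': primary route is only withdrawn if the interface goes down")
    return findings
```

Run against `BROKEN_CFG` it flags the missing NAT rule for `backup-isp` and the untracked primary route; against `WORKING_CFG` it returns no findings.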



              • #8
                Re: Cisco ASA 8.3(2) Dual ISP nat problem?

                Glad you got it worked out.