
DMZ loses Internet access when using Backup Interface


  • DMZ loses Internet access when using Backup Interface

    Hi,
    An ASA 5505 uses a Backup Interface when the ISP goes down (quite often).

    That works just fine for the Inside interface, but the DMZ loses its Internet connection while the Backup Interface is in use.

    What am I missing?

    This is the running config:

    Best regards Steffen

    !
    ! NOTE(review): sanitized running config of an ASA 5505 (ASDM 5.2(4) image, see 'asdm image' below).
    ! Primary uplink: Vlan2/outside over PPPoE. Backup uplink: Vlan13/ICE on a static 192.168.10.0/24 LAN.
    hostname ciscoasa
    domain-name DOMAIN.local
    ! Secrets are masked in this paste. Even 'encrypted' hashes from a real box should not be posted publicly.
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    ! Server1 is the only host published through the static PAT entries further down (SBS 2003 is long out of support).
    name 192.168.0.150 Server1 description SBS 2003 Server
    name xxx.yyy.187.20 IP_outside
    ! IP_ICE lives in 192.168.10.0/24 -- the same range later used by 'ip local pool VPNPool'; see the note there.
    name 192.168.10.10 IP_ICE
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan2
    description Direct Connect
    ! The backup VLAN only passes traffic while the default route through this interface is down; that is why
    ! the tracked default route (sla monitor 123 / track 1) and the metric-254 route via ICE below are required.
    backup interface Vlan13
    nameif outside
    security-level 0
    pppoe client vpdn group PPPoE_DirectConnect
    ip address IP_outside 255.255.255.255 pppoe
    !
    interface Vlan3
    ! Level 50: dmz may initiate to outside/ICE (level 0) but not to inside (level 100) without an explicit ACL.
    nameif dmz
    security-level 50
    ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan13
    description Backupnett ICE
    ! Both uplinks are security-level 0 and 'same-security-traffic permit inter-interface' is set below, so
    ! outside<->ICE transit is allowed by the level model; the inbound ACLs on both interfaces only permit traffic
    ! to the interface addresses, which is what actually stops such transit -- NOTE(review): keep it that way.
    nameif ICE
    security-level 0
    ip address IP_ICE 255.255.255.0
    !
    ! Physical port mapping: 0/0 = primary ISP, 0/1 = backup ISP, 0/6-0/7 = DMZ; all other ports are unassigned.
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 13
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    switchport access vlan 3
    !
    interface Ethernet0/7
    switchport access vlan 3
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    ! No name-server is configured in this group, so the ASA's own resolver is unused (irrelevant to the DHCP
    ! clients below, which get resolvers from 'dhcpd dns').
    dns server-group DefaultDNS
    domain-name DOMAIN.local
    ! inter-interface: needed because outside and ICE share security-level 0.
    ! intra-interface: hairpinning, e.g. VPN clients going back out the interface they came in on.
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ! Inbound exposure on the primary uplink: RWW (4125), PPTP, 444, SMTP, HTTPS, HTTP and FTP from 'any'.
    ! NOTE(review): the destination is written with a /30 mask instead of 'host IP_outside', so each line matches
    ! a 4-address block around the PPPoE address; 'host' is the tighter form. PPTP (MS-CHAPv2) and clear-text FTP
    ! open to the whole Internet are worth reconsidering -- the IPsec remote-access VPN below already exists.
    access-list outside_access_in remark For RWW
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 4125
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq pptp
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 444
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq smtp
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq https
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq www
    access-list outside_access_in extended permit icmp any IP_outside 255.255.255.252 echo-reply
    access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq ftp
    ! NOTE(review): this 'permit any' split-tunnel list is not referenced by any group-policy in this config
    ! (only DOMAIN_VPN_splitTunnelAcl is). A leftover 'permit any' list is a hazard if someone later attaches it;
    ! remove it.
    access-list DOMAINVPN_splitTunnelAcl standard permit any
    ! NAT exemption for 192.168.0.192/26. NOTE(review): this does not match VPNPool (192.168.10.210-225); VPN
    ! client addresses actually come from Server1's DHCP (tunnel-group 'dhcp-server'), so confirm that scope lies
    ! inside 192.168.0.192/26, otherwise VPN client traffic gets PATed instead of exempted.
    access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
    access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    ! Same published services on the backup uplink, minus FTP (there is also no (inside,ICE) static for ftp).
    access-list ICE_access_in extended permit tcp any host IP_ICE eq www
    access-list ICE_access_in extended permit tcp any host IP_ICE eq https
    access-list ICE_access_in extended permit tcp any host IP_ICE eq smtp
    access-list ICE_access_in extended permit tcp any host IP_ICE eq 444
    access-list ICE_access_in extended permit tcp any host IP_ICE eq pptp
    access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
    access-list ICE_access_in remark For RWW
    access-list ICE_access_in extended permit tcp any host IP_ICE eq 4125
    pager lines 24
    ! Logging only reaches live ASDM sessions, at 'warnings'. Nothing is buffered or sent to a syslog host, so
    ! track-state changes (the failovers being debugged here) and ACL denies leave no durable record.
    ! Consider 'logging buffered informational' and 'logging host inside <collector>' + 'logging trap informational'.
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu ICE 1500
    ! NOTE(review): this pool overlaps the ICE interface subnet (IP_ICE is 192.168.10.10/24). It is inert right now
    ! because 'no vpn-addr-assign local' is set and the tunnel-group uses 'dhcp-server Server1', but it would
    ! black-hole backup-link traffic the moment local address assignment is switched back on. Move it to an
    ! unused range or delete it.
    ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz
    monitor-interface ICE
    icmp unreachable rate-limit 1 burst-size 1
    ! Only the primary ISP's /24 may send ICMP to the outside address. No 'icmp permit' exists for ICE, and an
    ! interface without an ICMP control list accepts all ICMP addressed to it by default (interface ACLs do not
    ! govern traffic terminating on the ASA itself).
    icmp permit xxx.yyy.187.0 255.255.255.0 outside
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    ! Dynamic PAT pool 1 exists on both uplinks, so 'nat (inside) 1' and 'nat (dmz) 1' translate to whichever
    ! interface the current default route points at. Caveat of this design: translations built over outside stay
    ! in the xlate table ('timeout xlate 3:00:00') after the route flips, so existing flows must time out or be
    ! cleared ('clear xlate') before they work via ICE. NOTE(review): that affects inside and dmz alike, so it
    ! does not by itself explain why only the DMZ stays broken -- see the 'dhcpd dns' note further down.
    global (outside) 1 interface
    global (ICE) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.0.0 255.255.255.0
    ! Static PAT entries are paired per uplink so the published services survive a failover; FTP is only
    ! published on outside (and only permitted in outside_access_in).
    static (inside,ICE) tcp interface 4125 Server1 4125 netmask 255.255.255.255
    static (inside,outside) tcp interface 4125 Server1 4125 netmask 255.255.255.255
    static (inside,ICE) tcp interface 444 Server1 444 netmask 255.255.255.255
    static (inside,outside) tcp interface 444 Server1 444 netmask 255.255.255.255
    static (inside,ICE) tcp interface pptp Server1 pptp netmask 255.255.255.255
    static (inside,outside) tcp interface pptp Server1 pptp netmask 255.255.255.255
    static (inside,ICE) tcp interface smtp Server1 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface smtp Server1 smtp netmask 255.255.255.255
    static (inside,ICE) tcp interface https Server1 https netmask 255.255.255.255
    static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
    static (inside,ICE) tcp interface www Server1 www netmask 255.255.255.255
    static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
    static (inside,outside) tcp interface ftp Server1 ftp netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group ICE_access_in in interface ICE
    ! The primary default route is withdrawn when track 1 (ICMP echo to xxx.yyy.187.1) fails, letting the
    ! metric-254 route via ICE take over. Note that xxx.yyy.187.1 is also the first DNS server handed to the DMZ
    ! ('dhcpd dns' below): once this route is gone, DMZ resolvers are only reachable, if at all, via the backup ISP.
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.187.1 1 track 1
    route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    ! ASDM/HTTPS management is reachable from the whole inside /24; restrict it to an admin host or jump box.
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    ! Traps are enabled but no 'snmp-server host' appears in this paste, so they are not delivered anywhere.
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Reachability probe behind track 1: 3 ICMP echoes every 10 s to the PPPoE gateway. This only tests the first
    ! hop; an ISP outage beyond that gateway will not trigger failover. Probing a stable address further out does.
    sla monitor 123
    type echo protocol ipIcmpEcho xxx.yyy.187.1 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    ! Remote-access IPsec: 3DES / SHA-1 / DH group 2, PFS group 1, pre-shared key. These were the ASDM defaults
    ! of the day and are all considered weak now; prefer AES, SHA-2 and DH group 14 or better where the
    ! platform/client allows it.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    ! The crypto map and ISAKMP are bound to outside only, so the remote-access VPN is unavailable while the
    ! firewall runs on the backup link.
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    track 1 rtr 123 reachability
    ! Local pool assignment is off; VPN addresses come from the tunnel-group's dhcp-server (Server1).
    no vpn-addr-assign local
    telnet timeout 5
    ssh timeout 5
    ! No 'telnet'/'ssh' permit lines are in this paste, so CLI management is console-only (plus ASDM).
    ! 'console timeout 0' never logs an idle console session out.
    console timeout 0
    management-access inside
    ! PPPoE authenticates with PAP, i.e. the ISP credentials travel in clear text on the access link; use CHAP
    ! if the provider supports it.
    vpdn group PPPoE_DirectConnect request dialout pppoe
    vpdn group PPPoE_DirectConnect localname DOMAINas
    vpdn group PPPoE_DirectConnect ppp authentication pap
    vpdn username DOMAINas password *********
    ! auto_config reuses DNS/WINS/domain learned on the outside PPPoE session for the ASA's DHCP server; the
    ! explicit 'dhcpd dns ... interface dmz' below overrides that for the dmz scope.
    dhcpd auto_config outside
    !
    dhcpd address 10.0.0.10-10.0.0.39 dmz
    ! NOTE(review): the DMZ resolvers are addresses in the primary ISP's range (xxx.yyy.187.1 is the tracked
    ! gateway itself). When the outside default route is withdrawn, queries to them leave via ICE -- if they are
    ! answered at all; ISP resolvers usually only serve their own customers. Inside clients are presumably not hit
    ! because they resolve through Server1 (the VPN group-policy hands out 192.168.0.150 as DNS). This is the most
    ! likely reason the DMZ "loses Internet" on failover: verify with nslookup from a DMZ host while on the backup
    ! link, then hand out a resolver reachable on both paths (Server1 if it forwards, or a public resolver).
    dhcpd dns xxx.yyy.187.1 xxx.yyy.187.2 interface dmz
    dhcpd lease 6000 interface dmz
    dhcpd enable dmz
    !

    ! Unauthenticated NTP from a single public server, sourced from outside only -- time sync is also lost while
    ! on the backup link. Consider a second server and 'ntp authenticate' if the servers support it.
    ntp server 64.0.0.2 source outside
    group-policy DOMAIN_VPN internal
    group-policy DOMAIN_VPN attributes
    ! VPN clients resolve via Server1 and only tunnel 192.168.0.0/24 (split tunnel); everything else leaves the
    ! client untunneled, which is the usual trade-off against a full tunnel.
    dns-server value 192.168.0.150
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
    default-domain value DOMAIN.local
    vpn-group-policy DOMAIN_VPN
    tunnel-group DOMAIN_VPN type ipsec-ra
    tunnel-group DOMAIN_VPN general-attributes
    default-group-policy DOMAIN_VPN
    ! Client addresses come from Server1's DHCP, not from VPNPool ('no vpn-addr-assign local' above).
    dhcp-server Server1
    tunnel-group DOMAIN_VPN ipsec-attributes
    ! Group pre-shared key (masked). A PSK shared by every remote user cannot be revoked per person when one
    ! laptop is lost; certificates can.
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    ! 'match any': the IM inspection below is applied to all traffic on the interface it is bound to (inside).
    class-map imblock
    match any
    ! Only TCP/80 is fed to the HTTP inspection policy; P2P/IM over other ports or inside HTTPS is not seen by it.
    class-map P2P
    match port tcp eq www
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map type inspect im impolicy
    parameters
    match protocol msn-im yahoo-im
    drop-connection log
    ! Default inspection set plus 'inspect pptp', which is required for the PPTP publication of Server1 (GRE).
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    ! URI regex matches for known P2P/IM clients; the regex definitions themselves are not in this paste.
    policy-map type inspect http P2P_HTTP
    parameters
    match request uri regex _default_gator
    drop-connection log
    match request uri regex _default_x-kazaa-network
    drop-connection log
    match request uri regex _default_msn-messenger
    drop-connection log
    match request uri regex _default_gnu-http-tunnel_arg
    drop-connection log
    policy-map IM_P2P
    class imblock
    inspect im impolicy
    class P2P
    inspect http P2P_HTTP
    !
    ! IM/P2P blocking is bound to inside only; DMZ hosts are not subject to it.
    service-policy global_policy global
    service-policy IM_P2P interface inside
    prompt hostname context

    : end