PAT problem with ASA5520

Unanswered Question
Apr 28th, 2008

I have a 5520 that is having issues. I have one Dynamic NAT for a few different inside networks to one public IP. Also, included in my block of public IPs I have a few static one-to-one NATs. The problem is I recently added another ISP. I configured one of my ASA interfaces with the IP the new ISP gave me. I created a PAT for ONE of my inside networks to that one new public IP. So basically I have two ISPs connected to my ASA: one for my normal network and one for a special VLAN. When I try to get out to the internet I can't. When I look at the logging on the ASA it is coming back "PORTMAP TRANSLATION CREATION FAILED". I have NAT CONTROL on. When I turn it off the portmap error goes away, but I still can't get out. Please... any suggestions?

rkalia1 Mon, 04/28/2008 - 06:51

This is a dual ISP scenario. You may have to use Policy-based routing (PBR) at the edge router for ISP1 and divert traffic meant to go through the ISP2 router. This is because the ASA can use only one default route to the outside. Connect the ISP2 router also on the same outside segment as the ISP1 router. Use VLANs on the ASA outside interface. You will also have to route the return traffic properly on the ISP routers.

cowetacoit Mon, 04/28/2008 - 07:27

I have a Cisco 4506 as my core > ASA5520 > FAST HUB > Edge Router to ISP1. We added a second ISP. That router is physically someplace else, but I have it on a layer 2 VLAN trunked back to the data center. It is like it is plugged into the ASA. Can you please elaborate on how to set this up a little more? I'm confused about the default route going to my edge router. I have one subnet that is accessed by the public, and I need it to go through the new ISP. That's it. ISP2 isn't a backup or there for redundancy.

rkalia1 Mon, 04/28/2008 - 10:20

You can try the following. I have not tried it yet.

1) Connect the ISP2 router also on the FAST HUB.

2) Don't use another interface on the ASA for ISP2.

3) On the ISP1 router create a trunk, i.e. make 2 sub-interfaces on the FastEthernet. One sub-int should have an IP in the ISP1 range and the other in the ISP2 range.

4) On the ASA create two logical VLAN interfaces with nameif OUTSIDE1 and nameif OUTSIDE2. Give a public IP to the OUTSIDE1 int in the ISP1 range and the other in the ISP2 range.

5) PAT/NAT your new VLAN to the OUTSIDE2 IP.

6) Now on the ISP1 router create a route map to divert the traffic coming from the ASA with source IP PATed to the ISP2-range IP to the ISP2 router's ethernet interface.

7) Apply this route map on the appropriate FastEthernet sub-int (with IP in the ISP2 range) on the ISP1 router.

8) Put a route on the ISP1 router for any traffic having a destination IP in the range of the ISP2 router to send it to the OUTSIDE2 interface of the ASA. This is for the return traffic coming from the ISP2 side.

9) Put a route on the ISP2 router to send all traffic with a destination IP in the range of ISP2 to the ISP1 router's FastEthernet sub-int having an IP in the range of ISP2.

For this you will have to create the VLANs on the FAST HUB too and assign the appropriate ports to those VLANs for the ISP1 and ISP2 routers and also the ASA.

Looks like crazy stuff. But it might work. I don't know of anybody yet who has tried working with 2 ISPs on an ASA with both links being used at the same time.
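A worked configuration for the design sketched above, added here as an illustration; it is not taken from either poster and neither of them has confirmed it. It keeps step 2 (a single outside interface on the ASA), steps 6 and 7 (PBR on the ISP1 router keyed on the PATed source address) and the return routes of steps 8 and 9. It deliberately does not build the second OUTSIDE2 VLAN interface of step 4: the ASA of that era has no policy routing, picks the egress interface by a destination route lookup and holds one default route, so a flow from the special VLAN would be routed out the ISP1 interface, where NAT id 2 has no global, and the translation would fail the same way the original post describes. Instead the ISP2-range PAT address is configured as a global on the existing outside interface and the ISP1 router routes that address back to the ASA. Syntax is the pre-8.3 nat/global form in use in 2008; all addresses (10.x.x.x inside, 203.0.113.0/29 for ISP1, 198.51.100.0/29 for ISP2, 192.0.2.0/30 between the two routers), interface names and the ACL/route-map names are assumptions, as is a point-to-point link between the ISP routers.

```cisco
! ===== ASA 5520 (pre-8.3 nat/global syntax) =====
! Assumed addressing: inside 10.0.0.0/24 towards the 4506 core (core at 10.0.0.2),
! ordinary user networks 10.1.0.0/24 and 10.2.0.0/24, special VLAN 10.99.0.0/24,
! ISP1 block 203.0.113.0/29, ISP2 block 198.51.100.0/29.
nat-control
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Existing ISP1 translations: several inside networks PAT to one ISP1 address,
! plus a one-to-one static in the ISP1 block.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 1 10.2.0.0 255.255.255.0
global (outside) 1 203.0.113.3
static (inside,outside) 203.0.113.4 10.1.0.4 netmask 255.255.255.255
!
! Special VLAN: PAT to an address out of ISP2's block. It is a global on the
! SAME outside interface the default route uses, so the egress lookup and the
! NAT id 2 lookup agree and the xlate can be created.
nat (inside) 2 10.99.0.0 255.255.255.0
global (outside) 2 198.51.100.2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.255.0 10.0.0.2 1
route inside 10.2.0.0 255.255.255.0 10.0.0.2 1
route inside 10.99.0.0 255.255.255.0 10.0.0.2 1

! ===== ISP1 edge router (IOS): steps 6, 7 and 8 =====
interface FastEthernet0/0
 description towards the hub and the ASA outside interface
 ip address 203.0.113.1 255.255.255.248
 ip policy route-map TO-ISP2
!
interface FastEthernet0/1
 description link to the ISP2 router (assumed point-to-point)
 ip address 192.0.2.1 255.255.255.252
!
! Step 6: packets arriving from the ASA already PATed to the ISP2-range address
ip access-list extended FROM-ISP2-PAT
 permit ip host 198.51.100.2 any
!
! Step 7: policy-route only those packets to the ISP2 router; everything else
! (ISP1-range sources) follows the normal default route to ISP1.
route-map TO-ISP2 permit 10
 match ip address FROM-ISP2-PAT
 set ip next-hop 192.0.2.2
!
! Step 8: replies to the ISP2-range address come back from the ISP2 router and
! must be handed to the ASA, which untranslates them against its PAT xlate.
ip route 198.51.100.2 255.255.255.255 203.0.113.2

! ===== ISP2 router (IOS): step 9 =====
! Its default route towards the ISP2 upstream is assumed to exist already.
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.252
!
ip route 198.51.100.2 255.255.255.255 192.0.2.1
```

To check the two halves independently: `show xlate` on the ASA should show 10.99.0.x hosts translated to 198.51.100.2 once they send traffic (if it shows nothing, the NAT side is still failing), and `show route-map TO-ISP2` on the ISP1 router reports how many packets the policy matched, which separates an ASA translation problem from a router steering problem.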
