ASK THE EXPERTS: Configuring and Troubleshooting NAT and Failover on ASA Firewall

ciscomoderator (Community Manager)

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE certifications in Security (#22164).

Remember to use the rating system to let Amitashwa know if you have received an adequate response.

Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

49 Replies

dianewalker (Level 1)

Amitashwa,

We have two ASA 5540s. We are setting up Load Balancing (Active/Active). Load Balancing works great with the Cisco VPN client. However, is it possible to set up Load Balancing for Site-to-Site VPN?

Thank you.

Diane

Hi Diane,

Based on the description that you have provided, it is more of a question related to VPN load balancing rather than Active/Active failover on ASA. However, to answer your query, VPN load-balancing/clustering is only supported for remote access WebVPN and IPsec on ASA. It is unfortunately not supported for Site-to-Site VPN on ASA.

Let me know in case of further questions or concerns.

Regards,

Amitashwa

luismorales31 (Level 1)

Greetings,

We have two ISPs connected to an ASA 5510 and we have configured one as the primary and the other one as a backup. I'd like to know if there is a way that, with the ASA, we can do load balancing across both ISPs.

Thanks in advance,

Luis

Hi Luis,

Load balancing using dual ISPs is not possible on ASA platforms. However, you can still fail over to another ISP in the event your primary ISP fails, using the SLA monitoring feature on the ASA.

Here's a link which explains ISP fallback on ASA:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also, please refer to the link given below to understand the other options that you have in the case of dual ISPs on ASA:

https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have

Hope it helps. Let me know in case of any questions or concerns.

Regards,

Amitashwa

Mohamed Sobair (Level 7)

Hello Amitashwa,

I have the following two questions:

(1) I have an ASA firewall running code 7.2(3), Active/Standby setup. With this FW I have multiple zones, but my concern in this question is only about three zones.

From inside to outside, I have an IPsec tunnel with a client. My internal network is (172.19.25.0/24 - 172.20.168.0/22) and the client network is (172.17.5.0/24 & 172.17.6.0/24). The tunnel is active and both networks are reachable in both directions.

From the inside to (ASD_VPN), another zone, I have normal PAT. Some of my internal networks are able to reach network 10.254.0.0/16 using PAT; that is also OK.

My problem is that my client on the outside zone network (172.17.5.0/24) needs to reach network 10.254.0.0/16, which is located on the ASD_VPN zone, and I have not been able to get this reachability up. I have permitted and added (10.254.0.0/16) in the interesting traffic and nat (0), and have allowed and added the required permit statement in the outside access-list, yet without positive results.

What I exactly need is to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24.

Is this kind of scenario possible?

Please refer to my simple connectivity diagram and partial config I have attached.

(2) I need to have the SSL VPN client installed on this ASA. What I understood is that my current ASA version doesn't support the SSL VPN client. What is the exact code to implement this feature? What are the licensing categories for this feature? And please provide me with a reference document to set it up (other than using ASDM).

Appreciate your Answer,

Regards,

Mohamed

Hi Mohamed,

Please find the answers to your questions below:

1]

From the description that you have provided I understand that you want users on remote subnet 172.17.5.0/24 to be able to access subnet 10.254.0.0/16 across a L2L tunnel terminating on the outside interface of your ASA. Also, you want the remote subnet users to get PATted to the ASD_VPN interface IP before they can access the 10.254.0.0/16 subnet.

You can achieve the objective stated above by doing the following configuration on the ASA:

access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
nat (ASD_VPN) 0 access-list 101
nat (outside) 2 172.17.5.0 255.255.255.0 outside
global (ASD_VPN) 2 interface

However, you need to make sure that the traffic destined for the 172.16.5.0/24 subnet from 10.254.0.0/16 is part of the crypto ACL to the remote peer on the ASA, and the reverse of it is configured at the remote end.

Also, this traffic flow will only work when traffic is initiated from the remote subnet, i.e. 172.16.5.0/24, as it is getting PATted on the ASA. If you would like this traffic flow to work bidirectionally, then get rid of the "nat (outside)" statement from the configuration, which will in turn not PAT the traffic coming in from 172.17.5.0/24 to the ASD_VPN interface IP before going to the 10.254.0.0 subnet.

2] This question is outside the scope of this discussion; however, I will still answer your basic query on it. I would appreciate it if you could raise further questions on it in the VPN forum on CSC.

ASA 7.2.3 does support the SSL VPN client in full mode; however, it does not support AnyConnect VPN. AnyConnect is supported from 8.x. Please refer to the link given below to check the SSL VPN client configuration on ASA 7.x:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/svc.html

By default, Cisco provides a two-user complimentary SSL VPN license on all supported ASA devices. However, you will have to purchase a license if you want more SSL users to be supported on the ASA.

Hope this helps.

Regards,

Amitashwa

Amitashwa,

1) I have actually tried what you suggested before, but with no positive result.

I am not allowing bidirectional communication through PAT; the traffic should always be initiated from my ASA. However, using packet tracer shows the packet flow, but the packet is being dropped due to (IPsec Spoof detected).

Still my question remains: my IPsec tunnel is over the Internet, so the client 172.17.5.0 traffic is encrypted when it reaches my internal network, while I am PATting my internal & outside network 172.17.5.0/24 to the client 10.254.0.0/16.

As I said, the packet tracer shows no deny for any rule, but the traffic is still being dropped and the reason is (IPsec spoof detected).

Do you have any suggestion for this result?

2) For the second question, thanks for your input.

Regards,

Mohamed

Hi Mohamed,

I understand that you have the following setup with a L2L tunnel between the ASA and the remote peer:

         inside       outside
       ---------ASA -------------------Internet ---------------------------Remote Peer ----------------172.17.5.0/24
                  | ASD_VPN
                  |
               10.254.0.0/16

And here is what you want to achieve:

"What I exactly need is to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24."

I would appreciate it if you could provide me the following information to help you further:

1] When you say that you want to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, what exactly do you mean? Do you mean to say that you want the decrypted traffic (from the 172.17.5.0/24 subnet to 10.254.0.0/16) to get PATted to the ASD_VPN interface before it actually gets to the 10.254.0.0/16 subnet?

2] When you say "...and vice versa for the return path, I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24", I understand that you only want this traffic to go through the tunnel to the remote side. Correct me if I have misunderstood anything here.

3] Output of the packet tracer command from the ASA.

4] Output of "show cry isa sa" and "show crypto ipsec sa peer

Thanks,

Amitashwa

Hi Amitashwa,

I am attaching here the output of what you have requested, including the packet tracer output from both the OUTSIDE and ASD_VPN interfaces.

With regard to your questions:

1) Your understanding is correct.

2) Your understanding is correct.

Just one note: the traffic flow should always be initiated from the client 172.17.5.0/24 to network 10.254.0.0/16. However, it is still not getting positive results.

Regards,

Mohamed

Hi Mohamed,

Packet tracer is not the right way to test this traffic flow, as the packet generated using it would be clear text from outside to ASD_VPN, and this might result in the IPSEC SPOOF detected message. Therefore I would like you to actually do a ping from 172.17.5.0/24 to 10.254.0.0/16 to test the connectivity. Also, if my understanding of the problem is correct, then the commands that I suggested earlier are the only ones that we need to achieve the desired result.

Please let me know if you have the following command configured on the ASA:

nat (outside) 2 172.17.5.0 255.255.255.0 outside -- the "outside" keyword at the end is important here

Regards,

Amitashwa

Amitashwa,

As soon as I type the command you are proposing, nat (outside) 2 172.17.5.0 255.255.255.0 outside, I lose connection to the peer.

I mean the IPsec tunnel is still active; however, no traffic (pings, for example) for any of the interesting traffic to network 172.17.5.0/24 works AT ALL. So the traffic gets dropped.

When I remove it, all traffic gets back to normal.

Any Clue,

Regards,

Mohamed

Mohamed,

Do you see any syslog related to "translation failed" after applying the proposed NAT command? Try using this NAT command instead and let me know how it goes:

access-list 101 permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0
nat (outside) 2 access-list 101 outside

Regards,

Amit

Amit,

With the ACL associated with NAT, it worked like a charm!!! I just have one question for you:

1- I had tried nat (outside) 2 172.17.5.0 255.255.255.0 before, without adding the "outside" keyword at the end, and thought it should bring up the connection, but it didn't. So the question is: what does the (outside) keyword actually do at the end of this nat statement?

For the ACL NAT, I realized that doing it with the network form would NAT all traffic sourced from network 172.17.5.0/24 coming from outside regardless of its destination, which in the end results in the IPsec spoof and the firewall drops the packet.

Thanks for your time to answer my question,

BTW, I have given you full rate as deserved.

Regards,

Mohamed

Mohamed,

It is good to know that everything has started working for you now.

The "nat" command up to 8.2 is only used to translate the source and is always applied on the higher security level interface of the firewall. However, when we want to translate the source of traffic going from a low to a high security level, that is when we need to apply the nat command with the "outside" keyword to the low security level interface, along with a corresponding "global" command on the high security level interface. Since in your case the requirement was to translate the source of the decrypted traffic going from low to high security level, we needed this keyword along with the nat command.

Also, when we were not using the ACL with the "nat outside" command, it was looking to translate any traffic sourced from 172.17.5.0 to anywhere on the inside, and since we did not have a matching "global (inside) 2" command applied on the inside interface, this traffic was getting dropped on the firewall.

Regards,

Amit
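Added illustration, not part of this thread and not Cisco code: a small Python model of the pre-8.3 ASA nat/global lookup that Amit describes above, run over the three configurations this exchange went through (the first "nat (outside) 2 <network> outside" attempt, the ACL-bound version that fixed it, and the variant without the "outside" keyword). It covers both the configuration from Amitashwa's first answer and the explanation in the last one. Everything not shown in the thread is assumed: the interface security levels (inside 100, ASD_VPN 50, outside 0), the host addresses used for the test flows, and two modelling simplifications (nat-control is off, the ASA default, so an unmatched flow passes untranslated; a nat statement applies low-to-high only with "outside" and high-to-low only without it).

```python
"""Pre-8.3 ASA nat/global lookup model. Constructed example, not Cisco code;
nat-control assumed disabled (ASA default); interface names, security levels
and hosts are assumed, since the thread does not show them."""
import ipaddress
import re
from collections import namedtuple

# iface: interface in nat (iface); nat_id 0 = exemption; acl for policy/exempt
# NAT; network for regular NAT; outside = trailing "outside" keyword present
NatRule = namedtuple("NatRule", "iface nat_id acl network outside")
AsaConfig = namedtuple("AsaConfig", "levels acls nats globals_")


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Read nameif/security-level, access-list, nat and global lines."""
    cfg, current = AsaConfig({}, {}, [], set()), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            current = m[1]
        elif m := re.match(r"security-level (\d+)$", line):
            cfg.levels[current] = int(m[1])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, s, sm, d, dm = m.groups()
            cfg.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)( outside)?$", line):
            cfg.nats.append(NatRule(m[1], int(m[2]), m[3], None, bool(m[4])))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)( outside)?$", line):
            cfg.nats.append(NatRule(m[1], int(m[2]), None, _net(m[3], m[4]), bool(m[5])))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg.globals_.add((m[1], int(m[2])))
    return cfg


def _acl_permits(cfg, name, src, dst):
    return any(src in s and dst in d for s, d in cfg.acls.get(name, []))


def nat_lookup(cfg, src, dst, ingress, egress):
    """Describe what the lookup does to one flow entering on ingress, leaving on egress."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    low_to_high = cfg.levels[ingress] < cfg.levels[egress]
    # Candidates: nat statements on the ingress interface whose "outside"
    # keyword agrees with the direction of the flow (low-to-high needs it).
    rules = [r for r in cfg.nats if r.iface == ingress and r.outside == low_to_high]
    policy = [r for r in rules if r.acl and _acl_permits(cfg, r.acl, src_ip, dst_ip)]
    if any(r.nat_id == 0 for r in policy):   # 1. nat 0 access-list wins
        return "exempt"
    match = next((r for r in policy if r.nat_id), None) or next(  # 2. policy NAT
        (r for r in rules if r.nat_id and r.network and src_ip in r.network), None)  # 3. regular
    if match is None:
        return "untranslated"   # nat-control disabled: forwarded as-is
    if (egress, match.nat_id) in cfg.globals_:
        return f"translated via global ({egress}) {match.nat_id}"
    return f"dropped: no global ({egress}) {match.nat_id}"   # the thread's failure


# Assumed layout (only the lines the parser reads): inside 100 > ASD_VPN 50 > outside 0
INTERFACES = """
nameif outside
security-level 0
nameif inside
security-level 100
nameif ASD_VPN
security-level 50
"""
# First attempt from the thread: nat on the whole remote source network.
FIRST_ATTEMPT = INTERFACES + """
access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
nat (ASD_VPN) 0 access-list 101
nat (outside) 2 172.17.5.0 255.255.255.0 outside
global (ASD_VPN) 2 interface
"""
# Working version from the thread: the nat statement is bound to the ACL.
FIXED = INTERFACES + """
access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0
nat (ASD_VPN) 0 access-list 101
nat (outside) 2 access-list 101 outside
global (ASD_VPN) 2 interface
"""
# The first attempt with the trailing "outside" keyword left off.
NO_OUTSIDE_KEYWORD = FIRST_ATTEMPT.replace("255.255.255.0 outside", "255.255.255.0")

# Constructed hosts: a remote client, a host in 10.254.0.0/16, a host on inside.
FLOWS = [
    ("172.17.5.10", "10.254.1.1", "outside", "ASD_VPN"),  # remote -> ASD_VPN
    ("172.17.5.10", "172.19.25.5", "outside", "inside"),  # remote -> inside
    ("10.254.1.1", "172.17.5.10", "ASD_VPN", "outside"),  # return path
]


def evaluate(config_text):
    """Run every flow in FLOWS through one configuration."""
    cfg = parse_config(config_text)
    return [nat_lookup(cfg, *flow) for flow in FLOWS]


if __name__ == "__main__":
    for name, text in [("first attempt", FIRST_ATTEMPT), ("fixed", FIXED),
                       ("no outside keyword", NO_OUTSIDE_KEYWORD)]:
        print(name, dict(zip([f"{s} -> {d}" for s, d, *_ in FLOWS], evaluate(text))))
```

Running it reproduces the three outcomes seen in the thread: with the network form, the remote-to-ASD_VPN flow is PATed but the remote-to-inside flow is dropped for want of a "global (inside) 2"; with the ACL-bound form, only the 10.254.0.0/16-bound flow is translated and everything else is left alone; without the "outside" keyword the statement never applies to the low-to-high flow at all. The return path from 10.254.0.0/16 is exempted by "nat (ASD_VPN) 0 access-list 101" in every case.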
