Solved: ASA 5515X Dual WAN support

Rizwan · ‎07-20-2014

Hi,

Does Cisco ASA 5515-X supports dual WAN? I have two internet connections from two ISPs

nkarthikeyan · ‎07-20-2014

Hi Rizwan,

Yes it supports Dual WAN. You can have two internet links configured and use that as primary and backup connections.

Regards

Karthik

View solution in original post

Marvin Rhoads · ‎08-21-2014

The examples linked need only update the NAT to have nat(inside,outside1) and nat(inside,outside2) statements instead of the two global entries.

All the rest is unchanged between ASA/Pix 7.x/8.x and ASA 9.1

View solution in original post

nkarthikeyan · ‎07-20-2014

Hi Rizwan,

Yes it supports Dual WAN. You can have two internet links configured and use that as primary and backup connections.

Regards

Karthik

Marvin Rhoads · ‎07-20-2014

Yes. There are numerous threads on this forum and elsewhere on setting this up.

Please see the following:

CSC Document

Cisco configuration example

Youtube demo

Rizwan · ‎08-19-2014

Hello Marvin,

Please send me configuration according to ASA ios version 9.1

Marvin Rhoads · ‎08-21-2014

The examples linked need only update the NAT to have nat(inside,outside1) and nat(inside,outside2) statements instead of the two global entries.

All the rest is unchanged between ASA/Pix 7.x/8.x and ASA 9.1

Rizwan · ‎08-22-2014

Hi Marvin,

I am configuring Remote access EZ VPN, the vpn is connected but I am unable to access LAN from VPN. Please guide me in this regard

Rizwan · ‎09-04-2014

I have configured dual WAN and PAT with both interfaces but it works only when I shutdown outside1 interface. If the internet is down from ISP it does not work because it did not get route until I manually shutdown outside1 interface. How I can make it auto switch from Primary to backup?

nkarthikeyan · ‎09-04-2014

Hi Rizwan,

You have to use IP Sla and Track to monitor the link failure and fall back....

sla monitor 10
 type echo protocol ipIcmpEcho <ISP Router Interface IP> interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!

track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 <ISP1 Rtr IP Address> 1 track 1
route outside2 0.0.0.0 0.0.0.0 <ISP2 Rtr IP Address> 254

This will track and auto switch when your isp link fails..... sla monitor ip address can be any ip address of internet site.... here i have used connected isp router interface.... if needed you can use any general public ip address for tracking....

Regards

Karthik

Rizwan · ‎09-04-2014

Its already fixed. There was some issue in SLA config. Thanks Kharthik

Rizwan · ‎09-04-2014

I have another question, If my Primary link is back, will it switch automatically back to primary link?

Rizwan · ‎08-27-2014

Hi Marvin,

Please let me know if it is possible to operate both WAN links Outside1 and Outside2 at Load balancing instead as primary and backup.

nkarthikeyan · ‎08-27-2014

Hi Rizwan,

Unfortunately cisco ASA doesn't support load balancing..... if you have a site to site vpn.... then you can tweak something on your asa to have general internet traffic going via one link and site to site traffic to go via another.... and each can backup.... but both as active is not possible with present ASA.

Regards

Karthik

Rizwan · ‎08-27-2014

I have pool of Public IP addresses with my both WAN links, I want my DMZ servers to utilize IP addresses from my both WAN links. Is it possible using static NAT? I want to route DMZ servers from both WAN links using static NAT.

nkarthikeyan · ‎08-27-2014

Hi Rizwan,

In case if the access is from outside to dmz, then no issues, it can be done thru static NAT. I have done a small lab on that and it works.....

object network host_wan1
host 10.0.0.10
object network host_wan2
host 10.0.0.10
object network host_wan1_nat
host 1.1.1.3
object network host_wan2_nat
host 2.2.2.3

!

nat (inside,wan1) source static host_wan1 host_wan1_nat
nat (inside,wan2) source static host_wan2 host_wan2_nat

!

route wan1 0.0.0.0 0.0.0.0 1.1.1.1 1
route wan2 0.0.0.0 0.0.0.0 2.2.2.1 250

!

Result:

isp1#ping 1.1.1.3 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 8/10/20 ms
isp1#

isp2#ping 2.2.2.3 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/10/28 ms
isp2#

dualwanasa(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.0.0.10 to wan1:1.1.1.3
flags s idle 0:00:08 timeout 0:00:00
NAT from inside:10.0.0.10 to wan2:2.2.2.3
flags s idle 0:01:25 timeout 0:00:00
dualwanasa(config)

I was able to reach the server from both the links from outside.

Regards

Karthik

Rizwan · ‎08-28-2014

Hi,

Its not working in my case, please see following configuration. The route from backup (WAN2) is not working with static NAT. I think you are pinging directly connected interfaces. The reason behind is when I do show route, I can see only one default route from WAN1.

object network host_WAN1
host 172.20.58.70
object network host_WAN2
host 172.20.57.201
object network NAT_host_WAN1
host 202.x.x.x
object network NAT_host_WAN2
host 125.x.x.x

nat (inside,outside) source static host_WAN1 NAT_host_WAN1
nat (inside,backup) source static host_WAN2 NAT_host_WAN2

route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route backup 0.0.0.0 0.0.0.0 125.x.x.x 254