Cisco Support Community

New Member

ASA 5515X Dual WAN support

Hi,

Does Cisco ASA 5515-X support dual WAN? I have two internet connections from two ISPs.

18 REPLIES

Hi Rizwan,

 

Yes it supports Dual WAN. You can have two internet links configured and use that as primary and backup connections.

 

 

Regards

Karthik

Hall of Fame Super Silver

Yes. There are numerous threads on this forum and elsewhere on setting this up.

Please see the following:

CSC Document

Cisco configuration example

Youtube demo

 

New Member

Hello Marvin, 

Please send me configuration according to ASA ios version 9.1 

Hall of Fame Super Silver

The examples linked need only update the NAT to have nat(inside,outside1) and nat(inside,outside2) statements instead of the two global entries.

All the rest is unchanged between ASA/Pix 7.x/8.x and ASA 9.1

New Member

Hi Marvin,

I am configuring remote access EZ VPN. The VPN is connected but I am unable to access the LAN from the VPN. Please guide me in this regard.

New Member

I have configured dual WAN and PAT with both interfaces, but it works only when I shut down the outside1 interface. If the internet is down from the ISP it does not work, because it does not get the route until I manually shut down the outside1 interface. How can I make it auto switch from primary to backup?

Hi Rizwan,

You have to use IP SLA and track to monitor the link failure and fall back....

sla monitor 10
 type echo protocol ipIcmpEcho <ISP Router Interface IP> interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 <ISP1 Rtr IP Address> 1 track 1
route outside2 0.0.0.0 0.0.0.0 <ISP2 Rtr IP Address> 254

 

This will track and auto switch when your ISP link fails..... The sla monitor IP address can be any IP address of an internet site.... Here I have used the connected ISP router interface.... If needed you can use any general public IP address for tracking....

 

Regards

Karthik
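The failover above only works if the whole chain is present: the primary default route carries `track`, the track object points at an SLA monitor, and that monitor is scheduled. The following check of that chain is an added example, not code from the thread; the function name `audit_failover` and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample configs (documentation addresses), shaped like the thread's.
TRACKED = """\
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
"""
UNTRACKED = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
"""

ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?(?: track (\d+))?$")
TRACK = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA = re.compile(r"^sla monitor (\d+)$")
SCHED = re.compile(r"^sla monitor schedule (\d+) ")

def audit_failover(config):
    """Return a list of problems in the default-route failover chain."""
    routes, tracks, slas, scheduled = [], {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := ROUTE.match(line):
            routes.append((int(m[2] or 1), m[1], m[3]))  # (distance, iface, track id)
        elif m := TRACK.match(line):
            tracks[m[1]] = m[2]                          # track id -> sla id
        elif m := SLA.match(line):
            slas.add(m[1])
        elif m := SCHED.match(line):
            scheduled.add(m[1])
    if len(routes) < 2:
        return ["fewer than two default routes: no backup path"]
    # The default route with the lowest distance is the primary.
    _, iface, track = min(routes, key=lambda r: r[0])
    findings = []
    if track is None:
        findings.append(f"primary route via {iface} has no 'track'; "
                        "it stays installed while the interface is up")
    elif track not in tracks:
        findings.append(f"track {track} is not defined")
    elif tracks[track] not in slas:
        findings.append(f"sla monitor {tracks[track]} is not defined")
    elif tracks[track] not in scheduled:
        findings.append(f"sla monitor {tracks[track]} is never scheduled")
    return findings
```

`audit_failover(UNTRACKED)` reports the untracked primary route, which matches the symptom described earlier in the thread: the backup route is used only after the primary interface is shut down by hand.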

New Member

It's already fixed. There was some issue in the SLA config. Thanks, Karthik.

New Member

I have another question: if my primary link is back, will it switch automatically back to the primary link?

New Member

Hi Marvin,

Please let me know if it is possible to operate both WAN links, Outside1 and Outside2, in load balancing instead of as primary and backup.

Hi Rizwan,

Unfortunately Cisco ASA doesn't support load balancing..... If you have a site-to-site VPN.... then you can tweak something on your ASA to have general internet traffic going via one link and site-to-site traffic going via another.... and each can back up.... but both as active is not possible with the present ASA.

 

Regards

Karthik

New Member

I have a pool of public IP addresses with both my WAN links. I want my DMZ servers to utilize IP addresses from both my WAN links. Is it possible using static NAT? I want to route DMZ servers from both WAN links using static NAT.

Hi Rizwan,

In case the access is from outside to the DMZ, then no issues, it can be done through static NAT. I have done a small lab on that and it works.....

 

object network host_wan1
 host 10.0.0.10
object network host_wan2
 host 10.0.0.10
object network host_wan1_nat
 host 1.1.1.3
object network host_wan2_nat
 host 2.2.2.3
!
nat (inside,wan1) source static host_wan1 host_wan1_nat
nat (inside,wan2) source static host_wan2 host_wan2_nat
!
route wan1 0.0.0.0 0.0.0.0 1.1.1.1 1
route wan2 0.0.0.0 0.0.0.0 2.2.2.1 250
!


Result:

isp1#ping 1.1.1.3 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 8/10/20 ms
isp1#

 

isp2#ping 2.2.2.3 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/10/28 ms
isp2#

 

dualwanasa(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.0.0.10 to wan1:1.1.1.3
    flags s idle 0:00:08 timeout 0:00:00
NAT from inside:10.0.0.10 to wan2:2.2.2.3
    flags s idle 0:01:25 timeout 0:00:00
dualwanasa(config)

 

 

 

I was able to reach the server from both the links from outside.

 

 

Regards

Karthik

New Member

Hi,

It's not working in my case, please see the following configuration. The route from backup (WAN2) is not working with static NAT. I think you are pinging directly connected interfaces. The reason is that when I do show route, I can see only one default route, from WAN1.

object network host_WAN1
 host 172.20.58.70
object network host_WAN2
 host 172.20.57.201
object network NAT_host_WAN1
 host 202.x.x.x
object network NAT_host_WAN2
 host 125.x.x.x

nat (inside,outside) source static host_WAN1 NAT_host_WAN1
nat (inside,backup) source static host_WAN2 NAT_host_WAN2

route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route backup 0.0.0.0 0.0.0.0 125.x.x.x 254

How did you try it out?

Have you tried to access those DMZ servers from outside?.... If so then it should work.... If you access from the DMZ server to outside it gives the def route based IP.... but it is not the case for inbound traffic....

 

Regards

Karthik

New Member

From WAN2 

nat (inside,backup) source static host_WAN2 NAT_host_WAN2

The internet was not working on the machine, and it was not getting route to outside. 

Hi Rizwan,

That is what I have mentioned: you can do that for inbound connectivity to the server.... But if you want to access anything from the DMZ server, then you need to have the generic PAT rule to allow DMZ-to-outside access, similar to the PAT rule which you have for inside users to access the internet...

Can you check by adding the PAT rule?

That will give you a result like this.... Anything you access from the DMZ server to the outside will take the default path and the PAT configured.... If anyone accesses the server from outside.... they can access it at any time.....

 

Regards

Karthik

New Member

I don't need a PAT rule with the DMZ, I need static NAT for the server and just need to make sure of route availability in the routing table. I have a PAT and a static rule, but my server traffic is going through the PAT rule instead of the static NAT rule.

 

C    172.20.0.0 255.255.0.0 is directly connected, inside
S    125.x.x.219 255.255.255.255 [1/0] via 125.x.x.209, backup
C    125.x.x.208 255.255.255.240 is directly connected, backup
C    202.x.x.128 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 202.x.x.129, outside

You can see only one default route in the routing table. I have also defined a static route, S    125.x.x.219 255.255.255.255 [1/0] via 125.x.x.209, backup, but it's not working.
