Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA with two ISPs

I have two ISPs but I don't want to setup a backup route I want to route all my internet traffic out the secondary outside interface but without losing the first outside interface because I have all of my static IP addresses on the first outside interface.  Any ideas?

Everyone's tags (1)
3 REPLIES
New Member

Hi Nelson,Could you please

Hi Nelson,

Could you please provide the current configuration of the ASA (especially the routes configured in ASA).

Regards,

Thomas

New Member

sh run: Saved:ASA Version 8.4

sh run
: Saved
:
ASA Version 8.4(1)
!
hostname fw254
domain-name testnj.org
enable password ?? encrypted
passwd ?? encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.0.254 255.255.255.0
!
interface Vlan2 (T1)
 nameif outside
 security-level 0
 ip address ??.??.??.98 255.255.255.240

interface vlan3 (CABLE MODEM)
 nameif outside1
 security-level 0
 ip address ??.??.??.52 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!


interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name testnj.org
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.17.0.0_16
 subnet 172.17.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_16


 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_172.17.2.0_25
 subnet 172.17.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network te-test
 host 172.17.12.12
object network Barracuda
 host 172.17.8.17
 description Barracuda Spam Appliance  
object network EXCH-2010
 host 172.17.8.13
 description Exchange 2010 Server  
object network 192.168.4.0
 subnet 192.168.4.0 255.255.255.0
object network 192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network dex_Server
 host 172.17.8.14
object service RDP
 service tcp destination eq 3389
object-group service testRDP tcp
 port-object eq 3389
 port-object eq 5389


 port-object eq 6389
 port-object eq 8390
 port-object eq 8989
 port-object eq 8990
access-list outside_1_cryptomap extended permit ip 172.17.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list testVPNGroup_splitTunnelAcl standard permit 172.17.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Barracuda eq smtp
access-list outside_access_in extended permit tcp any object Barracuda eq pop3
access-list outside_access_in extended permit tcp any object Barracuda eq ssh
access-list outside_access_in extended permit tcp any object EXCH-2010 eq https
access-list outside_access_in extended permit tcp any object EXCH-2010 eq www
access-list outside_access_in extended permit object RDP any object dex_Server
access-list outside_access_in remark test RDP ports, close 3389 soon. GTR 5/14/2011
access-list outside_access_in extended permit tcp any object te-test object-group testRDP
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit ip host ??.??.??.180 host ??.??.??.99 inactive
access-list testVPN_SplitTunACL remark test Internal Network River
access-list testVPN_SplitTunACL standard permit 172.17.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool2 172.17.2.10-172.17.2.100 mask 255.255.255.0


no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_172.17.2.0_25 NETWORK_OBJ_172.17.2.0_25
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_16 NETWORK_OBJ_172.17.0.0_16 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24
!
object network obj_any
 nat (inside,outside) dynamic interface
object network te-test
 nat (any,any) static ??.??.??.99
object network Barracuda
 nat (any,any) static ??.??.??.101
object network EXCH-2010
 nat (any,any) static ??.??.??.100
object network Munidex_Server
 nat (any,any) static ??.??.??.102
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ??.??.??.97 1
route outside1 0.0.0.0 0.0.0.0 ??.??.??.51 2
route inside 172.17.0.0 255.255.0.0 172.17.0.1 1
route inside 192.168.3.0 255.255.255.0 172.17.0.1 1
route inside 192.168.4.0 255.255.255.0 172.17.0.1 1


route inside 192.168.5.0 255.255.255.0 172.17.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ??.210
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer ??.114


crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=fw254
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate a487384d
    308201c3 3082012c a0030201 020204a4 87384d30 0d06092a 864886f7 0d010105
    05003026 310e300c 06035504 03130566 77323534 31143012 06092a86 4886f70d
    01090216 05667732 3534301e 170d3131 30313231 32313435 31375a17 0d323130
    31313832 31343531 375a3026 310e300c 06035504 03130566 77323534 31143012
    06092a86 4886f70d 01090216 05667732 35343081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100a5 f386e796 0cee5ca0 d90533b8 2916ef91
    222f0cc1 53d428ba f8c316e1 21d0c760 c2bc56e7 9ff3f56f dac6edf8 880f3842
    3ad84e2c 125e9e3c aef92304 f1ed4f55 9a832c78 73e60924 7af3c30d 2e73b0d4
    eba2b0b2 9c0d6438 0797dd48 1f62b04b 748ca2fe 7fde4d72 2b5ea87e ab223558
    1c4f1e9c e33ba9fd 3e5c68b5 719e6f02 03010001 300d0609 2a864886 f70d0101
    05050003 81810090 9353520d 8725797d 4fafc8dd d5f2702b 019158d6 038a23d9
    a675f0de b9c5e139 36946502 1aea3430 5c76773b 2a4e9b06 6bdb8850 e494dd79
    9b22f25e 6844557d 2b518c9f 4e42f428 90fc2d5b 9b5b0b93 fde76aad dc5cc146
    8a986e1f 115ed3ac 8e077cde 55b445f9 6b6232ab 5b28626d 8d9bd890 3e79d483
    15e28d11 d7b9e2


  quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 30
ssh version 2
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.17.0.150-172.17.0.175 inside
dhcpd dns 4.2.2.2 4.2.2.1 interface inside
dhcpd domain BoE-test.local interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 17.254.0.27 source outside prefer
webvpn


group-policy testVPNGroupPolicy internal
group-policy testVPNGroupPolicy attributes
 dns-server value 172.17.8.10 172.17.8.11
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testVPN_SplitTunACL
group-policy testVPNGroup internal
group-policy testVPNGroup attributes
 wins-server value 4.2.2.1
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testVPNGroup_splitTunnelAcl
 default-domain value test.com
username edgefd password f8.apWxtIP/hKDsD encrypted
username edgefd attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username edgevpnuser3 password ?? encrypted privilege 0
username edgevpnuser3 attributes
 service-type remote-access
username edgevpnuser2 password ?? encrypted privilege 0
username edgevpnuser2 attributes
 vpn-group-policy testVPNGroupPolicy


 service-type remote-access
username vpnuser1 password ?? encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username MikeS password ?? encrypted
username MikeS attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username mikeb password ?? encrypted
username mikeb attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username gregf password ?? encrypted
username gregf attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username support password ?? encrypted
username support attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username testSupport password ??V encrypted privilege 0
username testSupport attributes
 vpn-group-policy testVPNGroup


username 3c password ?? encrypted privilege 15
username VOIPAdmin password ?? encrypted
username VOIPAdmin attributes
 vpn-group-policy testVPNGroup
 service-type remote-access
username tomq password 8w.fOfnulq35.YH6 encrypted
username tomq attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
username thomasj password ?? encrypted
username thomasj attributes
 vpn-group-policy testVPNGroupPolicy
 service-type remote-access
tunnel-group 67.154.126.210 type ipsec-l2l
tunnel-group 67.154.126.210 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group testVPNGroup type remote-access
tunnel-group testVPNGroup general-attributes
 address-pool ippool2
 default-group-policy testVPNGroup
tunnel-group testVPNGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group ??.??.??.114 type ipsec-l2l
tunnel-group ??.??.??.114 ipsec-attributes


 ikev1 pre-shared-key *****
tunnel-group testTunnelGroup type remote-access
tunnel-group testTunnelGroup general-attributes
 address-pool ippool2
 authorization-server-group LOCAL
 default-group-policy testVPNGroupPolicy
tunnel-group testTunnelGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
class-map global
class-map inspection-default
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp


  inspect sip  
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:db60cb0da92371c17771b2fb8f576f18
: end

fw254#         

VIP Green

This solution is not

This solution is not recommended but it is a way to get to the solution you want.  Keep in mind that by doing the following you will be creating a security risk.

You can configure TCP bypass on the ASA.  This will allow the ASA to perform asynchronous routing so that you can receive traffic on interface "outside" and then route the return traffic through "outside1".  TCP bypass tells the ASA to ignor the connection state of packets allowing asynchronous routing.  Please refer to the following link for more information and how to configure TCP bypass:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
104
Views
0
Helpful
3
Replies
CreatePlease to create content