
ASA5505 dual isp setup - missing something very simple?

helmutspindler
Level 1

Hi,

I have a small business network with an ASA 5505 (Security Plus) and a static external IP for internet access used for VPN. That works fine, but as the speed is relatively low we decided to buy a consumer internet line with 4 times the bandwidth (dynamic IP). My idea was that the new internet line should be the primary one for outgoing connections, while the existing line should be the backup line (SLA check), as referred to in http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html

I think I know how to set up the routes and their metrics and also the SLA monitor; however, I have a more basic problem: I am not able to get the new line running. I guess I have made a small mistake somewhere.

I have three interfaces:

- inside
- outside (the old internet line with static ip)
- upc (the new interface with the new line)


As the new line has a dynamic IP address and its standard gateway is changing, I put the provider's router on interface "upc", so I can address a static gateway IP. The configuration of this router is:

Router IP: 10.0.0.1
DHCP Range 10.0.0.100 - 150
DMZ: 10.0.0.2

My interface "upc" has the IP address 10.0.0.2 and the static route is 10.0.0.1. Now here's the problem: As soon as I set the metric of this route to be the primary one, I am not able to access the internet from the inside. So the ASA fails to get my inside hosts into the internet via this route. If I connect with a computer to the router directly it works fine, so I am sure the router is not the problem.

Probably there is some very simple NAT issue I am missing here. Do you have any ideas why my configuration does not work? Please find my configuration attached. I am using ASDM to configure the ASA; I have removed the VPN part and XX'ed my external IP.

Thank you!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

On a quick glance it seems that you are simply doing Dynamic PAT for your LAN traffic towards the UPC interface. This should already mean that the router behind the UPC interface should only see traffic coming from the directly connected network and therefore no additional routing should be required.

As always I would suggest using the "packet-tracer" command to confirm what the ASA would do to a connection that is supposed to go through the UPC interface. This should usually tell if there is some configuration-related problem.

For example:

packet-tracer input inside tcp 192.168.1.100 12345 8.8.8.8 80

This should give some picture of what NAT configuration is applied and also show if the traffic would pass or get dropped by the firewall.

If this problem is not caused by a misconfiguration, I would consider the possibility that the DNS servers that you are using in your "inside" interface DHCP configuration might not be reachable through the consumer line.

You could for example try the Google DNS servers. I think they were 8.8.4.4 and 8.8.8.8 at least.

You could also try to PING these target addresses. For this I would suggest checking that you have "inspect icmp" and "inspect icmp error" configured under your default "policy-map" configuration.

Hope this helps :)

- Jouni
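The dual-ISP arrangement the question describes (the new UPC line as primary, the old static line as SLA-tracked backup, with dynamic PAT on both egress interfaces) together with the packet-tracer check recommended above, as an added example that is not from this thread, from Cisco's documentation or from the poster's attached configuration. It assumes an ASA running 8.3+ object NAT, an inside network of 192.168.1.0/24 (taken from the packet-tracer example in the answer), the UPC gateway 10.0.0.1 and ASA address 10.0.0.2 stated in the question, an assumed SLA target of 8.8.8.8, and placeholder addresses (203.0.113.0/29) for the outside interface and its gateway.

```cisco
! Added example (not from the thread). Assumed values: inside 192.168.1.0/24,
! upc 10.0.0.2/24 with gateway 10.0.0.1 (from the question), outside
! 203.0.113.2/29 with gateway 203.0.113.1 (placeholders), SLA target 8.8.8.8.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 nameif upc
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! One network object per egress interface: the ASA selects the PAT rule
! whose interface pair matches the egress interface chosen by the active
! default route, so inside hosts are translated to 10.0.0.2 while the UPC
! route is up and to the outside address once the backup route takes over.
object network INSIDE-NET-UPC
 subnet 192.168.1.0 255.255.255.0
 nat (inside,upc) dynamic interface
object network INSIDE-NET-OUTSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! SLA probe: three ICMP echoes every 10 s to 8.8.8.8, sent out of upc
! (assumed target; pick a host that is reachable only via the UPC line).
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface upc
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 mirrors the probe's reachability state.
track 1 rtr 10 reachability
!
! Primary default route via the UPC router (metric 1) stays installed only
! while track 1 is up; the backup route via outside (metric 254) is used
! when the probe fails and is superseded again when the probe recovers.
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! ICMP inspection so that ping replies from the inside test host return
! through the stateful firewall.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification from exec mode: which default route is active, the track
! state, and a traced connection from an inside host to check NAT and egress.
! show route
! show track 1
! packet-tracer input inside tcp 192.168.1.100 12345 8.8.8.8 80
```

In the packet-tracer output, the NAT phase should list the (inside,upc) rule and the final result should show output interface upc with action allow; if the trace instead ends at the (inside,outside) rule, the tracked route has been withdrawn (check `show track 1`), and if it ends with a drop the reason line names the phase (ACL, NAT or route lookup) that rejected the packet.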

 


Thanks for the hint with the packet-tracer and the DNS. Indeed it was the DNS server from my service provider, which did not allow me to access its service. Now I have two problems with this dual ISP solution:

1.) I would like to use the DNS servers of my providers, but I can only use the servers when using their internet line. At the moment I manually distribute the DNS servers via the ASA's DHCP server. I somehow need to tell the ASA that it should deploy the server based on the active route (internet line) used.

Any idea how I could do that? Or can the ASA do the job?

2.) My users usually connect to the ASA via IPsec VPN on interface "outside", as this one has a static IP address. As soon as I tell the ASA that my new interface "upc" is the dominant static route, it does not react to connections on "outside" anymore but only on "upc". Is there anything I can do against that? I would like to keep both options for the users...

Thanks for your help!
