Cisco Support Community

New Member

Using multiple outside interface on ASA 5520

Hi Moderator,

I have the following query with regards to Firewall.

1) Will global NAT forward the traffic to the respective ISP gateways, i.e. Global ID 13 should always forward to 100.X.X.X and 14 to 200.X.X.X through the default route?

2) In the event the primary internet goes down, what are the challenges, assuming I have an ISP-independent public IP pool?

Thanks in advance.

S Kumar

*********Config START************************************

interface Gi0/0
description Primary Internet
nameif outside
security-level 0
ip address 100.X.X.X 255.255.255.0
!
interface Gi0/1
description Secondary Internet
nameif outside-2
security-level 0
ip address 200.X.X.X 255.255.255.0
!
interface Gi0/2
description Corporate network
nameif INSIDE
security-level 100
ip address 10.10.10.1 255.255.255.0
!
route inside 10.10.20.0 255.255.255.0 10.10.10.10 1
route inside 10.10.30.0 255.255.255.0 10.10.10.10 1
!
global (outside) 13 100.X.X.X
global (outside) 14 200.X.X.X
!
nat (inside) 13 10.10.20.0 255.255.255.0
nat (inside) 14 10.10.30.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 100.X.X.X
route outside 0.0.0.0 0.0.0.0 200.X.X.X

************Config-END*********************************

8 REPLIES
Cisco Employee

Re: Using multiple outside interface on ASA 5520

Kumar,

I believe you meant

route outside-2 0.0.0.0 0.0.0.0 200.X.X.X and not route outside 0.0.0.0 0.0.0.0 200.X.X.X

In either case the ASA can only load balance up to 3 default GW out the SAME interface not out diff. interfaces.

You need to do PBR (Policy Based Routing) using a Layer 3 device on the outside.

Pls. read this thread where I have answered this in the past: https://supportforums.cisco.com/message/894920

You can also do SLA route tracking: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

-KS
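As an added example of the ASA-side SLA route tracking KS refers to (this is not configuration from the thread or from the linked Cisco document), the fragment below installs the primary default route only while a probe through the primary ISP succeeds and keeps a higher-metric default route out outside-2 as the fallback. All addresses are placeholders: 100.0.0.1 and 200.0.0.1 stand in for the thread's 100.X.X.X and 200.X.X.X ISP gateways, and 203.0.113.10 is an assumed probe target that is only reachable via ISP1.

```cisco
! Added example: ASA static-route tracking for primary/backup ISP failover.
! Placeholders: 100.0.0.1 = ISP1 gateway (thread's 100.X.X.X),
!               200.0.0.1 = ISP2 gateway (thread's 200.X.X.X),
!               203.0.113.10 = assumed probe target reachable only through ISP1.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track 1 goes down when the echo probe fails.
track 1 rtr 1 reachability
!
! Primary default route (metric 1) is withdrawn from the routing table while track 1 is down.
route outside 0.0.0.0 0.0.0.0 100.0.0.1 1 track 1
!
! Backup default route out the second interface with a worse metric; it is used only
! once the tracked route is gone.
route outside-2 0.0.0.0 0.0.0.0 200.0.0.1 254
```

Two things to keep in mind with this design. First, the probe target must be something that is not itself reachable through outside-2, otherwise the track never fails and the backup route never activates. Second, the tracked route only swaps the exit interface; with the 8.2-style NAT in the original post the translations are bound to (inside,outside), so connections that leave via outside-2 after a failover also need matching global (outside-2) entries, or they will be dropped for lack of a translation. Existing connections that were translated to the ISP1 block are not carried over; they time out and are re-established through ISP2.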

New Member

Re: Using multiple outside interface on ASA 5520

Hi Kusankar,

Thanks for your reply; the correction is as follows.

route outside-2 0.0.0.0 0.0.0.0 200.X.X.X

I would like to load balance outbound traffic based on Global nat.

i.e. a few VLANs would use global NAT 13 to forward traffic to OUTSIDE (interface),

and the remaining VLANs would use global NAT 14 to forward traffic to OUTSIDE-2 (interface).

In the event of outage at primary ISP, both Global nat 13 and 14 should use the OUTSIDE-2 (interface)

Would this work out practically?

Thanks

Kumar

Cisco Employee

Re: Using multiple outside interface on ASA 5520

Yes, only in the scenario that I mentioned on the thread link that I enclosed. Pls. read that. You cannot add two default routes on the ASA pointing to two diff. interfaces.  It does not work.

                      Outside
                     /
inside---ASA---Router
         |           \
        DMZ           Outside-2

-KS

New Member

Re: Using multiple outside interface on ASA 5520

Thanks kusankar,

Since I have two different public pools, how will it accommodate two IP networks between the ASA <-----to------> Router?

As the ASA does not seem to support a sub-interface or the secondary command.

Thanks,

Kumar

Cisco Employee

Re: Using multiple outside interface on ASA 5520

Kumar,

You can use any IP address on the ASA to translate. An interface doesn't have to be configured on the ASA to be able to use the IP block for translation. You can just use a private IP subnet between the ASA and the Router.

Like I discussed on that previous thread, you can use the ISP1 block for all dynamic NAT translations and use the ISP2 block IP for all static NAT translations - all on the ASA.  Then the router will look at the packet: if it has a source address provided by ISP1 (after translation from the ASA) then it will send the packet via the ISP1 link, and if the packets have a source address provided by ISP2 (after translation from the ASA) then it will send the packets via the ISP2 link. This can be configured using PBR - route maps and setting the next hop on the router.

-KS
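The router-side PBR that KS describes, written out as an added example (this is not configuration from the thread or from the linked Cisco pages). It also covers Kumar's earlier failover requirement: traffic carrying an ISP1-block source is steered to ISP1 while an IP SLA probe of that link succeeds and falls back to the ISP2 next hop otherwise. Everything below is assumed addressing: 192.168.255.0/30 is the private link between ASA outside (.2) and the router (.1); 203.0.113.0/24 and 198.51.100.0/24 stand in for the ISP1 and ISP2 public blocks the ASA translates to; 100.0.0.1 and 200.0.0.1 stand in for the ISP1 and ISP2 next hops; GigabitEthernet0/0, 0/1 and 0/2 are the assumed router interfaces facing the ASA, ISP1 and ISP2.

```cisco
! Added example of the router-side PBR described above (not from the thread).
! Assumed addressing (all placeholders):
!   192.168.255.0/30  private link, ASA outside = .2, router = .1
!   203.0.113.0/24    ISP1 block, used by the ASA for dynamic NAT (stands in for 100.X.X.X)
!   198.51.100.0/24   ISP2 block, used by the ASA for static NAT (stands in for 200.X.X.X)
!   100.0.0.1         ISP1 next hop, reached via GigabitEthernet0/1
!   200.0.0.1         ISP2 next hop, reached via GigabitEthernet0/2
!
! Probe each ISP next hop so a dead link is detected and the route-map can skip it.
ip sla 1
 icmp-echo 100.0.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.0.0.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Return traffic for both public blocks is sent to the ASA, which un-translates it.
ip route 203.0.113.0 255.255.255.0 192.168.255.2
ip route 198.51.100.0 255.255.255.0 192.168.255.2
! Router's own default route for anything PBR does not touch.
ip route 0.0.0.0 0.0.0.0 100.0.0.1
!
! Classify packets by the source address the ASA translated them to.
ip access-list extended FROM-ISP1-BLOCK
 permit ip 203.0.113.0 0.0.0.255 any
ip access-list extended FROM-ISP2-BLOCK
 permit ip 198.51.100.0 0.0.0.255 any
!
route-map ISP-SELECT permit 10
 match ip address FROM-ISP1-BLOCK
 ! Prefer ISP1 while track 1 is up; if it is down, use ISP2 while track 2 is up.
 set ip next-hop verify-availability 100.0.0.1 10 track 1
 set ip next-hop verify-availability 200.0.0.1 20 track 2
route-map ISP-SELECT permit 20
 match ip address FROM-ISP2-BLOCK
 ! Static-NAT traffic always uses ISP2 while that link is up.
 set ip next-hop verify-availability 200.0.0.1 10 track 2
!
! Apply the policy on the interface facing the ASA, where translated packets enter the router.
interface GigabitEthernet0/0
 description Link to ASA outside
 ip address 192.168.255.1 255.255.255.252
 ip policy route-map ISP-SELECT
```

The fallback in sequence 10 only helps if ISP2 will forward packets whose source is in the ISP1 block; with provider-assigned space many ISPs drop them by source-address filtering, which is why Kumar's stated assumption of an ISP-independent pool matters. If the ISP1 link fails, packets from the ISP1 block that the router redirects to ISP2 also need the ISP1 block to be reachable back through ISP2, so inbound return traffic for that block has to be announced or routed via ISP2 for the failover to be complete.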

New Member

Re: Using multiple outside interface on ASA 5520

Hi Kusankar,

As said, having configured a private IP between the ASA and the Router, will I be able to terminate Site-to-Site VPN or Remote VPN on the ASA?

Thanks,

Kumar.

Cisco Employee

Re: Using multiple outside interface on ASA 5520

So long as the router can translate the ASA's outside interface statically (1-1) to a routable address, I don't see why not.

-KS

New Member

Re: Using multiple outside interface on ASA 5520

Hi,

I am planning to do the Primary and Backup setup on the ASA. When the primary fails over to the backup, what will happen to all the NAT config?

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static BE-abc-company-Network BE-abc-company-Network no-proxy-arp route-lookup
2 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static US-abc-company-Network US-abc-company-Network no-proxy-arp route-lookup
4 (inside) to (outside) source static FR-abc-company-Network FR-abc-company-Network destination static SG-abc-company-Network SG-abc-company-Network no-proxy-arp route-lookup

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-10.22.0.99 178.132.22.10
2 (Guest) to (outside) source dynamic Guest-Network interface
3 (inside) to (outside) source dynamic obj_any interface


Do I need to create another set of Manual and Auto NAT rules for the "backup" outside interface?

Manual NAT Policies (Section 1)
1 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static BE-abc-company-Network BE-abc-company-Network no-proxy-arp route-lookup
2 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static US-abc-company-Network US-abc-company-Network no-proxy-arp route-lookup
4 (inside) to (backup) source static FR-abc-company-Network FR-abc-company-Network destination static SG-abc-company-Network SG-abc-company-Network no-proxy-arp route-lookup

Auto NAT Policies (Section 2)
1 (inside) to (backup) source static obj-10.22.0.99 192.135.20.10
2 (Guest) to (backup) source dynamic Guest-Network interface
3 (inside) to (backup) source dynamic obj_any interface

 
