2 ISPs, one for site-to-site VPN and the other for Internet. Can't access internet for some reason?

abrrymnvette
Level 1

I have two ISPs and am having an issue when I set up the routing to send all the internet traffic out the second ISP and site-to-site traffic out the first ISP. I'm set up exactly like this guide.

http://oasysadmin.com/2013/06/14/cisco-asa-with-dual-isps-one-for-internet-and-one-for-vpn-example/

My DHCP is assigning me the DNS server in my remote office, like it should. So, to get to the internet, I query a DNS server at 10.2.2.0/24, then I should be going out 192.168.1.1 to get the website. But, for some reason it's not doing that. I can see my machine querying the DNS server and see the response, but then I can't see anything about why it is not pulling up the page. To make matters worse, I'm in a different office and can't see the actual IE screen the user is getting.

Here's the NAT and routes

global (ISP1) 1 interface
global (ISP2) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ISP2) 0 access-list ISP2_nat0_outbound
nat (ISP2) 2 0.0.0.0 0.0.0.0

route ISP1 0.0.0.0 0.0.0.0 192.168.1.254 1
route ISP2 10.2.2.0 255.255.255.0 172.16.1.254 1
route ISP2 172.16.2.0 255.255.255.0 172.16.1.254 1


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan2
 nameif ISP1
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan12
 nameif ISP2
 security-level 0
 ip address 172.16.1.1 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list ISP1_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ISP2_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

5 Replies

jj27
Spotlight

Can you post your actual configuration? To me, without further info, you probably do not have the correct NAT setup for your internet routed traffic.

So is the user able to ping the DNS server?

Is the DNS request resolving and HTTP traffic is just not sent out the ISP1?

If you issue a nslookup google.com command from the PC, does this resolve correctly?

You say in your post that you want to send VPN out the first ISP and internet out the second ISP. Not sure if this is just wrong wording in relation to your configuration, but in your config you have set up internet out ISP1 and VPN out ISP2. Could you clarify this, please?

As mentioned by jjohnston please post a full running config (sanitised).

Also, just an observation, the nat0 is only applied in an inbound direction so the nat0 you have configured on the ISP2 interface is redundant and should be removed.  In addition to this, if you are not using the ISP2 for internet then the dynamic NAT you have configured for it is also not needed...unless this is also used as a backup link.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

abrrymnvette
Level 1

Here you go. Yes, they can query DNS and I can see DNS responding to the queries.

EDIT: Removed the config

Your config on this ASA looks fine, and considering you say you are resolving dns requests correctly is another sign it is ok.  Do you see anything in the logs that could be indicating there is a drop due to a configured rule or similar?

Good that the DNS server is responding to the query, but is that query reaching the host again?  Could be a misconfiguration on the remote end, doubtful, but worth checking also.


abrrymnvette
Level 1

Figured out the issue. I just needed a day to not look at it, and when I logged in the next morning it was staring me in the face. Problem was my NAT was incorrect. I was doing the NAT wrong.

Had to change: nat (inside) 1 0.0.0.0 0.0.0.0

TO: nat (inside) 2 0.0.0.0 0.0.0.0
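As an added illustration (not code from the thread or from Cisco), here is a small Python check of the pre-8.3 nat/global ID pairing the poster tripped over: it parses the nat and global lines from the first post and reports, for a chosen egress interface, whether each dynamic nat on inside has a global with the same ID on that interface. The egress interface is passed in explicitly rather than derived from the route table, because the thread's intended internet interface (ISP2) does not match the posted default route; the config text is a constructed sample copied from the post, plus the corrected nat line from the final reply.

```python
import re

# Constructed sample: the nat/global lines posted in the thread.
ORIGINAL_CFG = """
global (ISP1) 1 interface
global (ISP2) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ISP2) 0 access-list ISP2_nat0_outbound
nat (ISP2) 2 0.0.0.0 0.0.0.0
"""
# The same config with the change the poster ended up making.
FIXED_CFG = ORIGINAL_CFG.replace("nat (inside) 1 0.0.0.0 0.0.0.0",
                                 "nat (inside) 2 0.0.0.0 0.0.0.0")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")


def parse_nat_pairs(cfg):
    """Return two dicts keyed by (interface, id): nat statements and global pools."""
    nats, globals_ = {}, {}
    for raw in cfg.strip().splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return nats, globals_


def check_dynamic_nat(cfg, inside_if, egress_if):
    """For each dynamic nat (id != 0) on inside_if, report whether egress_if has a
    global with the same id. Without that pair, inside hosts have no translation
    on egress_if, which is the symptom described in the thread (DNS over the VPN
    worked via nat 0, plain internet traffic did not)."""
    nats, globals_ = parse_nat_pairs(cfg)
    result = {}
    for (ifname, nat_id), _spec in nats.items():
        # nat 0 is identity/exempt NAT and needs no global pool.
        if ifname != inside_if or nat_id == 0:
            continue
        result[nat_id] = (egress_if, nat_id) in globals_
    return result


if __name__ == "__main__":
    print("original, internet via ISP2:", check_dynamic_nat(ORIGINAL_CFG, "inside", "ISP2"))
    print("fixed, internet via ISP2:   ", check_dynamic_nat(FIXED_CFG, "inside", "ISP2"))
```

Run against the original lines with ISP2 as the egress, nat id 1 has no matching global; after the change to id 2 it pairs with `global (ISP2) 2 interface`.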
