12-15-2011 04:03 AM - edited 03-04-2019 02:38 PM
Hello,
I have one ASA 5510, a primary ISP (cable, the single public IP lives on the ASA), and a backup ISP (ADSL, separate router that hosts its single public IP).
I use IP tracking to detect link down on the primary. When I pull the plug on the cable modem and go to "Route monitoring", I can see the ASA's default route is now the backup ISP default route. That conforms to http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#new
Pings to 8.8.8.8 fail however, and when I do a packet trace the ASA complains about the dynamic nat rule that still points to the primary ISP's interface.
Only when I change the existing dynamic NAT rule (on my inside interface) to use the backup ISP's pool (which is a single 192.168.x.y address), does 8.8.8.8 reply to my pings.
So it kinda works, but it's not fully automatic.
What am I doing wrong? I can't add a second dynamic NAT rule on the same inside interface, nor can I select 2 IP pools in a single dynamic NAT rule.
thx
Ward
12-15-2011 04:09 AM
Hi,
"I can't add a second dynamic nat rule on the same inside interface, nor can I select 2 IP pools in a single dynamic nat rule."
Is it a question or a fact? How is the ASA connected to the router?
Post your topology and config.
Regards.
Alain
12-15-2011 05:52 AM
No, it is a fact: I can't.
My interfaces:
The primary ISP:
connected on if0
IP address is "Outside_IP"
cable modem plugged directly into if0, frozen DHCP address, default route tracking enabled.
Backup ISP:
connected to if3
IP address is "Backup_IP"
ISP's router is connected directly to if3, router hosts fixed IP address.
Inside:
connected to if1
Telindus router (of no concern here, at least I think not)
connected to if2
thx
: Saved
:
ASA Version 8.0(4)
!
hostname asa5510
domain-name xxxx.local
!
interface Ethernet0/0
mac-address 0003.e300.6f2d
nameif Outside
security-level 0
dhcp client route track 4
ip address dhcp setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address xxxxxxxxxxxxx 255.255.255.0
!
interface Ethernet0/2
nameif TO_TELINDUS_RTR
security-level 100
ip address xxxxxxxxxxxxx 255.255.255.0
!
interface Ethernet0/3
nameif Backup
security-level 0
ip address xxxxxxxxxxxxxx 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address xxxxxxxxxxxxxx 255.255.255.0
management-only
!
regex yahoomail "[Yy][Aa][Hh][Oo][Oo][Mm][Aa][Ii][Ll]"
regex Gmail "[Gg][Mm][Aa][Ii][Ll]"
regex hotmail "[Hh][Oo][Tt][Mm][Aa][Ii][Ll]"
!
time-range weekdagen
periodic weekdays 7:00 to 18:59
!
time-range werkuren
periodic daily 8:00 to 12:00
periodic daily 13:00 to 18:00
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server xxxxxxxx
name-server xxxxxxxx
name-server xxxxxxxxxxx
name-server xxxxxxxxxxxxxx
domain-name xxxxxxxxxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
access-list acl-split-tun extended permit ip object-group DM_INLINE_NETWORK_1 xxxxxxxxxxxxxx 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_3
access-list Outside_access_in extended permit tcp any host Outside_IP object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit ip xxxxxxxxxxxxxx 255.255.255.0 any
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in extended permit tcp host xxxxxx object-group socialnetworks object-group DM_INLINE_TCP_3
access-list Inside_access_in remark facebook, twitter, netlog
access-list Inside_access_in extended deny tcp any object-group socialnetworks object-group DM_INLINE_TCP_2 time-range werkuren
access-list Inside_access_in extended deny ip any object-group DM_INLINE_NETWORK_5
access-list Inside_access_in extended deny ip object-group xxxxxxxxxxxxxx any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list TO_TELINDUS_RTR_access_in extended permit ip any any log notifications
access-list global_mpc extended permit object-group DM_INLINE_SERVICE_1 Voip_Centrale-network 255.255.255.0 object-group DM_INLINE_NETWORK_9
access-list Outside_nat_outbound_1 extended permit ip xxxxxxxxxx 255.255.255.0 object-group DM_INLINE_NETWORK_10
access-list TO_TELINDUS_RTR_nat0_outbound extended permit ip any any
access-list Backup_access_in extended permit tcp any host Backup_IP object-group DM_INLINE_TCP_4
pager lines 24
logging enable
logging timestamp
logging list linkdown message 622001
logging buffered warnings
logging trap informational
logging asdm debugging
logging mail linkdown
logging from-address xxxxxxxxxxxxxx
logging recipient-address xxxxxxxxxxxxxxx level informational
logging recipient-address xxxxxxxxxxxxxxxx level errors
logging host Inside xxxxxxxxxxxxxx
mtu Outside 1500
mtu Inside 1500
mtu TO_TELINDUS_RTR 1500
mtu Backup 1500
mtu management 1500
ip local pool dealer xxxxxxxxxx-xxxxxxxxxxxxx mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (Outside) 2 interface
global (Inside) 1 interface
global (TO_TELINDUS_RTR) 3 interface
global (Backup) 4 interface
nat (Outside) 2 access-list Outside_nat_outbound_1
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 0.0.0.0 0.0.0.0
nat (TO_TELINDUS_RTR) 0 access-list TO_TELINDUS_RTR_nat0_outbound
alias (Inside) xxxxxxxxxxxx Outside_IP 255.255.255.255
static (Inside,Outside) tcp interface smtp xxxxxxxxxxx smtp netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface pop3 xxxxxxxxxxxxx pop3 netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface 7777 xxxxxxxxxxxxxxxx 7777 netmask 255.255.255.255
static (Inside,Outside) tcp interface 5910 xxxxxxxxxxxxxxxxxxx 5910 netmask 255.255.255.255
static (Inside,Outside) tcp interface 5900 xxxxxxxxxxxxxxx 5900 netmask 255.255.255.255
static (Inside,Outside) tcp interface ftp xxxxxxxxxxxxxxxxx ftp netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface ftp-data xxxxxxxxxxxxxx ftp-data netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface https xxxxxxxxxxxxx https netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group TO_TELINDUS_RTR_access_in in interface TO_TELINDUS_RTR
access-group Backup_access_in in interface Backup
route TO_TELINDUS_RTR xxxxxxxxxxxxxx 255.255.255.0 xxxxxxx 1 track 1
route TO_TELINDUS_RTR xxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxx track 2
route TO_TELINDUS_RTR xxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1 track 3
route Backup 0.0.0.0 0.0.0.0 192.168.48.1 2
route Inside xxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1
route Inside xxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1
route Inside xxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxx 1
route TO_TELINDUS_RTR xxxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1
route TO_TELINDUS_RTR xxxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1
route TO_TELINDUS_RTR xxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxxxxxx 1
route TO_TELINDUS_RTR xxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record Telindus_Test
webvpn
url-list value xxxxxxxxxxx_Internal
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value xxxxx_Internal
svc ask enable default webvpn
dynamic-access-policy-record xxxxx_accept_policy
webvpn
url-list value xxxxx_Internal
svc ask enable default webvpn
dynamic-access-policy-record xxxxx_deny_policy
action terminate
aaa-server xxxxx_AD protocol nt
aaa-server xxxxx_AD (Inside) host svr-mail4
nt-auth-domain-controller xxxxxxxxxxxxxxxx
aaa-server xxxxx_LDAP protocol ldap
aaa-server xxxxx_LDAP (Inside) host xxxxxxxxxxxxxxxx.local
ldap-base-dn ou=xxxxxxxxxxx,dc=xxxxxxxxxxx,dc=local
ldap-scope subtree
ldap-naming-attribute samaccountname
ldap-login-password *
ldap-login-dn cn=xxxxxxxxxx,ou=xxxxxxxxxxxxxxxxx,ou=xxxxxxxxxxx,ou=xxxxxxxxxxx,dc=xxxxxxxxxxxxx,dc=local
server-type microsoft
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http xxxxxxxxxxxxx 255.255.255.255 Inside
http xxxxxxxxxxxxxxx 255.255.255.255 Outside
http xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
http xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
http xxxxxxxxxxxxxxxx 255.255.255.255 Outside
http xxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
http xxxxxxxxxxxxxxxxxx 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Inside
http xxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 TO_TELINDUS_RTR
http xxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 TO_TELINDUS_RTR
snmp-server host TO_TELINDUS_RTR xxxxxxxxxxxxx poll community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho xxxxxxxxxxxxxxxxxx interface TO_TELINDUS_RTR
frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho xxxxxxxxxxxxxxx interface TO_TELINDUS_RTR
frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
type echo protocol ipIcmpEcho xxxxxxxxxxxx interface TO_TELINDUS_RTR
frequency 5
sla monitor schedule 3 life forever start-time now
sla monitor 4
type echo protocol ipIcmpEcho GoogleDNS interface Outside
sla monitor schedule 4 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer xxxxxxxxxxxxx
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa5510
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
telnet timeout 5
ssh xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
ssh xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
ssh xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
ssh xxxxxxxxxxxxxxxx 255.255.255.255 Outside
ssh xxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside
ssh xxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Inside
ssh xxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Inside
ssh 0.0.0.0 0.0.0.0 Inside
ssh xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside
dhcpd address xxxxxx-xxxxxxxxxxxxxxxxxxxxx management
dhcpd enable management
!
priority-queue Outside
priority-queue TO_TELINDUS_RTR
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 195.130.132.18 source Outside prefer
webvpn
port 9999
enable Outside
enable Inside
dtls port 9999
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy xxxxx-usr internal
group-policy xxxxx-usr attributes
dns-server value xxxxx.10.35
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-split-tun
group-policy xxxxxxxxxxxxxx_Policy internal
group-policy xxxxxxxxxxxxxx_Policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
customization value xxxxx_Customization
auto-signon allow ip xxxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all
auto-signon allow ip xxxxxxxxxxxxxx 255.255.255.255 auth-type all
auto-signon allow ip xxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all
auto-signon allow ip xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all
tunnel-group xxxxxxxxxxxxxxxxx type remote-access
tunnel-group xxxxxxxxxxxxxxxxxxxx general-attributes
address-pool dealer
default-group-policy xxxxxxxxxxxxxxxxxx
tunnel-group xxxxxxxxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
tunnel-group xxxxxxxxxxxxxx type remote-access
tunnel-group xxxxxxxxxxxxxx general-attributes
authentication-server-group xxxxx_LDAP
default-group-policy xxxxxxxxxxxxxx_Policy
tunnel-group xxxxxxxxxxxxxx webvpn-attributes
customization xxxxxxxxxxxxxxxx_Customization
group-url xxxxxxxxxxxxxxxxxx enable
group-url xxxxxxxxxxxxxxxxxxx enable
group-url xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx enable
tunnel-group Telindus type remote-access
tunnel-group Telindus general-attributes
default-group-policy xxxxxxxxxxxxxx_Policy
tunnel-group Telindus webvpn-attributes
customization xxxxx_Customization
group-url xxxxxxxxxxxxxxxxxxxxx/telindus enable
group-url xxxxxxxxxxxxxxxxxxx/telindus enable
tunnel-group xxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
!
class-map global-voice-class
match access-list global_mpc
class-map type inspect http match-all asdm_medium_security_methods
match not request method post
match not request method head
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
class-map type regex match-any URL_expressions
match regex yahoomail
match regex _default_yahoo-messenger
match regex hotmail
match regex Gmail
class-map Inside-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http xxxxx_url_inspection
parameters
protocol-violation action drop-connection
match request uri regex class URL_expressions
log
policy-map global_policy
description VOICE
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class global-voice-class
priority
policy-map type inspect im Messenger_Inspection
parameters
match protocol msn-im yahoo-im
drop-connection log
!
service-policy global_policy global
smtp-server xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
12-15-2011 07:00 AM
Hi,
1) Can you try:
nat (inside) 4 0.0.0.0 0.0.0.0
2)
Default route tracking enabled on Outside: where is it?
3) Why did you do this?
global (Inside) 1 interface
Regards.
Alain
12-15-2011 07:21 AM
1) This is what the console says:
Result of the command: "nat (inside) 4 0.0.0.0 0.0.0.0"
Duplicate NAT entry
2)
3) Not sure, possibly something I didn't clean up after trying to do DNS doctoring on a PAT interface?
Can I remove that command safely ?
thx
Ward
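As an added illustration (not from the thread, and not the poster's eventual fix), the pre-8.3 way to let one `nat (Inside)` statement translate out either ISP is to bind both egress interface globals to the same NAT ID: the ASA picks the global whose interface matches the route it selected, so the translation follows the tracked default route. Interface names and NAT ID 2 are taken from the posted config; the inside host address in the packet-tracer line is a constructed sample.

```cisco
! Added example, not the poster's config. Assumes the interface names
! (Inside, Outside, Backup) and NAT ID 2 exactly as in the posted config.
!
! The Backup global uses ID 4, and a second "nat (Inside) <id> 0.0.0.0 0.0.0.0"
! for the same inside range is rejected as "Duplicate NAT entry" whatever the ID.
! So instead of a new nat statement, move the Backup global onto ID 2.
no global (Backup) 4 interface
!
! Both egress interfaces now share the NAT ID the Inside hosts already use;
! routing decides which one is hit, NAT just follows.
global (Outside) 2 interface
global (Backup) 2 interface
nat (Inside) 2 0.0.0.0 0.0.0.0
!
! Translations built while Outside was up still point at Outside. Clearing them
! tears down those sessions, but new ones re-evaluate against the current route.
clear xlate
!
! Verify without unplugging anything: trace an inside host's echo request
! (192.168.1.10 is a constructed sample) and check which interface and global
! the NAT phase selects, then compare with the active default route.
packet-tracer input Inside icmp 192.168.1.10 8 0 8.8.8.8
show route
show xlate
```

Running the packet-tracer once with the cable modem up and once with it unplugged should show the NAT phase switching from Outside to Backup on its own.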