Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
4
Replies

backup isp requires changed dynamic rule

kingalbert2
Level 1
Level 1

‎12-15-2011 04:03 AM - edited ‎03-04-2019 02:38 PM

Hello,

I have one ASA 5510, a primary ISP (cable, the single public IP lives on the ASA), and a backup ISP (ADSL, separate router that hosts its single public IP).

I use IP tracking to detect link down on the primary. When I pull the plug on the cable modem and go to "Route monitoring", I can see the ASA's default route is now the backup ISP default route. That conforms with http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#new

Pings to 8.8.8.8 fail however, and when I do a packet trace the ASA complains about the dynamic nat rule that still points to the primary ISP's interface.

Only when I change the existing dynamic NAT rule (on my inside interface) to use the backup ISP's pool (which is a single 192.168.x.y address) , does 8.8.8.8 reply to my pings.

So it kinda works but it's not full auto .

What am I doing wrong ?  I can't add a second dynamic nat rule on the same inside interface, nor can I select 2 IP pools in a single dynamic nat rule.

thx

Ward

Labels:
0 Helpful
4 Replies 4

cadet alain
VIP Alumni
VIP Alumni

‎12-15-2011 04:09 AM

Hi,

I can't add a second dynamic nat rule on the same inside interface, nor can I select 2 IP pools in a single dynamic nat

rule.

Is it a question or a fact ?  How is the ASA connected to the router?

Post your topology and config.

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful

kingalbert2
Level 1
Level 1
In response to cadet alain

‎12-15-2011 05:52 AM

No it is a fact : I can't.

My interfaces :

The primary ISP :

     connected on if0

     IP address is "Outside_IP"

     cable modem plugged directly into if0, frozen dhcp address, default route tracking enabled.

Backup ISP

     connected to if3

     IP address is "Backup_IP"

     ISP's router is connected directly to if3, router hosts fixed IP address.

Inside

     connected to if1

Telindus router (of no concern here, at least I think not)

     connected to if2

thx

: Saved

:

ASA Version 8.0(4)

!

hostname asa5510

domain-name xxxx.local

!

interface Ethernet0/0

mac-address 0003.e300.6f2d

nameif Outside

security-level 0

dhcp client route track 4

ip address dhcp setroute

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address xxxxxxxxxxxxx 255.255.255.0

!

interface Ethernet0/2

nameif TO_TELINDUS_RTR

security-level 100

ip address xxxxxxxxxxxxx 255.255.255.0

!

interface Ethernet0/3

nameif Backup

security-level 0

ip address xxxxxxxxxxxxxx 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address xxxxxxxxxxxxxx 255.255.255.0

management-only

!

regex yahoomail "[Yy][Aa][Hh][Oo][Oo][Mm][Aa][Ii][Ll]"

regex Gmail "[Gg][Mm][Aa][Ii][Ll]"

regex hotmail "[Hh][Oo][Tt][Mm][Aa][Ii][Ll]"

!

time-range weekdagen

periodic weekdays 7:00 to 18:59

!

time-range werkuren

periodic daily 8:00 to 12:00

periodic daily 13:00 to 18:00

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup Outside

dns domain-lookup Inside

dns domain-lookup management

dns server-group DefaultDNS

name-server xxxxxxxx

name-server xxxxxxxx

name-server xxxxxxxxxxx

name-server xxxxxxxxxxxxxx

domain-name xxxxxxxxxxx.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1

access-list acl-split-tun extended permit ip object-group DM_INLINE_NETWORK_1 xxxxxxxxxxxxxx 255.255.255.0

access-list Inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_3

access-list Outside_access_in extended permit tcp any host Outside_IP object-group DM_INLINE_TCP_1

access-list Outside_access_in extended permit ip xxxxxxxxxxxxxx 255.255.255.0 any

access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any eq smtp

access-list Inside_access_in extended deny tcp any any eq smtp

access-list Inside_access_in extended permit tcp host xxxxxx   object-group socialnetworks object-group DM_INLINE_TCP_3

access-list Inside_access_in remark facebook, twitter, netlog

access-list Inside_access_in extended deny tcp any object-group socialnetworks object-group DM_INLINE_TCP_2 time-range werkuren

access-list Inside_access_in extended deny ip any object-group DM_INLINE_NETWORK_5

access-list Inside_access_in extended deny ip object-group xxxxxxxxxxxxxx any

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended permit icmp any any

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8

access-list TO_TELINDUS_RTR_access_in extended permit ip any any log notifications

access-list global_mpc extended permit object-group DM_INLINE_SERVICE_1 Voip_Centrale-network 255.255.255.0 object-group DM_INLINE_NETWORK_9

access-list Outside_nat_outbound_1 extended permit ip xxxxxxxxxx 255.255.255.0 object-group DM_INLINE_NETWORK_10

access-list TO_TELINDUS_RTR_nat0_outbound extended permit ip any any

access-list Backup_access_in extended permit tcp any host Backup_IP object-group DM_INLINE_TCP_4

pager lines 24

logging enable

logging timestamp

logging list linkdown message 622001

logging buffered warnings

logging trap informational

logging asdm debugging

logging mail linkdown

logging from-address xxxxxxxxxxxxxx

logging recipient-address xxxxxxxxxxxxxxx level informational

logging recipient-address xxxxxxxxxxxxxxxx level errors

logging host Inside xxxxxxxxxxxxxx

mtu Outside 1500

mtu Inside 1500

mtu TO_TELINDUS_RTR 1500

mtu Backup 1500

mtu management 1500

ip local pool dealer xxxxxxxxxx-xxxxxxxxxxxxx mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (Outside) 2 interface

global (Inside) 1 interface

global (TO_TELINDUS_RTR) 3 interface

global (Backup) 4 interface

nat (Outside) 2 access-list Outside_nat_outbound_1

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 2 0.0.0.0 0.0.0.0

nat (TO_TELINDUS_RTR) 0 access-list TO_TELINDUS_RTR_nat0_outbound

alias (Inside) xxxxxxxxxxxx Outside_IP 255.255.255.255

static (Inside,Outside) tcp interface smtp xxxxxxxxxxx smtp netmask 255.255.255.255  dns

static (Inside,Outside) tcp interface pop3 xxxxxxxxxxxxx pop3 netmask 255.255.255.255  dns

static (Inside,Outside) tcp interface 7777 xxxxxxxxxxxxxxxx 7777 netmask 255.255.255.255

static (Inside,Outside) tcp interface 5910 xxxxxxxxxxxxxxxxxxx 5910 netmask 255.255.255.255

static (Inside,Outside) tcp interface 5900 xxxxxxxxxxxxxxx 5900 netmask 255.255.255.255

static (Inside,Outside) tcp interface ftp xxxxxxxxxxxxxxxxx ftp netmask 255.255.255.255  dns

static (Inside,Outside) tcp interface ftp-data xxxxxxxxxxxxxx ftp-data netmask 255.255.255.255  dns

static (Inside,Outside) tcp interface https xxxxxxxxxxxxx https netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

access-group TO_TELINDUS_RTR_access_in in interface TO_TELINDUS_RTR

access-group Backup_access_in in interface Backup

route TO_TELINDUS_RTR xxxxxxxxxxxxxx 255.255.255.0 xxxxxxx 1 track 1

route TO_TELINDUS_RTR xxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxx track 2

route TO_TELINDUS_RTR xxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1 track 3

route Backup 0.0.0.0 0.0.0.0 192.168.48.1 2

route Inside xxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1

route Inside xxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1

route Inside xxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxx 1

route TO_TELINDUS_RTR xxxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxx 1

route TO_TELINDUS_RTR xxxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1

route TO_TELINDUS_RTR xxxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxxxxxx 1

route TO_TELINDUS_RTR xxxxxxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxxxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record Telindus_Test

webvpn

  url-list value xxxxxxxxxxx_Internal

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value xxxxx_Internal

  svc ask enable default webvpn

dynamic-access-policy-record xxxxx_accept_policy

webvpn

  url-list value xxxxx_Internal

  svc ask enable default webvpn

dynamic-access-policy-record xxxxx_deny_policy

action terminate

aaa-server xxxxx_AD protocol nt

aaa-server xxxxx_AD (Inside) host svr-mail4

nt-auth-domain-controller xxxxxxxxxxxxxxxx

aaa-server xxxxx_LDAP protocol ldap

aaa-server xxxxx_LDAP (Inside) host xxxxxxxxxxxxxxxx.local

ldap-base-dn ou=xxxxxxxxxxx,dc=xxxxxxxxxxx,dc=local

ldap-scope subtree

ldap-naming-attribute samaccountname

ldap-login-password *

ldap-login-dn cn=xxxxxxxxxx,ou=xxxxxxxxxxxxxxxxx,ou=xxxxxxxxxxx,ou=xxxxxxxxxxx,dc=xxxxxxxxxxxxx,dc=local

server-type microsoft

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable 8443

http xxxxxxxxxxxxx 255.255.255.255 Inside

http xxxxxxxxxxxxxxx 255.255.255.255 Outside

http xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

http xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

http xxxxxxxxxxxxxxxx 255.255.255.255 Outside

http xxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

http xxxxxxxxxxxxxxxxxx 255.255.255.0 management

http 0.0.0.0 0.0.0.0 Inside

http xxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 TO_TELINDUS_RTR

http xxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 TO_TELINDUS_RTR

snmp-server host TO_TELINDUS_RTR xxxxxxxxxxxxx poll community public

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho xxxxxxxxxxxxxxxxxx interface TO_TELINDUS_RTR

frequency 5

sla monitor schedule 1 life forever start-time now

sla monitor 2

type echo protocol ipIcmpEcho xxxxxxxxxxxxxxx interface TO_TELINDUS_RTR

frequency 5

sla monitor schedule 2 life forever start-time now

sla monitor 3

type echo protocol ipIcmpEcho xxxxxxxxxxxx interface TO_TELINDUS_RTR

frequency 5

sla monitor schedule 3 life forever start-time now

sla monitor 4

type echo protocol ipIcmpEcho GoogleDNS interface Outside

sla monitor schedule 4 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs group1

crypto map Outside_map 1 set peer xxxxxxxxxxxxx

crypto map Outside_map 1 set transform-set ESP-AES-256-SHA

crypto map Outside_map 1 set security-association lifetime seconds 28800

crypto map Outside_map 1 set security-association lifetime kilobytes 4608000

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=asa5510

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate xxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  quit

crypto isakmp enable Outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 3 rtr 3 reachability

!

track 4 rtr 4 reachability

telnet timeout 5

ssh xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

ssh xxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

ssh xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

ssh xxxxxxxxxxxxxxxx 255.255.255.255 Outside

ssh xxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Outside

ssh xxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Inside

ssh xxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.255 Inside

ssh 0.0.0.0 0.0.0.0 Inside

ssh xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 255.255.255.0 management

ssh timeout 5

console timeout 0

dhcp-client client-id interface Outside

dhcpd address xxxxxx-xxxxxxxxxxxxxxxxxxxxx management

dhcpd enable management

!

priority-queue Outside

priority-queue TO_TELINDUS_RTR

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 195.130.132.18 source Outside prefer

webvpn

port 9999

enable Outside

enable Inside

dtls port 9999

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec svc

group-policy xxxxx-usr internal

group-policy xxxxx-usr attributes

dns-server value xxxxx.10.35

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value acl-split-tun

group-policy xxxxxxxxxxxxxx_Policy internal

group-policy xxxxxxxxxxxxxx_Policy attributes

vpn-tunnel-protocol svc webvpn

webvpn

  customization value xxxxx_Customization

  auto-signon allow ipxxxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all

  auto-signon allow ip xxxxxxxxxxxxxx 255.255.255.255 auth-type all

  auto-signon allow ip xxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all

  auto-signon allow ip xxxxxxxxxxxxxxxxxxxxx 255.255.255.255 auth-type all

tunnel-group xxxxxxxxxxxxxxxxx type remote-access

tunnel-group xxxxxxxxxxxxxxxxxxxx general-attributes

address-pool dealer

default-group-policy xxxxxxxxxxxxxxxxxx

tunnel-group xxxxxxxxxxxxxxxxxxx ipsec-attributes

pre-shared-key *

tunnel-group xxxxxxxxxxxxxx type remote-access

tunnel-group xxxxxxxxxxxxxx general-attributes

authentication-server-group xxxxx_LDAP

default-group-policy xxxxxxxxxxxxxx_Policy

tunnel-group xxxxxxxxxxxxxx webvpn-attributes

customization xxxxxxxxxxxxxxxx_Customization

group-url xxxxxxxxxxxxxxxxxx enable

group-url xxxxxxxxxxxxxxxxxxx enable

group-url xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx enable

tunnel-group Telindus type remote-access

tunnel-group Telindus general-attributes

default-group-policy xxxxxxxxxxxxxx_Policy

tunnel-group Telindus webvpn-attributes

customization xxxxx_Customization

group-url xxxxxxxxxxxxxxxxxxxxx/telindus enable

group-url xxxxxxxxxxxxxxxxxxx/telindus enable

tunnel-group xxxxxxxxxxxx type ipsec-l2l

tunnel-group xxxxxxxxxxxxxxxxxxx ipsec-attributes

pre-shared-key *

!

class-map global-voice-class

match access-list global_mpc

class-map type inspect http match-all asdm_medium_security_methods

match not request method post

match not request method head

match not request method get

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all asdm_high_security_methods

match not request method head

match not request method get

class-map type regex match-any URL_expressions

match regex yahoomail

match regex _default_yahoo-messenger

match regex hotmail

match regex Gmail

class-map Inside-class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect http xxxxx_url_inspection

parameters

  protocol-violation action drop-connection

match request uri regex class URL_expressions

  log

policy-map global_policy

description VOICE

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

class global-voice-class

  priority

policy-map type inspect im Messenger_Inspection

parameters

match protocol msn-im yahoo-im

  drop-connection log

!

service-policy global_policy global

smtp-server xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

prompt hostname context

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to kingalbert2

‎12-15-2011 07:00 AM

Hi,

1) can you try :

nat(inside) 4 0.0.0.0 0.0.0.0

2)

default route tracking enabled on Outside.  where is it ?

3) why did you do this ?

global (Inside) 1 interface

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful

kingalbert2
Level 1
Level 1
In response to cadet alain

‎12-15-2011 07:21 AM

1)  This is what de console says : 

Result of the command: "nat (inside) 4 0.0.0.0 0.0.0.0"

Duplicate NAT entry

2)

)

3) not sure, possibly something i didn't clean up after trying to do dns doctoring on a PAT interface ?
Can I remove that command safely ?

thx

Ward

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card