Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Transferring to Another ISP - ASA 5510

I am trying to figure out how to migrate from one ISP to another ISP using the ASA 5510.

The first phase is to get outbound traffic to use the new ISP (faster) followed later by changing all of the NAT/Access Rules to the new DNS IP addresses.  I am not looking for redundancy/failover. Just enough time to get all of the old DNS records changed to the new range and not have any down time.  This is still something common enough, yet I cannot find any directions on how to handle this.  Searching, I found directions for failover but that is really not what I am doing?. 

I will try and explain my setup. Please let me know what additional information you need to help.

Currently I have the existing ISP on Eth0/0 named Outside using NAT translation for our internal network. I connected the New ISP to Eth0/3 and named it Outside2. Assigned it the address provided per the information provided by the ISP(customer layer 3 device). The security level is 0 on both devices (I enabled Enable traffic between interfaces with the same security level). 

I then created a static route for Outside2 using the gateway IP address provided by the new ISP. I then added a dynamic NAT rule assigned to the Interface inside with the source Outside2-Network and pointed it to the Outside NAT. Last added Outside2 access-list for both in and out.


access-list Outside2_access_in line 1 extended permit ip any any
access-list outside2_access_out line 1 extended permit ip any any

 

To test I change the metric/distance on Outside and Outside2 so that Outside2 is first (1). This is when things break. I cannot get outside to any address. 

I am mostly doing this through the ASDM GUI as I am not a fluent in the command lines.

What am I missing to get this part working.

4 REPLIES

Hello, Did you make sure

Hello,

 

Did you make sure before the switchover you were able to ping the ISP gateway over the secondary link?

 

Do you have the NAT in place for the secondary link?

 

So you are looking for ISP failover instead of removing the first one and using the second one right?

I will be able to help on this directly, you can contact me at skype by julio.17.cr

Regards,

 

Jcarvaja

CCIE 42930

 

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Hello Julio,Yes, I am able to

Hello Julio,

Yes, I am able to ping the ISP gateway via the Outside2 interface. I am unable to ping any other address however.

I am not sure if I have the NAT setup correctly for the secondary link. I am guess that is the issue. I read up that I am suppose to have a dynamic NAT for the new interface (Outside2) but what I managed did not work.

Phase 1 is simply to get the Outside2 interface to work for outgoing traffic WITHOUT interfering with inbound traffic on the original Outside interface. I have not yet made all of the DNS or NAT entries for inbound traffic.

 

Thanks,

New Member

Is are the real-time logs

Here are the real-time logs when I ping the gateway address. It is successful.  However if I ping say the new ISPs DNS (75.75.75.75) it fails. Maybe the screenshot will help.

Really would like to get this corrected before office hours on Monday. I know this is probably something simple that I am missing,

 

Thanks,

New Member

Some additional information

Some additional information that may help find a solution to this problem.

 

access-list inside_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.248.0 192.168.0.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

 

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 c.c.c.c 255.255.255.248 ( This is the P2P IP for the Layer 3 Device. IP provided by new ISP)


access-group out_acc_in in interface outside
access-group Outside2_access_in in interface Outside2

route outside 0.0.0.0 0.0.0.0 a.a.a.a 1 (gateway address provided by existing ISP)
route Outside2 0.0.0.0 0.0.0.0 b.b.b.b 2 (gateway address provided by new ISP)
 

Gateway of last resort is b.b.b.b to network 0.0.0.0


C    d.d.d.d 255.255.255.248 is directly connected, Outside2 (Device IP (P2P) address provided by new ISP)
C    a.a.a.a 255.255.255.248 is directly connected, outside (Device IP (P2P) address provided by existing ISP)

S    192.168.8.0 255.255.254.0 [1/0] via a.a.a.a, outside  (gateway address provided by existing ISP)
S*   0.0.0.0 0.0.0.0 [1/0] via a.a.a.a,   outside  (gateway address provided by existing ISP) - Why only one Static Route when using Show Route?


 

129
Views
0
Helpful
4
Replies