Cisco Firewall :: ASA 5505 Split Traffic On Dual ISPs
Jul 31, 2012
I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balacing isn't supported, only failover. I was just wondering if there was a way to make this work.
I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
ASA 5510, SSM-10 1GB RAM ASA version 8.4(1) ASDM Version 6.4(3) Context Mode Single FW Mode Routed License Security Plus
What we are trying to accomplish here use two ISP's (one cable and one T1), use the Cable line for site-to-site VPN and use T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco AS 5510 port 0 -> port 1 to LAN switch (Nortel 5510)We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.
I want to link ASA 5505 to two ISP's for backup purpsose. I can see this configuration example here url...
Question - does the ASA 5505 do load balancing as well for both connections - is there an example somewhere? (I do not want to buy two ASA 5505's!) which seems the only way I could find configuration details for!
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
I am in the process of configuring a ASA 5510 to replace an older PIX. This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces. I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs. The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details. Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited). For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network. It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks.. Is there a way to get them both to operate ?
Network layout looks like this (IP ranges altered):
DMZ 22.214.171.124.0 Class C INTERNAL 10.0.0.0 Class C Outside 126.96.36.199 Class C Outside2 188.8.131.52 Class C
After applying it I could access the public IP (184.108.40.206) from the internal network, but I could no longer access the DMZ IP (220.127.116.11) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.
Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.
I am setting up an ASA550 ver 7.2(3) - does this need upgrading?I have my ISP interfaces setup as primary and backup I have a static route pointing out:route primary 0.0.0.0 0.0.0.0 18.104.22.168 1 Question:Do I put the next static route to be route secondary 0.0.0.0 0.0.0.0 22.214.171.124 254 Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISP's
We got 2 ISPs -------> two ASA 5520 Primary / secondary --------> LAN . ASA is configured with ACL and Static NAT for our mail , web & ftp servers .
My question is how to configure the 2nd ISP on the ASA to auto switch to the 2nd ISP when the 1st is down with a backup static NAT and backup ACL for the new ISP , in other words how to configure a active static NAT and Backup Static NAT and ACL only for Exchange/Mail Server.Here is the example of our configuration where PIE is Primary ISP & EMC is Backup ISP.
i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
My client is transitioning to a new ISP and want to migrate there web servers in stages. therefore they would like to keep some servers running on the old ISP and some servers use the new ISP.
I have set this up in a lab and keep running into routning issues (I am using 5510 for the lab as I do not have a 5505 available). I know that ASA's don't support PBR. Is there any way or trick to get this to work on the ASA?
I have a feeling this is not possible and we would need to get another ASA or a Router to get this to work.
I need to configure my asa as follows: Two active ISP´s, one(ISP1) for outbound traffic (normal internet traffic) and the other one for inbound traffic(ISP2), http to a web server in the inside network. I have two default routes, one pointing to ISP 1 with metric 1 and the other to ISP2 with metric 2. I perform dynamic nat to ISP1 interface with hosts in the inside network and static nat to ISP2 interface with web server.
I would like to configure a Cisco ASA 5505 with Dual ISP (ISP 1 and ISP2) and two networks (network 1 and network 2). My customer need that clients in the network 1 connect to Internet with ISP1 and clients in the network 2 connect with ISP2. If a failure occurs in ISP1 (just an example) the network 1 clients connect with ISP2.
Currentry all traffic is passing thru Outside2 and it's correct, also s2s and ra VPN is also running on Outside2 ?My current case is to use Outside1 for webvpn services only. I can't use Outside2 becouse on 443 port other services are running, also I cant change webvpn port to other.
How can I match packets incoming to interface Internet1 from Interner side nad route them back thru Internet1 interface.
IPSLA is not a good solution becouse I need to have both WAN links used Now in routing table I have only onre record
S* 0.0.0.0 0.0.0.0 [20/0] via x.x.x.x, INTERNET2
for link with lower metric, but after some problems with provider for link Internet2 routing has changed for Internet1 and didn't change it back after resolving problem? how to create it for all traffic incoming for Internet1 interface from outside?
I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the 0.0.0.0 0.0.0.0 126.96.36.199 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for thier internet browsing.
However, our FTP server, in the DMZ, completley loses outside access. It cannot ping to 188.8.131.52, or resolve DNS queries. The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]
I have a 5505 configured with a active/standby dual wan setup using the sla tracked connection settings. Is there a way to configure the ASA to stay on the backup connection after activating? We had a situation where the main T1 was bouncing, so the backup connection was being activated and deactivated very often. The problem is that there is an app being used that does not allow users to reconnect to dropped connections immediately, so every time the asa switches wan connections it causes a significant disruption.I should note that I already set monitor options frequency to 240 seconds. I could set it higher, but then we have a longer delay when the main connection dies.
I have a small office with about 20 people. I currently have a T1 line which feeds a Cisco ASA 5505. I would like to replace the T1 line with two (2) ADSL lines. I need a dual WAN switch/load balancer. I researched a bit and found that Cisco RV042 will probably work for me even though I don't need another VPN and would have to disable it.
My question: Is there anothe device from Cisco or others which will give me the dual WAN and load balancing but not the VPN piece. My assumption is that it would be a less expensive device if such an animal exists.
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
These seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
I have a Cisco 2911 Router and I need to split the traffic from my Lan (Gi0 / 0) by ISP1 (fa0 / 0) and that of my servers (Gi/0/0) by ISP2 (fa0 / 1). [code]My problem comes when wanting to communicate with my remote networks that reach the int Gi 0/1, because when my network to match the policy- route internet sends me all the way.
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with it's capabilities to act as a DHCP server (it's not an option in the ASDM) or it's ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of it's interfaces are used as well).
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set it's default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I dont' just connect the two swtiches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why i can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP
I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1. I am having an issue where the users on the network are not able to use the internet when using the following config:
! interface GigabitEthernet0/0.10 description Data encapsulation dot1Q 50
I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work. Error message from the Syslog deny tcp src 192.168.50.5/1825 dst 184.108.40.206/21 by access-group "dmz_access_in".I try a couple of ways to fix it but no luck.A partial config of my ASA 5505. [code]
We have a BT Infinity broadband circuit which terminates at a vdsl modem, I've plugged an ASA 5505 into the back of this modem and gone through the ADSM quick setup wizard (yes I'm that much of a beginner!) The config that's been generated is pasted below, the symptomns I'm seeing are;
The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no repsonses.
The ASA can ping it's external IP, the client machines can ping it's internal, however nothing appears to be able to get out.
ASA Version 8.4(1) ! hostname xxxxxx enable password xxxxxx encrypted
I have an ASA 5505 configured using easy VPN connecting to our corporate ASA. The ASA5505 is configured for network extension mode with a routable subnet. The clients that hang off the ASA 5505 are DHCP and get their IP address and DNS settings from the ASA 5505. I have a split tunnel setup, so only certain networks go over the tunnel back to corporate. Local Internet browsing goes out the ASA 5505 to the ISP.
My questions is how to setup split-dns. i would like to have my clients query the ISP's DNS servers for Internet based websites and when they need to access the exchange server the query goes to our corporate DNS servers. I see a setting for DNS names under the group policy on the corporate ASA, but how does the client know which DNS server to use?
The clients receive a primary DNS server (ISP) and a secondary (Corporate DNS) from the ASA5505.
We have 110mbps internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at?As an aside, we used to have 50mbps wich worked fine, then the ISP upgraded to 60mbps and the through put dropped to 30mbps (It always seems to be half)