Cisco VPN :: ASA 5510 With Dual ISPs Split Traffic Between VPNs And Internet
Jul 1, 2011
I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
ASA 5510, SSM-10 1GB RAM
ASA version 8.4(1)
ASDM Version 6.4(3)
Context Mode Single
FW Mode Routed
License Security Plus
What we are trying to accomplish here use two ISP's (one cable and one T1), use the Cable line for site-to-site VPN and use T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco AS 5510 port 0 -> port 1 to LAN switch (Nortel 5510)We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.
I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balacing isn't supported, only failover. I was just wondering if there was a way to make this work.
I am in the process of configuring a ASA 5510 to replace an older PIX. This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces. I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs. The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details. Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited). For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network. It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks.. Is there a way to get them both to operate ?
Network layout looks like this (IP ranges altered):
DMZ 172.10.0.0.0 Class C INTERNAL 10.0.0.0 Class C Outside 1.2.3.0 Class C Outside2 2.3.4.0 Class C
[code]....
After applying it I could access the public IP (1.2.3.50) from the internal network, but I could no longer access the DMZ IP (172.10.0.2) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.
I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for thier internet browsing.
However, our FTP server, in the DMZ, completley loses outside access. It cannot ping to 8.8.8.8, or resolve DNS queries. The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]
I have a remote VPN with split tunnelling enabled. Currently, users connected to this VPN browses internet with his/her internet connection. Now, my requirement is that a roaming user connecting to the vpn must use our company's internet connection for his browsing purposes. How can I do this?Equipment we are using: ASA 5510
Is it possible to configure remote access (IPSEC client) to force all traffic through the tunnel (no split tunnel) yet still limit the internal hosts that can be accessed?
I have been asked to provide remote access (via ASA5510) with the following requirements:
- the client should have unrestricted internet access via the ASA (the source address will appear to be the outside interface of the ASA)
- the client should have access to only two internal hosts (192.168.10.10 and 192.168.44.10)
Is there a way to limit access to those two internal hosts, while still providing secured internet access? The only way I can see is to use an access list on another device (for example our core switch).
We got 2 ISPs -------> two ASA 5520 Primary / secondary --------> LAN . ASA is configured with ACL and Static NAT for our mail , web & ftp servers .
My question is how to configure the 2nd ISP on the ASA to auto switch to the 2nd ISP when the 1st is down with a backup static NAT and backup ACL for the new ISP , in other words how to configure a active static NAT and Backup Static NAT and ACL only for Exchange/Mail Server.Here is the example of our configuration where PIE is Primary ISP & EMC is Backup ISP.
I've been searching the net for days now trying to configure the ASA5505 for dual DHCP ISP use. All guides available assume you have one static.
After realizing that it required a Security Plus license to even configure 3 VLANs.
I can choose a backup interface in ASDM. It even says dual ISP enabled. Why cant there be a guide or simple configuration example or am I the only one looking for this kind of solution?
Customer has two ADSL internet connections and want to switch between them if they fail. No load balancing required.
ISP1 (Our IP = 30.100.150.50, gateway 30.100.150.8) ISP2 (Our IP = dynamic, gateway 20.100.150.9) - ADSL Our internal LAN IP range is 10.9.8.0/24
We want to configure the ASA 5505 to allow users via ISP2 for http traffic We then want to use ISP1 for strictly VPN and access to internal web resources (eg OWA) as we have public IP's there.
Our idea was to configure two gateways on the ASA (e.g. 10.9.8.5 via ISP2 and 10.9.8.6 via ISP1)
Then give the users gateway 10.9.8.5 for web browsing etc Is this configuration possible on the ASA 5505?
I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
I want to link ASA 5505 to two ISP's for backup purpsose. I can see this configuration example here url...
Question - does the ASA 5505 do load balancing as well for both connections - is there an example somewhere? (I do not want to buy two ASA 5505's!) which seems the only way I could find configuration details for!
Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config.
i have two public IPs on ASA5510 + Remote Access VPN Client, what i want to achieve is, i want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. what is the command to use to achieve this.
Secondly, i have setup the primary link VPN through ASDM but thinking i should do the same thing and add the "backup" interface.
I am setting up an ASA550 ver 7.2(3) - does this need upgrading?I have my ISP interfaces setup as primary and backup I have a static route pointing out:route primary 0.0.0.0 0.0.0.0 1.2.3.4 1 Question:Do I put the next static route to be route secondary 0.0.0.0 0.0.0.0 3.4.5.6 254 Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISP's
I have been endlessly searching around online, and trying things on the firewall, and cant seem to find an answer to this problem. Its probably something really simple right under my nose! I am using an ASA 5510, which currently has a few seperate site-to-site VPN connections configured, which connect to other Cisco devices on clients networks.
I work from home, so also connect to our network using Remote Access VPN (any connect) to connect to the network at the data centre.
Just to be clear, here is my amazingly drawn network diagram:
[[my house]]-------------- <any connect VPN>------------[[ASA 5510 / Data centre]]-----------<site-to-site>-----------------[[Client network]]
The problem I am having, is that I cannot connect directly from my house to the client network, I need to RDP into some server in the data center, then from there I can see the Clients network. Is there routing to be setup somewhere? between VPN's? Ive looked into the routing options on the firewall and cant seem to find anything that works. I've searched for this and cant find answers, even some sources saying its impossible.
Currently we have a T1 for data connected to a 1721 Router that is connected to an ASA 5510. We would like to add a FIOS line for dedicated online backup. Is it possible to connect the FIOS router to the ASA and route the IP from our backup server to use the FIOS line and everyone else continue to use the T1?
I would like to create two site-to-site VPNs, one for data and one for VoIP, between the same sites. One end is an ASA 5510 and the other is a third party firewall. Is this possible if I use different sets of IP addresses for each tunnel?
I have a Cisco 2911 Router and I need to split the traffic from my Lan (Gi0 / 0) by ISP1 (fa0 / 0) and that of my servers (Gi/0/0) by ISP2 (fa0 / 1). [code]My problem comes when wanting to communicate with my remote networks that reach the int Gi 0/1, because when my network to match the policy- route internet sends me all the way.
We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from 172.16.3.251 to 1.1.1.1 we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside 172.16.3.251 /37166 dst outside:1.1.1.1/23
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?
I am having a strange requirement. actually I am not sure it is strange or not. I am having ASA5510 with 8.4 sw version. Currently one ISP is connected to it. It is working fine. We have some servers that are directly connected to internet using another ISP connection. These servers having public IP addresses configured on their LAN settings. I need to move these servers in to the DMZ zone.
When i connect it to the ASA's DMZ zone,servers will get internet through the first ISP that is already configured on ASA. But i need to NAT the DMZ servers with the IP address provided by the other ISP, which even not configured on ASA.
So what should i do? In short my requirement is
1) need to NAT the server with the IP address provided by another ISP
2) Also note that the default route is configured for the first ISP only in ASA
so Do i need to configure another default route? Do i need to make it with larger AD? So i do it will act as the secondary route only.
I need to make the ASA up and running for two ISP, and servers in the LAN should be able to NAT with the IPs of first ISP and ,the servers in the DMZ zone should be able to NAT with the public IP of the new ISP.
I have ASA5510 with PLUSE License.I have 2 Inside interfaces as STAFF and MAIL and two Outside interface OUT_STAFF and OUT_MAIL which is in separate ISP's.now i want to nat STAFF to OUT_STAFF and MAIL to OUT_MAILbecause I'm having two default routes it gets impossible to do.
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
I have a 5510 with me. I want to terminate two Internet links on that. The primary Internet Leased Line to access my DC network using Site-to-Site VPN, and the secondary ADSL connection to access my other location network via VPN and and for web browsing. How can I achieve these goals.
I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1. I am having an issue where the users on the network are not able to use the internet when using the following config:
! interface GigabitEthernet0/0.10 description Data encapsulation dot1Q 50
We have plans for multiple ISPs and need to pick the correct device/architecture for that. single site: 3 ethernet hand offs (1 From ATT Fiber/10Mb pipe via their managed router, another one from ATT via Copper T1 via a separate circuit & managed router and the 3rd/last from Cable Modem/Comcast)
1.WAN hand off from another ISP from I will use ASA 5510 (already have) to use all the above 4 as inputs and then use the internal interface of the ASA 5510 as the default gateway for all the employees to browse the internet etc. so that1. If one one or more of the ISP lines die, we continue to operate (albeit lower bandwidth)
2. Also, we take advantage of the added bandwidth (even though it may not be the arithmetic sum of all the above).
I have a ASA 5510 configured for IPSec remote access VPN.It works nicely and can see the private LAN behind the ASA.My problem is that I have other networks connected to this ASA via site-to-site tunnels that I would like to open up to remote access.
I have added these networks to the split-tunneling ACL's and added NAT exemptions for those networks.This doesn't seem to work.
(ASA5510, ASA version 8.2(3)) I have set up split tunneling for one of our suppliers. When testing the setup the local computer with the VPN Client connects to the dedicated services it has access to behind the ASA, and the local computer can ping any computer on the local LAN and it can also access the internet and webpages on the local network
But the supplier complaints that he cannot run a local Navision session on the remote computer while connected to the VPN tunnel. I am not able to run a test that mirrors this.
I have followed the descriptions in document ID: 70917 in setting up the split tunneling, and as far as I can see, the setup works. But is there any restrictions laid on the local computer running the VPN Client in what services on the local network it can connect to?
I've set up a remote access group for Anyconnect on a 5510 running 8.4.5. Our company security policy prohibits split tunneling, but this particular location has no internal DNS (so I have to use a public DNS like google or something). How do I get this to work, I'm assuming I need to do a NAT exemption but I'm not sure how this would look, especially under 8.4.5.
We are using an ASA 5510 as our gateway to our ISP. All of our VOIP traffic is sent to an Internet SIP provider for our outbound calls. Our pipe to the Internet is 100Mbps metro ethernet. I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VOIP traffic.From what I've been able to figure out so far I would use a combination of priority queues and traffic policing. However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to because it is the ISP device. I could police traffic on the inside interface of the ASA. However, lets say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection. I could police this incoming (from the Internet) traffic on my outside interface of the firewall. This would drop the packets but the bandwidth would have already been used by the time it reaches my firewall.Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped? Would this achieve my goal of guaranteeing available bandwidth for my VOIP traffic by not allowing other traffic to saturate the link?Most documents I find regarding this topic describe providing QoS for VOIP traffic traversing a VPN connection in which case you could configure both end devices.
We have Cisco ASA 5510 256RAM running 8.2.4 with CSC 6.3.1172.4, it slows down internet traffics drastically when we do speed test, we get something like this, It the computer is bypassing the CSC, it gets This was done when there's very low traffic on the LAN and CPU is low usage on the CSC. The CSC has been re-imaged also but still doesn't solve the problem.