Cisco WAN :: ASA 5510 - NAT / Default Route To Two ISPs
Nov 14, 2011
I am having a strange requirement. actually I am not sure it is strange or not. I am having ASA5510 with 8.4 sw version. Currently one ISP is connected to it. It is working fine. We have some servers that are directly connected to internet using another ISP connection. These servers having public IP addresses configured on their LAN settings. I need to move these servers in to the DMZ zone.
When i connect it to the ASA's DMZ zone,servers will get internet through the first ISP that is already configured on ASA. But i need to NAT the DMZ servers with the IP address provided by the other ISP, which even not configured on ASA.
So what should i do? In short my requirement is
1) need to NAT the server with the IP address provided by another ISP
2) Also note that the default route is configured for the first ISP only in ASA
so Do i need to configure another default route? Do i need to make it with larger AD? So i do it will act as the secondary route only.
I need to make the ASA up and running for two ISP, and servers in the LAN should be able to NAT with the IPs of first ISP and ,the servers in the DMZ zone should be able to NAT with the public IP of the new ISP.
View 2 Replies
ADVERTISEMENT
Jun 24, 2011
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
View 1 Replies
View Related
Aug 12, 2012
I am having touble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utiluizes a physical interface on the ASA5510, but I need the interface for another project.
What I have is this:
Internet<----->ASA<-->router<-->4507(layer3)
| |
| |-Vlan1
[Code]......
View 1 Replies
View Related
Oct 30, 2011
Currently we have a T1 for data connected to a 1721 Router that is connected to an ASA 5510. We would like to add a FIOS line for dedicated online backup. Is it possible to connect the FIOS router to the ASA and route the IP from our backup server to use the FIOS line and everyone else continue to use the T1?
View 3 Replies
View Related
Oct 17, 2011
We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from 172.16.3.251 to 1.1.1.1 we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside
172.16.3.251 /37166 dst outside:1.1.1.1/23
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?
View 13 Replies
View Related
Jan 5, 2013
I have ASA5510 with PLUSE License.I have 2 Inside interfaces as STAFF and MAIL and two Outside interface OUT_STAFF and OUT_MAIL which is in separate ISP's.now i want to nat STAFF to OUT_STAFF and MAIL to OUT_MAILbecause I'm having two default routes it gets impossible to do.
View 1 Replies
View Related
Aug 25, 2011
What we are trying to accomplish here use two ISP's (one cable and one T1), use the Cable line for site-to-site VPN and use T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco AS 5510 port 0 -> port 1 to LAN switch (Nortel 5510)We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.
View 1 Replies
View Related
Apr 11, 2013
I am in the process of configuring a ASA 5510 to replace an older PIX. This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces. I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs. The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details. Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited). For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network. It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks.. Is there a way to get them both to operate ?
Network layout looks like this (IP ranges altered):
DMZ 172.10.0.0.0 Class C
INTERNAL 10.0.0.0 Class C
Outside 1.2.3.0 Class C
Outside2 2.3.4.0 Class C
[code]....
After applying it I could access the public IP (1.2.3.50) from the internal network, but I could no longer access the DMZ IP (172.10.0.2) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.
View 8 Replies
View Related
Apr 3, 2011
We have plans for multiple ISPs and need to pick the correct device/architecture for that. single site: 3 ethernet hand offs (1 From ATT Fiber/10Mb pipe via their managed router, another one from ATT via Copper T1 via a separate circuit & managed router and the 3rd/last from Cable Modem/Comcast)
1.WAN hand off from another ISP from I will use ASA 5510 (already have) to use all the above 4 as inputs and then use the internal interface of the ASA 5510 as the default gateway for all the employees to browse the internet etc. so that1. If one one or more of the ISP lines die, we continue to operate (albeit lower bandwidth)
2. Also, we take advantage of the added bandwidth (even though it may not be the arithmetic sum of all the above).
View 7 Replies
View Related
Jul 1, 2011
I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
ASA 5510, SSM-10 1GB RAM
ASA version 8.4(1)
ASDM Version 6.4(3)
Context Mode Single
FW Mode Routed
License Security Plus
View 5 Replies
View Related
Jul 1, 2012
I want to leak default internet route to CE VRF as common service.Since we having two ASBR, can I point next hop to PE itself instead of either of the ASBR?I tried to point NH to loopback of the PE itself but it failed.
View 6 Replies
View Related
Sep 3, 2011
I'm working on a practice lab and am having the following issue. I have a customer router connected to two different ISP routers. Each ISP router must advertise a default through BGP to the customer and one of the default routes must be preferred over the other. Given if the preferred route interface is shut down the other default route is inserted into the routing table and when the preferred default route interface it turned back on that path is used again. The catch is I cant alter the customer router only the the two ISP devices. I tried doing some route maps but I'm lost. I have deleted all my route maps and have posted the BGP portion of the ISP routers.
router bgp 300
no synchronization
bgp log-neighbor-changes
[Code]....
View 13 Replies
View Related
Jan 19, 2013
Looking through the SPROUTE course material they state on several occasions that an ABR will announce a default route in to a standard NSSA area, same as a stub area, because LSA5 external routes are not allowed.
View 8 Replies
View Related
Nov 14, 2011
Will ASA5510 support default route failover mechanism by giving two different AD value in the route outside command?
View 1 Replies
View Related
Feb 26, 2013
I bought a WRVS400N v2 to be used as an access point. Currently it is hooked up on my switch via a trunk port and is able to communicate with my gateway. Whenever I try to access an IP subnet other then the local IP address of the WRVS, I get a network unreachable error. To fix this for my local networks, I added the appropriate static route to cover my local LANs and that seems to work now. I tried to add route 0.0.0.0/0.0.0.0 using the web interface for internet access, but somehow it does not recognize this as a default route (quad zero!?). Does any know how I can set the default gateway in this router? Maybe, but hopefully not, I have to use the WAN port to create some kind of uplink and use one of the LAN ports to connect using the trunk port and route traffic for the clients over the WAN port .
View 1 Replies
View Related
Jun 5, 2013
I have an 877 router which has a DSL WAN interface. The DSL service at this site is unreliable, so the company have purchased a separate 3G router to be used as a backup. This device maintains 3G connectivity at all times and has a static IP on the internal subnet (for arguments sake let's say 10.0.0.253).
What I want to do with the Cisco router is to track the DSL interface and if it is up, install a default route pointing to it. If it is down, I want the default route to be the 3G router.
I am thinking the best way to do this is to set up a track and then set 2 default routes; one which is installed if the tracking is up, the other has a higher admin distance and points to the 3G router and thus should only be used if the track is down. For example:
track 10 interface Dialer0 ip routing
delay down 30 up 30
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
ip route 0.0.0.0 0.0.0.0 10.0.0.253 100
Is this likely to work or is there a better way to do it?
View 7 Replies
View Related
Feb 18, 2012
i have 2811 router can, i use the below image on it , i m thinking to run bgp with ISP to accept just default route.
View 1 Replies
View Related
Mar 18, 2012
Is it possible to send all traffic through site to site VPN using SRP521W (on the other site ASA) ? Lets say, traffic to Internet from branch through HQ - site to site VPN between branch and HQ. I've tried to set up destination crypto policy entry to 0.0.0.0 0.0.0.0 but it's not accepted. Firmware version is 1.01.26 (003)
View 4 Replies
View Related
Aug 16, 2012
In case customers buy IP transit(there is a BGP session between ISP and customer), they often ask for default route and for example prefixes from local internet-exchanges. What is the advantage to have default route + certain smaller(for example /17, /18 and /24) prefixes?
View 4 Replies
View Related
Nov 30, 2012
I have this topology: ( I use OSPF instead of EIGRP for routing between PE CE. The customer vrf name is cusA, they have 4 sites: CE from site 3 have 2 links to 2 PE ( one for backup). CE from site 3 has exist point to internet and how can i choice 1.1.1.2 is next-hop for default-route
View 2 Replies
View Related
May 8, 2011
My 2811 is connected with two ISP,s as below and have VPN with Central branch.I want to set DSL as primary and WiMax as secondary but problem is that routes learned via BGP get precedence over default route as they are specific one.I think i may need to put all static specific routes of central branch over DSL along defautl but I want any idea if my default route stay active and when it down then BGP neighborship can be establish (like ip sla tracking.)
View 3 Replies
View Related
Sep 5, 2012
I have a MPLS cloud in our data center. I want one network coming into our core router to have a different default route than the other networks coming in. I'm getting hits on the acl but the route isn't applied and goes to the default route that is configured in the router. I have other PBR for setting local-preferences and as-paths and they are working fine.
The router is a 7206 Version 12.4(11)T3
!
ip route 0.0.0.0 0.0.0.0 1.2.3.4
!
ip access-list extended 2nd_Default_Route
[Code].....
View 1 Replies
View Related
Jan 24, 2013
I have a Cisco 2960 ( WS-C2960-8TC-S) running 12.2(46)SE C2960-LANLITEK9-M image.I would like to set an ip route 0.0.0.0 0.0.0.0 87.101.156.97 but the current image does not allow.Will ip default-gateway 87.101.156.97 work or do I need ip routing ?The ISP has provided a /30 address and we are using an additional /29 for our network devices. I dont think this image can be upgraded. I need to forward routes directly out to ISP. [code]
View 5 Replies
View Related
Mar 18, 2013
We have a Nexus 7010 running version 6.1(2).
I'd like to use IP SLAs and object tracking to define static routes for specific source/destination traffic across some WAN links we have. I've done this in IOS and it's worked fantastically, but I've not found where/how to do this on the Nexus 7010 platform (or any Nexus platform) as of yet. I could have sworn that this was going to be introduced in the 6.x code? Below is an example of how we do this in the IOS world:
track 11 ip sla 1 reachability
delay down 15 up 15
ip sla 1
[Code]....
Esentially this gives us the option of using a "failover" default route. I've attached a basic diagram to explain what we are trying to do with IP SLAs and object checking. The tracking should be configured against an SLA that uses icmp and the static routes should be configured against the tracking.
View 3 Replies
View Related
Jul 27, 2010
IP SLA configuration fails over but cannot ping the 4.2.2.2 via Site B. Here is the output on Cisco 3750...
SW2#show runBuilding configuration...
Current configuration : 2901 bytes!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname SW2!boot-start-markerboot-end-marker!!!!no aaa
[Code].....
View 5 Replies
View Related
Aug 19, 2012
I'm working on a little OSPF setup in my lab and having a problem pinging out to the internet.I have a setup with (3) 3550's running ip routing. I'm configuring OSPF but I can't ping the internet from any L3 switch except the switch with the actual uplink to the internet.[code] From SW2 and SW3, I can ping SW1 on all IPs (192.168.1.90, 10.10.10.1, 10.10.10.5) but I can't ping 192.168.1.1 which is my gateway to the internet.
View 3 Replies
View Related
Feb 25, 2011
I have Cisco 7200vxr doing BGP with 2 directly connected ISP's over ethernet. I am receiving default routes only, and have added a higher weight to my routes learned from my primary ISP. below is my configuration (ip addresses changed of course)
router bgp 100 no synchronization bgp router-id x.x.x.x bgp log-neighbor-changes network 100.100.64.0 mask 255.255.254.0 network 100.100.71.0 network 100.100.78.0 mask 255.255.254.0
neighbor <ISP_A-IP> remote-as 200 neighbor <ISP_A-IP> weight 175 neighbor <ISP_B-IP> remote-as 300 neighbor <ISP_B-IP> weight 150 auto-summary
Advertising my rotues to the primary ISP is fine
7206vxr.rb#sh ip bgp neighbors <ISP_A-IP> advertised-routesBGP table version is 7, local router ID is x.x.x.xStatus codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path*> 100.100.64.0/23 0.0.0.0 0 32768 i*> 100.100.71.0 100.100.64.57 0 32768 i*> 100.100.78.0 0.0.0.0 0 32768 i
Total number of prefixes 3
However, advertisements to the secondary ISP inlcludes the defautl route learned from the primary 7206vxr.rb#sh ip bgp neighbors <ISP_B-IP> advertised-routes BGP table version is 7, local router ID is x.x.x.x Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 <ISP_A-IP> *> 100.100.64.0/23 0.0.0.0 0 32768 i*> 100.100.71.0 100.100.64.57 0 32768 i*> 100.100.78.0 0.0.0.0 0 32768 i
Should I not just only be advertising just the networks that i specified in my configuration?
View 3 Replies
View Related
Jun 20, 2012
I have a 3750 at a branch running EIGRP connected to two routers that both have configured:
access-list 1 deny 0.0.0.0
access-list 1 permit any
access-list 2 permit 0.0.0.0
access-list 2 deny any
router eigrp 1distribute-list 1 out FastEthernet0/0distribute-list 2 in FastEthernet0/0
Due to this recently applied config the switch become unreachable from the outside and cannot ping anything. Everything connected to it works fine. I was able to remote into it from a switch behind it and noticed that the 3750 has no default route in the routing table. I do see a default route in the eigrp topology table. How to make the switch learn a default route maintaining the existing configuration on the routers.
View 3 Replies
View Related
Jun 20, 2011
Since the ACE supports only static routing, when pointing a default route from the ACE what is your preferred method when using multiple 6500s with an ACE in each in a failover scenario to prevent just pointing at one 6500? Static route to an HSRP address? Multiple static routes on the ACE, etc?
View 2 Replies
View Related
Jan 21, 2013
2 ISP's connected to a 4507, both with seperate public IP blocks. Based on some source IP addresses on the LAN they would either use ISP-A or ISB-B's connection based on what I define.
View 3 Replies
View Related
Jan 3, 2013
How to configure my DIR-615 (Hardware Version E1 - Firmware Version 5.00NA) to:
1. Assign/Reserve IP address for 2 machines.
2. Route a web browser to a server on the first machine (port 80) as a default when another computer or smart-phone or device joins my open wireless network.
I am hoping to eliminate any changes to the IP address of the first two computers so that the server's IP address and port are static. I would also like anyone who joins the network to merely open their browser and be presented with the http interface from my server.
View 2 Replies
View Related
Oct 3, 2012
Site A has an ASA 5510 and a single internet connection.Site B has two internet connections (primary and backup). If Site B also has an ASA, I can configure Site A's ASA to deal with a failover at Site B (set peer 1.1.1.1 2.2.2.2). Does this work if Site B has an IOS router instead of an ASA? In other words will "set peer 1.1.1.1 2.2.2.2" on the ASA work when it's talking to IOS on the other end?
View 15 Replies
View Related
Sep 23, 2012
I just got my Cisco SG300 28, but I have some problems getting the routing to work. I get the vlans to get to the router, with the default route. But not getting them to talk with each other. I can ping the IPs from the cisco, but I am not getting traffic to go from vlan 1 to vlan 2. When I try to google, it say that it should do it automatically, and I found no setting for it. It looks like it not creating any route for the interfaces.
View 2 Replies
View Related
