Support Engineer

asked on

ASA 5510 Configuration Question -

Overview:
 
We are trying to implement dual ISP on an ASA 5510 running 8.2(5)55 in an active/standby capacity. The primary goal is to protect the MS Exchange environment for inbound and outbound mail and protect user access to the internet.
 
For mail traffic to EX1 and EX2:
 
Currently inbound and outbound traffic on the AT&T (outside) connection works as designed doing a 1:1 NAT to each of the EX servers.
 
Currently inbound traffic on the Verizon (backup4G) connection works as designed doing a 1:1 NAT to each of the EX servers.
 
Currently outbound traffic from the EX servers going to an outside host that is routed out the backup4G connection does not seem to work and looks like it is getting double NAT’ed. (Packet Tracer Below)
 
EC1-ASA5510# packet-tracer input inside tcp 10.10.1.47 10025 66.42.159.222 25
 
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   66.42.159.222   255.255.255.255 backup4G
 
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,backup4G) Verizon_MX4_EX2 Inside-NPEXC02 netmask 255.255.255.255
  match ip inside host Inside-NPEXC02 backup4G any
    static translation to Verizon_MX4_EX2
    translate_hits = 5, untranslate_hits = 2
Additional Information:
Static translate Inside-NPEXC02/0 to Verizon_MX4_EX2/0 using netmask 255.255.255.255
 
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) ExchangeSMTP02 Inside-NPEXC02 netmask 255.255.255.255
  match ip inside host Inside-NPEXC02 outside any
    static translation to ExchangeSMTP02
    translate_hits = 44333, untranslate_hits = 198155
Additional Information:
 
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 192272265, packet dispatched to next module
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: backup4G
output-status: up
output-line-status: up
Action: allow
 
 
For user traffic going to the Internet:
 
Currently outbound and inbound traffic using the AT&T (outside) connection is working as designed.
 
When a user is trying to access a resource that routes out the Verizon (backup4G) connection it gets an error. Packet Tracer output below.
 
EC1-ASA5510# packet-tracer input inside tcp 10.10.100.10 10080 66.42.159.222 80
 
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   66.42.159.222   255.255.255.255 backup4G
 
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 101 access-list inside_nat_outbound_1
  match ip inside any backup4G any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: backup4G
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
EC1-ASA5510#
 
It seems to match the right egress interface but tries to apply the 101 pool (outside) instead of the 102 pool (backup4G) for the dynamic policy NAT (Global).
 
Thanks,
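An added example, not part of the original post and not Cisco's own code: a small Python model of the dynamic NAT lookup that the second packet-tracer run above goes through on an 8.2 ASA. Policy NAT statements (nat (inside) <id> access-list ...) are walked in configuration order, the first ACL match wins, and only then does the ASA look for a global with the same NAT ID on the egress interface chosen by the route lookup; there is no fallback to the next nat statement, which is why the trace reports "dynamic translation to pool 101 (No matching global)" and drops. Everything beyond what packet-tracer printed is an assumption: the any/any content of inside_nat_outbound_1, the existence of a nat/global pair with ID 102 on backup4G, and "interface" PAT globals.

```python
"""Model of how an ASA running 8.2 picks a dynamic NAT rule and then a global.

Added example; the rule set is constructed from the packet-tracer output in
the question plus labelled assumptions. It is a model of the lookup order,
not the firewall's code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyNat:
    nat_id: int
    src_if: str
    acl: list  # list of (source_net, dest_net); "any" matches everything


@dataclass
class Global:
    egress_if: str
    nat_id: int
    pool: str  # "interface" = PAT to the interface address


def _match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def pick_nat(nats, src_if, src, dst):
    """Walk nat statements in config order; first ACL match wins.
    The egress interface plays no part in this step."""
    for n in nats:
        if n.src_if != src_if:
            continue
        for s_net, d_net in n.acl:
            if _match(s_net, src) and _match(d_net, dst):
                return n
    return None


def pick_global(globals_, nat_id, egress_if):
    """A dynamic translation needs a global with the same ID on the egress
    interface; otherwise the packet is dropped, not retried with another nat."""
    for g in globals_:
        if g.nat_id == nat_id and g.egress_if == egress_if:
            return g
    return None


def translate(nats, globals_, src_if, src, dst, egress_if):
    n = pick_nat(nats, src_if, src, dst)
    if n is None:
        return ("drop", "no nat rule matched")
    g = pick_global(globals_, n.nat_id, egress_if)
    if g is None:
        return ("drop", f"pool {n.nat_id} (No matching global) on {egress_if}")
    return ("allow", f"nat {n.nat_id} -> global ({egress_if}) {n.nat_id} {g.pool}")


# Constructed from the posted trace. packet-tracer showed nat 101 matching
# "inside any backup4G any", so its ACL is modelled as any/any. The ID 102
# rule and both global statements are assumptions.
NATS_PAGE = [
    PolicyNat(101, "inside", [("any", "any")]),  # nat (inside) 101 access-list inside_nat_outbound_1
    PolicyNat(102, "inside", [("any", "any")]),  # assumed rule intended for backup4G
]
GLOBALS_PAGE = [
    Global("outside", 101, "interface"),   # assumed: global (outside) 101 interface
    Global("backup4G", 102, "interface"),  # assumed: global (backup4G) 102 interface
]

# Fix A: give NAT ID 101 a global on the backup interface as well.
GLOBALS_FIX_A = GLOBALS_PAGE + [Global("backup4G", 101, "interface")]

# Fix B: put a narrower ID 102 statement ahead of 101 so it matches first
# for the destination that the trace showed routed out backup4G.
NATS_FIX_B = [
    PolicyNat(102, "inside", [("any", "66.42.159.222/32")]),
    PolicyNat(101, "inside", [("any", "any")]),
]

# The packet from the second packet-tracer run: inside -> backup4G.
PACKET = ("inside", "10.10.100.10", "66.42.159.222", "backup4G")


def demo():
    return {
        "as_posted": translate(NATS_PAGE, GLOBALS_PAGE, *PACKET),
        "fix_a": translate(NATS_PAGE, GLOBALS_FIX_A, *PACKET),
        "fix_b": translate(NATS_FIX_B, GLOBALS_PAGE, *PACKET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Fix A (in 8.2 syntax, global (backup4G) 101 interface) is the one that also covers the failover case described in the question, because the tracked default route can move any destination to backup4G and nat 101 will still match first. Fix B only helps for destinations named in the narrower ACL, and it relies on the statement order, which is why the model walks the list in order rather than keying on the egress interface.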
asavener

Probably you have a static route for 66.42.159.222 that goes out the backup interface.

Then you have a NAT rule that only NATs traffic from the internal SMTP server.

So a source IP address different from the SMTP server will not match the NAT rule, and so will not be allowed to go out the backup interface.
Support Engineer

ASKER

We are troubleshooting 2 issues here:

What we are trying to accomplish is internet diversity for failover (mainly for email). Currently we have 1:1 NATs for our exchange servers going in and out of AT&T (outside) interface. What we are trying to accomplish is in the event that AT&T goes down our backup MX records will then point to the Verizon interface (backup4G) and the servers would also use the Verizon connection to deliver outbound mail. We are also tracking the default route for reachability and have a backup route set to use the backup4G gateway with a higher metric (250).

There is also a NAT rule for the backup interface that matches the rule on the outside interface but using Verizon public IP addresses in lieu of AT&T addresses. My assumption would be that if the route matched on the backup interface it would use the backup NAT rule and if the route matched on the outside interface it would use the outside NAT rule.

What I am seeing is that it initially matches on the backup4G NAT rule and then subsequently on the outside NAT rule but using the backup4G interface. (?)

Packet Tracer:

EC1-ASA5510# packet-tracer input inside tcp 10.10.1.47 10025 66.42.159.222 25
 
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   66.42.159.222   255.255.255.255 backup4G
 
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,backup4G) Verizon_MX4_EX2 Inside-NPEXC02 netmask 255.255.255.255
  match ip inside host Inside-NPEXC02 backup4G any
    static translation to Verizon_MX4_EX2
    translate_hits = 5, untranslate_hits = 2
Additional Information:
Static translate Inside-NPEXC02/0 to Verizon_MX4_EX2/0 using netmask 255.255.255.255
 
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) ExchangeSMTP02 Inside-NPEXC02 netmask 255.255.255.255
  match ip inside host Inside-NPEXC02 outside any
    static translation to ExchangeSMTP02
    translate_hits = 44333, untranslate_hits = 198155
Additional Information:
 
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 192272265, packet dispatched to next module
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: backup4G
output-status: up
output-line-status: up
Action: allow

We are also troubleshooting why the dynamic NAT/PAT rule for the backup4G interface is not working. It appears to match on the correct rule but not the correct ACL (101 instead of 102).

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 101 access-list inside_nat_outbound_1
  match ip inside any backup4G any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:
EC1-ASA5510.txt
ASKER CERTIFIED SOLUTION
asavener