Solved

ASA 5506x configured new interface.  Outbound works but no inbound traffic.

Posted on 2016-10-18
27 Views
Last Modified: 2016-10-31
I added a 2nd interface to ASA 5506x running 9.4 (2) 6 asdm 7.5 (2) 153 and configured it with a 2nd ISP.  I now have Outside and Outside2.

I configured dynamic PAT and am able to send traffic out and receive replies (tested ping, http).  This was done by setting a static route to use Outside2's gateway for test sites and then browsing/pinging from inside network.

However I have created several object NAT rules to forward RDP and HTTPS traffic.  I have used the packet tracer to verify all ACLs are correct and NAT would work.  However nothing works.  I have enabled PING (icmp permit host (my IP) Outside2) however I am unable to ping.  I have enabled HTTPS management access on Outside2 for my IP as well however I get nothing.

No pings, no ASDM, no inbound traffic.  Outbound traffic works fine.  

I have compared all configuration between the two outside interfaces but am unable to see anything which would cause this issue.  ACLs, NAT, interface settings are all the same.

Any ideas?
0
Question by:YMartin
5 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 41850420
Hi,
I'm afraid you are in the wrong direction ...
ASA is not a router and cannot manage two ISPs, unless you use the dual-isp failover functionality.
It will never act as load balancing, and I'm afraid it will never let you publish natted public IPs on a data line different from the one managed by the default gateway (e.g.: ip route 0.0.0.0 0.0.0.0 <RouterIP>).

The only thing that will work with static routes is the way you have configured it (e.g.: outbound for specific sites).

hope this helps
max
0
 
LVL 1

Author Comment

by:YMartin
ID: 41852307
Hi Max.  

Thank you.  

What I am trying to do is this:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
However the PAT rules must also survive the failover.  Are you saying this will never work with PAT involved?

I am seeing where the ASA does have some routing capability.

One other point worth mentioning is that we also have a T1 interface configured.  I am able to ping and reach ASDM through the T1 interface.
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 41857098
Hi,
the link you posted says exactly what I said:

Note: Load balancing does not occur in this example.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the security appliance changes the routing table to direct traffic to the DSL connection. Static route tracking is used to achieve this redundancy.

It is just dual-ISP failover; it does not work with both data lines up and running.

max
0
 
LVL 1

Accepted Solution

by:YMartin (earned 0 total points)
ID: 41860220
I was able to get this working.  There was a problem in the static route subnet mask causing the issue with responses to inbound traffic.  For some reason it was not affecting outbound.
0
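The fix above comes down to longest-prefix matching: a reply to an inbound connection on Outside2 is routed by the client's source address, and if the static route meant to cover that client has the wrong mask, the reply silently falls through to the default route on Outside and leaves from the wrong interface. The following is an added example (not configuration from the thread or from Cisco) that models an ASA-style static routing table in Python and checks the return path for an inbound client; it also models the tracked-route failover described in the linked Cisco document by marking the primary default route down. All addresses, interface names and the mis-typed mask are constructed, and prefix lengths stand in for the dotted masks of `route` statements.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    """One static route. Lower metric wins among routes with the same prefix length."""
    network: ipaddress.IPv4Network   # destination prefix (stands in for address + mask)
    interface: str                   # egress interface the next hop sits on
    metric: int = 1                  # administrative distance
    up: bool = True                  # False once a tracked next hop stops answering


def lookup(routes, dst):
    """Return the egress interface for dst: longest prefix first, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.up and dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.interface


def check_inbound_symmetry(routes, ingress_iface, client_ip):
    """Does the reply to a client that arrived on ingress_iface leave the same way?"""
    egress = lookup(routes, client_ip)
    return {"ingress": ingress_iface, "reply_egress": egress,
            "symmetric": egress == ingress_iface}


def mark_down(routes, interface):
    """Simulate static route tracking: the tracked next hop failed, pull its routes."""
    for r in routes:
        if r.interface == interface:
            r.up = False


def build_routes(client_prefixlen):
    """Constructed table: primary default on Outside, backup default on Outside2,
    and a static route sending a client network back out Outside2.
    client_prefixlen is the (possibly wrong) mask applied to that client route."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "Outside", metric=1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Outside2", metric=254),
        Route(ipaddress.ip_network(f"198.51.100.0/{client_prefixlen}", strict=False),
              "Outside2"),
    ]


def main():
    client = "198.51.100.25"   # constructed remote admin host connecting to Outside2
    # Mis-typed mask (/32 instead of /24): only 198.51.100.0 itself matches,
    # so the reply to .25 falls through to the Outside default route.
    print("wrong mask :", check_inbound_symmetry(build_routes(32), "Outside2", client))
    # Corrected mask: reply leaves via Outside2, matching the ingress interface.
    print("fixed mask :", check_inbound_symmetry(build_routes(24), "Outside2", client))
    # Tracked-route failover: primary gateway lost, default traffic moves to Outside2.
    routes = build_routes(24)
    print("before fail:", lookup(routes, "192.0.2.50"))
    mark_down(routes, "Outside")
    print("after fail :", lookup(routes, "192.0.2.50"))


if __name__ == "__main__":
    main()
```

Run it and compare the two `check_inbound_symmetry` lines: outbound tests from the inside network never exercise the client route at all (they match the default), which is why the broken mask only showed up on inbound connections.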
 
LVL 1

Author Closing Comment

by:YMartin
ID: 41866610
Resolved it on my own.
0