How to Configure Cisco ASA 5512 for multiple public IP interfaces

Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
Thanks in advance for the suggestions/help

I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick

Similar Messages

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Helo,I have a client that want to install new ASA (5510) in their network.
    and then I did some experiment to implement it. the topology is like this :
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those host.
    then I use wireshark to capture packet in my computer and it says that TCP ACKed Lost Segment.
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
    please help, any suggest would be great .
    thanks .
    sincerley yours
    -IAN WIJAYA-

    ear Ian_benderaz,
    Thank god i am not alone on this ,
    Me too having the exact same problem , i can ping to the host ,but no remote desktop .
    Somebody please help me on this , how enable remote desktop on asa 5505 
    Thanks 

  • How to configure Cisco ASA 5500 to work with the iPhone

    We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
    http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
    We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
    After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
    Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
    I noticed that many people are having these problems.
    Please do not post to this topic if you have ANY OTHER Cisco device.
    Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
    Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
    It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
    Thank you!
    Oleg R

    We found the solution and a bug in Cisco firmware (seems to be a bug).
    First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set iphone esp-3des esp-sha-hmac
    crypto ipsec transform-set iphone mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
    crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
    crypto map outside_map 10 match address vpn
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp nat-traversal 20
    group-policy iphone internal
    group-policy iphone attributes
     wins-server value <insert ip> <insert ip>
     dns-server value <insert ip> <insert ip>
     vpn-tunnel-protocol IPSec
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value iphone_splitTunnelAcl
     default-domain value <insert domain name>
    tunnel-group iphone type remote-access
    tunnel-group iphone general-attributes
     address-pool VPN-Pool
     authentication-server-group ActiveDirectory2
     default-group-policy iphone
    tunnel-group iphone ipsec-attributes
     pre-shared-key <insert pre-shared key>
    For iPhone you have to be using IPSec tab for configuration.
    We tried to set up this config using the wizards, but it would not work.
    Later it turned out that wizards by default set this setting:
    "crypto isakmp nat-traversal 20"
    equal to zero and there is no way to change it from the GUI.
    Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
    Please let me know how it works out for you.
    Message was edited by: Rogik
    Message was edited by: Rogik

  • Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

    I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
    home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

    Hi,
    Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

  • How to configure oracle listener profile for multiple oracle database

    Hi,
    I am going to install solution manager system in the same server of ERP EHP4 on Windows. Both DB are oracle.
    I'd like to know how to configure listener in this kind of envirnmonent.
    a. use two listener and different ports
    b. use same listener but different ports
    c. use same listener and same port
    Which is the correct mothed?
    And, after installation, there seem three set of profiles of listten, one for ERP, one for SLM, and the other for OS?(%windir%system32), which one is functional?
    Please advise.
    Thanks a lot.
    Regards,
    Alex

    Hi,
    standard installation is creating new configs for listener for each instance.
    I would recommend to use one listener per each instance.
    YOU CAN NOT HAVE one port number for two differnet systems!
    If you want to use one listener than you must adapt tnsnames.ora, listener.ora and ensure that both systems will use different port numbers.
    For example PORT= 15<system number>
    Peter

  • How to configure request manager service for multiple website in one web application

    I have set up sp 2013 as below:
     web application : wa1
    site collection : sc1
    sp site: site1, site2
    I used 2 WFE, 1 APP, how can I use request manager service to control  site1 to wfe1, site2 to wfe2?
    Awen

    That's not what i'd describe as load balancing.
    A better description would be load-isolation. In your description then if the load on site1 was large (and growing) but site2 was quiet then site1 would struggle and eventually become unable to handle the number of users but site2 would still be ok. That's
    fine from a QOS point of view but it's not the norm for load balancing. It would work in simple scenarios but the out of the box load balancing tools are much better suited than that sort of approach.
    This article shows how to configure the RMS and may help show how your request is difficult to configure:
    http://www.harbar.net/articles/sp2013rm2.aspx

  • How to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

    how to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

    Hi ,
     Have you got any additional public IP Address from your service provider , If yes on router you can have static route for those additional IP Address pointing to your ASA  outside interface . 
    Accordingly you can configure NAT 
    HTH
    Sandy . 

  • Cisco ASA 5512 two interfaces

    i have an Cisco ASA 5512 working as Firewall
    We configure one ASA interface connecting to Cisco router 1700 with leasd line internet service without any problem.
    Now we have an extra internet connection ADSL 2MB connected to another ASA interface  
    I configure the ASA like this :
    1-    Enable interface 2 on ASA and connect it to ADSL router (interface ip 192.168.1.100 from the same ADSL router {192.168.1.1}range ) 
    2-    Create Access rule say source (My computer ip) destination  ADSL network range action accept
    3-    Create Nat Rule say source interface inside source ip (my ip) destination interface ADSL ip 192.168.1.100 destination source router ip 192.168.1.1
    4-    Add static route say ADSL interface source ip my ip gateway ADSL router
    This steps what I do but it doesn't work.
    Thanks in advance

    FYI for internet access I doubt this will work because if you configure two default route then ASA won't distribute traffic across two interface, first default route will be the one where ASA will send traffic. However from your description it is not very clear which IP address you are trying to ping and how exactly rules you have configured.
    Either attach your config or paste the relevant config in post.

  • Cisco ASA 5512 Transparent mode

                       Hi all - hope this is the right place to ask this question-
    I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
    I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
    I have the interfaces set up thusly:
    interface GigabitEthernet0/0
    nameif UnTrustedNetwork
    security-level 0
    interface GigabitEthernet0/1
    nameif TrustedNetwork
    security-level 100
    interface Management0/0
    nameif ManagementAccess
    security-level 100
    ip address 192.168.X.Y 255.255.255.0
    management-only
    I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
    other networks, like 10.6.X.Y, etc.
    I thought the point of a Management interface was that you could set things up in such a way that the Management interface
    was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
    (at least not in transparent mode, for NAT you obviously would have to)
    I tried to add a static route entry to 10.6.X.Y , but
    when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
    How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

    transparent firewall is configured differently from routed mode.
    here's a basic config required:
    firewall transparent               (erases the current config; does not require a reboot)
    interface BVI1
    ip address 192.168.10.10 255.255.255.0
    interface GigabitEthernet0
    nameif outside
    bridge-group 1
    security-level 0
    interface GigabitEthernet1
    nameif inside
    bridge-group 1
    security-level 100
    route outside 0.0.0.0 0.0.0.0 192.168.10.254
    route inside 10.0.0.0 255.0.0.0 192.168.10.100
    I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
    The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
    Hope that helps,
    Patrick

  • How to Configure ODI Console to Connect Multiple Master Repositories

    Hi,
    Can anybody help me in following,
    1. How to configure ODI Console to access Multiple Master Repositories and its corresponding Work Repository?
    2. Solutions are not supported by ODI Console? Is it possible to import scenarios as solutions in ODI Console?
    Thanks
    MT

    MT,
    1. I can only speak on my own experience in setting up the ODI console, but my understanding is that the console is configured against a single master repository - the connection details are picked up when the WebLogic server starts.  If I'm wrong, I'm sure one of the gurus will correct me.
    2. I haven't come across a way to do this - I'm using 11.1.1.5.  Aside from my initial go-live, I tend to only promote individual scenarios across environments.  For the rare occasion when I need to do a larger bulk import I'll just use ODI Studio.

  • Block / Deny ICMP Traffic cisco asa 5512-x

    hi expert
    I have cisco asa 5512x for configure as firewall and sslvpn.
    my customer want block/Deny icmp traffic from interface outside without block anything.
    i've configure form cli :
    icmp deny any outside
    but from outside can't open sslvpn url and asdm.

    Hi,
    Access for the Anyconnect/ASDM does not depend on the ICMP permit/deny commands on the ASA device.
    If you want to block the Pings to the ASA interface use the command:-
    icmp deny any outside etc.
    What do you mean by "i can ping from outside." Plzz explain.
    Thanks and Regards,
    Vibhor Amrodia

  • How to use one email adress for multiple recipients

    Hello,
    I'd like to know how to use one email adress for multiple recipients. 
    this would be very useful or projects. for example;
    if i send one mail to [email protected], all people in this project get an email.
    I will add the people in this project myself. 
    I know it is possible, but I don't know how to do it ;-)
    please help me! 

    Hope this help.
    _http://technet.microsoft.com/en-us/library/cc164331(v=exchg.65) .aspx

  • How to configure Automatic Account Clearing for A/R

    Hi,
    Kindly advice me how to configure  Automatic Account Clearing for A/R
    The client requirement is
    In A/R the customer accounts are not automatically clearing when a payment is posted for that account. We are still seeing all open items and all paid or cleared items when we go to FBL5N and select open items for viewing. Please make account clearing automatic for customer payments.
    Thanks in advance
    Sunitha

    Hi,
    Use T code OB74.
    Maintain for your Chart Of Account, acct type "D", From and to customer accounts and then add the critera you want. Pls note you cannot define more than 5 criteria.
    Then schedule the clearing program job F.13 in the background.
    Cheers.

  • How to configure oracle thin drivers for SUN APPLICATION SERVER

    hi all,
    I am working with EJB with oracle as back-end. I wants to know how to configure oracle thin drivers for the SUN APPLICATION SERVER. Please explain me breifly.
    Advanced thanks to all the replies.
    with regards,
    /kumaraswamy.n

    Kumaraswamy,
    Did you try searching the Internet? Here are the results of my Internet search:
    http://tinyurl.com/zo4gk
    And one of the first hits in the list was this:
    Deploying to a Sun Java System Application Server
    Good Luck,
    Avi.

  • How to configure Oracle Enterprise Manager for ASM RAC Database ?

    Dears,,
    We have two databases (Primary & Standby), each database has two instances
    Database version: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit
    How to configure Oracle Enterprise Manager for this environment ?
    I need documentation for this please.
    Many thanks & Regards,,

    Assuming an agent is running on the servers you want to monitor,
    navigate to the Agent home page (Via setup --> Agent)
    When in the agent home page select 'Add Database'and press [Go]
    Assuming yopur database now gets recognized, select the Configure icon and enter the password for dbsnmp.
    When done, press [Ok] to return to the agent home page.
    Regards
    Rob
    http://oemgc.wordpress.com

Maybe you are looking for

  • BPC 7.0 NW Client Install Error

    Hi Expert: Now I met some problem in install BPC 7.0 NW Client. At the first time, I ask me to provide the XceedZip.dll, however I do not have. So I just cancel the install process. Then, I download the lastest version XceedZip.dll and put it into th

  • 10.5.4 upgrade broke my email password log in?

    On July 1 I installed the 10.5.4 security upgrade. Then whenever I booted up my Mac I get the error message "The POP server "postoffice.pacbell.net" rejected the password for user "dane1234", and asks me to re-enter my password, but doing so doesn't

  • What is the best way to use Berkeley DB, C or C++ interface ?

    Hello, I'm using C++ interface but much samples, solutions and utils are in C. What is the best way to use Berkeley DB, C or C++ interface ? Lets talk a little about this...which is the interface you prefer and why ? Thanks DelNeto

  • Understanding the Creative Cloud Plans for a first-time photoshop user

    I've never had photoshop before and I downloaded just the free 30-day trial. Then I purchased the Creative Cloud Photography plan (the one that's 9.99 a month). But I need help understanding what this offer me, because in the description this seemed

  • Can we Receive Response back to IDOC's

    Hi, I want to receive the Response back to IDOC. Can IDOC handle with the Response from the Receiver Applications?? Not From XI System using ALEAUDIT. Regards Suman