NAT question - 2 outside interfaces

Status
Not open for further replies.

yanks2112

IS-IT--Management
Jan 5, 2004
110
US
Hello

I have an ASA 5510 8.2(1) that is set up for a site-to-site VPN with our partner. There are two spare ports and I am trying to use those ports for an alternate path to the internet (we are procuring a couple of video conferencing devices and want to send that traffic out the ASA). I have configured an internal interface and an external interface. I created both a Global and Static NAT but nothing seems to work. When I try to access an external website, I see:
Built local-host VTC:143.166.83.38 followed by:

Deny TCP (no connection) from 143.166.83.38/80 to 10.76.253.141/63215 flags SYN ACK on interface VTC

What I have for my NAT statements are:
Global (newDMZ) 2 interface
nat (VTC) 2 10.76.25.141 255.255.255.255

I have also tried the following:
static (VTC,newDMZ) interface 10.76.25.141 netmask 255.255.255.255

I can't seem to get the internal IP address to translate to the external IP address. The NAT config is pasted below. Thanks in advance!

nat-control
global (SiteVPN) 1 interface
global (newDMZ) 2 interface
nat (MP25) 0 access-list no_nat
nat (VTC) 2 10.76.25.141 255.255.255.255
static (MP25,xSiteVPN) x.x.x.8 10.76.3.12 netmask 255.255.255.255
access-group newDMZ_access_in in interface newDMZ
access-group newDMZ_access_out out interface newDMZ
access-group VTC_access_in in interface VTC
access-group outbound out interface VTC

access-list VTC_access_in extended permit ip any any
access-list newDMZ_access_out extended permit ip any any
access-list newDMZ_access_in extended permit ip any any
access-list newDMZ outbound extended permit ip any any
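
A way to cross-check a deny message against the nat/global pairs in a pasted pre-8.3 config, as an added example that is not part of the original post. It assumes the destination address in the message is the untranslated internal host; the function names are hypothetical and the sample input is constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed sample: NAT lines and the syslog message quoted in the post.
CONFIG = """\
nat-control
global (SiteVPN) 1 interface
global (newDMZ) 2 interface
nat (MP25) 0 access-list no_nat
nat (VTC) 2 10.76.25.141 255.255.255.255
"""
DENY_LOG = ("Deny TCP (no connection) from 143.166.83.38/80 "
            "to 10.76.253.141/63215 flags SYN ACK on interface VTC")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
DENY_RE = re.compile(r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
                     r"flags (.+) on interface (\S+)")

def parse_nat(config):
    """Return (nat_rules, egress interfaces keyed by NAT id) from 'nat'/'global' lines."""
    nats, globals_by_id = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            # Address/netmask form only; 'nat ... access-list' lines are skipped.
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            nats.append({"ifc": m[1], "id": int(m[2]), "net": net})
        elif m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(int(m[2]), []).append(m[1])
    return nats, globals_by_id

def check_deny(config, log_line):
    """Report which nat rule, if any, covers the destination host of a deny message."""
    m = DENY_RE.search(log_line)
    if not m:
        raise ValueError("not a 'Deny TCP (no connection)' message")
    host = ipaddress.ip_address(m[3])  # assumption: this is the internal host
    nats, globals_by_id = parse_nat(config)
    for rule in nats:
        if host in rule["net"]:
            return {"host": str(host), "nat_id": rule["id"], "ifc": rule["ifc"],
                    "egress": globals_by_id.get(rule["id"], [])}
    return {"host": str(host), "nat_id": None, "ifc": None, "egress": []}

if __name__ == "__main__":
    print(check_deny(CONFIG, DENY_LOG))
```

On the lines quoted in the post, the host in the deny message (10.76.253.141) is not covered by the nat (VTC) 2 entry, which matches 10.76.25.141.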
 
I think multi wan requires a licence

However, the ASA (at the moment) doesn't do failover or load balancing for dual WAN.

ACSS - SME
General Geek

 
Thanks for the reply, it's a shame. I had an older Netgear firewall that I was able to use. Thanks again.
 
Does your 5510 have a Security Plus license? If not, you can only use three of the interfaces. I am confused by your interface names as I can't tell what is an external interface and what interface is internal. Thus, I can't offer any suggestions for the NAT configuration. The only limitation on the ASA is that you can't have 2 default routes. Other than that you can do interface tracking for failover, but there is no load balancing.
 