I have a question, I have a pair of ASA5520s that is running in HA configuration. They are currently work fine when I am on the ATT internet. I am working to switch it over from ATT to Comcast internet and the only thing here that is changing is the default route, IPs and the physical connection. So currently the ATT connection is:
ATT:
Interface GigabitEthernet 0/0
ip address 199.1.145.6 255.255.255.0 standby 199.1.145.7
global (outside) 1 65.163.193.100
global (outside) 2 interface
route outside 0.0.0.0 0.0.0.0 199.1.145.4
access-list acl-in extended permit ip any host 65.163.193.10
Comcast:
Interface GigabitEthernet 0/0
ip address 50.224.209.2 255.255.255.248
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 50.224.209.1
access-list acl-in extended permit ip any host 50.224.209.2
Comcast told me that 50.224.209.1 is my gateway
So when I run a packet-tracer when I am on Comcast everything looks good pretty much matches the packet-tracer I ran while on ATT. The only difference is that there is no Route-Lookup while on Comcast but I have the default route pointing to the correct gateway: route outside 0.0.0.0 0.0.0.0 50.224.209.1
My question is, is it because it is set up in a HA configuration while on ATT have something to do with it? Reason why I ask is when I move it over to Comcast all I do is take the physical connection from the dumb switch that both ASA’s are plugged into. I remove the primary ASA connection and plug it directly into the Comcast switch and configure the primary switch to the config mentioned above?
Your HA configuration should not be an issue here. The HA configuration is designed for failover and redundancy, not for routing traffic. It seems like you have everything set up correctly for the switch to Comcast.
I don’t have a definitive answer for you for your particular scenario, but here are a few things you may want to check to determine where the issue lies:
The lack of Route-Lookup on Comcast may be due to how the packet-tracer is being run. If you’re running a packet-tracer with a source IP that’s already on the outside interface subnet, then it wouldn’t need to do a Route-Lookup because it’s directly connected.
One thing you might want to check is to ensure that Comcast has properly routed your public IP block to your Comcast gateway IP. This is something that they would need to do on their end.
Also, make sure your NAT rules are updated to reflect the new IP address configuration for Comcast.
Lastly, ensure that the physical connections are correct. Once the primary ASA is disconnected from the ATT network, the secondary ASA will become active. When you connect the primary ASA to the Comcast network, it should become active again.
Thank you for your help, I figured out why it wasn’t working. long story short…any if anyone wants the full details let me know, but what happened is that there were 3 connections. One went to ATT, the second went to my internal network and the third connection said it was comcast. When I asked about it I was told that it was an old connection that was decommed 2 yrs ago. Lesson learned here…don’t believe anyone verify for your own sake. That so called 3rd connection was actually connect to the internal network as well so when the second connection was removed I still had a connection to ATT. Once I removed that 3rd connection that still didn’t help it was a combination of removing the 3rd connection and doing:
clear xlat
clear connections
clear arp
that got it to work. But I appreciate your help!!!
That’s a very useful sentiment! There were many times that I got stuck because I considered what someone had told me to be true. And I couldn’t figure out what was happening until I questioned the initial info they gave me. If you didn’t set up the network, don’t blindly accept whatever they tell you, verify it yourself. More often than not you will save yourself time and grief.
As always, thanks for keeping us updated with the results! It’s always useful and satisfying to hear about how things get resolved.