• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 704
  • Last Modified:

Cisco ASA 5510 - failover setup

Environment

Cisco ASA 5510, we are using  ASDM 6.1 as a management tool.

Objective
The objective is to NAT one external IP address to  two internal IPs with the ability to failover from one of the internal IP addresses to another.
e.g.
Public IP 1.2.3.4 and 2 Internal IPs {10.0.0.4, 10.0.0.5}

Current Setup

we have 1 - 1 Nat
Always 1.2.3.4  -> 10.0.0.4

What we would like to setup

We would like to change the settings so when a failure is detected on 10.0.0.4 the NAT rules fails over to 10.0.0.5 and vise versa
0
atigris
Asked:
atigris
3 Solutions
 
anoopkmrCommented:
for the traffic comming from internet to inisde then the one to one static nat has to be unique.
if we nat 1.2.3.4 <-> 10.0.0.4 for all Ip traffic , then we can't use the same 1.2.3.4 for 10.0.0.5
but if we use specific protocol  , then it is possible
for eg  :  1.2.3.4 <-> 10.0.0.4 for ftp services
                1.2.3.4<-> 10.0.0.5 for http services

0
 
anoopkmrCommented:
but  in a different way with two public IP and  one inside server , it is possible

see the url

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

0
 
decoleurCommented:
hello there,

anoopkmr is right, you cannot have a Cisco firewall provide a redundant 1:1 nat for inside hosts. What you need to do is abstract the redundancy from the firewall.

In enterprise web deployments we often leverage a virtual IP for a service and use some sort of mechanism to distribute that among available hosts. It maintains a state table to track the condition of the inside servers and transition from one to another if there is a service interruption.

This also presents challenges, because the session information is not automatically passed between servers. For example I would be on a web store front that is on server 1 with a bunch of stuff in my shopping cart. If I get bumped to server 2 is my shopping cart maintained?

I hope this helps, but what you are asking for cannot be done with just a Cisco Firewall.

-t
0
 
lrmooreCommented:
>The objective is to NAT one external IP address to  two internal IPs
It is not possible with ASA.

What you are looking for is something like a load-balancer that decoleur alludes to above.
0
 
atigrisAuthor Commented:
Thanks for your assistance.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now