Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 700
  • Last Modified:

Cisco ASA 5510 - failover setup

Environment

Cisco ASA 5510, we are using  ASDM 6.1 as a management tool.

Objective
The objective is to NAT one external IP address to  two internal IPs with the ability to failover from one of the internal IP addresses to another.
e.g.
Public IP 1.2.3.4 and 2 Internal IPs {10.0.0.4, 10.0.0.5}

Current Setup

we have 1 - 1 Nat
Always 1.2.3.4  -> 10.0.0.4

What we would like to setup

We would like to change the settings so when a failure is detected on 10.0.0.4 the NAT rules fails over to 10.0.0.5 and vise versa
0
atigris
Asked:
atigris
3 Solutions
 
anoopkmrCommented:
for the traffic comming from internet to inisde then the one to one static nat has to be unique.
if we nat 1.2.3.4 <-> 10.0.0.4 for all Ip traffic , then we can't use the same 1.2.3.4 for 10.0.0.5
but if we use specific protocol  , then it is possible
for eg  :  1.2.3.4 <-> 10.0.0.4 for ftp services
                1.2.3.4<-> 10.0.0.5 for http services

0
 
anoopkmrCommented:
but  in a different way with two public IP and  one inside server , it is possible

see the url

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

0
 
decoleurCommented:
hello there,

anoopkmr is right, you cannot have a Cisco firewall provide a redundant 1:1 nat for inside hosts. What you need to do is abstract the redundancy from the firewall.

In enterprise web deployments we often leverage a virtual IP for a service and use some sort of mechanism to distribute that among available hosts. It maintains a state table to track the condition of the inside servers and transition from one to another if there is a service interruption.

This also presents challenges, because the session information is not automatically passed between servers. For example I would be on a web store front that is on server 1 with a bunch of stuff in my shopping cart. If I get bumped to server 2 is my shopping cart maintained?

I hope this helps, but what you are asking for cannot be done with just a Cisco Firewall.

-t
0
 
lrmooreCommented:
>The objective is to NAT one external IP address to  two internal IPs
It is not possible with ASA.

What you are looking for is something like a load-balancer that decoleur alludes to above.
0
 
atigrisAuthor Commented:
Thanks for your assistance.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now