Cisco ASA 5510 - failover setup

Environment

Cisco ASA 5510, we are using  ASDM 6.1 as a management tool.

Objective
The objective is to NAT one external IP address to  two internal IPs with the ability to failover from one of the internal IP addresses to another.
e.g.
Public IP 1.2.3.4 and 2 Internal IPs {10.0.0.4, 10.0.0.5}

Current Setup

we have 1 - 1 Nat
Always 1.2.3.4  -> 10.0.0.4

What we would like to setup

We would like to change the settings so when a failure is detected on 10.0.0.4 the NAT rules fails over to 10.0.0.5 and vise versa
LVL 2
atigrisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

anoopkmrCommented:
for the traffic comming from internet to inisde then the one to one static nat has to be unique.
if we nat 1.2.3.4 <-> 10.0.0.4 for all Ip traffic , then we can't use the same 1.2.3.4 for 10.0.0.5
but if we use specific protocol  , then it is possible
for eg  :  1.2.3.4 <-> 10.0.0.4 for ftp services
                1.2.3.4<-> 10.0.0.5 for http services

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
anoopkmrCommented:
but  in a different way with two public IP and  one inside server , it is possible

see the url

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

0
decoleurCommented:
hello there,

anoopkmr is right, you cannot have a Cisco firewall provide a redundant 1:1 nat for inside hosts. What you need to do is abstract the redundancy from the firewall.

In enterprise web deployments we often leverage a virtual IP for a service and use some sort of mechanism to distribute that among available hosts. It maintains a state table to track the condition of the inside servers and transition from one to another if there is a service interruption.

This also presents challenges, because the session information is not automatically passed between servers. For example I would be on a web store front that is on server 1 with a bunch of stuff in my shopping cart. If I get bumped to server 2 is my shopping cart maintained?

I hope this helps, but what you are asking for cannot be done with just a Cisco Firewall.

-t
0
lrmooreCommented:
>The objective is to NAT one external IP address to  two internal IPs
It is not possible with ASA.

What you are looking for is something like a load-balancer that decoleur alludes to above.
0
atigrisAuthor Commented:
Thanks for your assistance.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.