Solved

Cisco ASA 5510 - failover setup

Posted on 2010-08-17
5
693 Views
Last Modified: 2013-11-16
Environment

Cisco ASA 5510, we are using  ASDM 6.1 as a management tool.

Objective
The objective is to NAT one external IP address to  two internal IPs with the ability to failover from one of the internal IP addresses to another.
e.g.
Public IP 1.2.3.4 and 2 Internal IPs {10.0.0.4, 10.0.0.5}

Current Setup

we have 1 - 1 Nat
Always 1.2.3.4  -> 10.0.0.4

What we would like to setup

We would like to change the settings so when a failure is detected on 10.0.0.4 the NAT rules fails over to 10.0.0.5 and vise versa
0
Comment
Question by:atigris
5 Comments
 
LVL 14

Accepted Solution

by:
anoopkmr earned 167 total points
ID: 33457932
for the traffic comming from internet to inisde then the one to one static nat has to be unique.
if we nat 1.2.3.4 <-> 10.0.0.4 for all Ip traffic , then we can't use the same 1.2.3.4 for 10.0.0.5
but if we use specific protocol  , then it is possible
for eg  :  1.2.3.4 <-> 10.0.0.4 for ftp services
                1.2.3.4<-> 10.0.0.5 for http services

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33457960
but  in a different way with two public IP and  one inside server , it is possible

see the url

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

0
 
LVL 18

Assisted Solution

by:decoleur
decoleur earned 167 total points
ID: 33458686
hello there,

anoopkmr is right, you cannot have a Cisco firewall provide a redundant 1:1 nat for inside hosts. What you need to do is abstract the redundancy from the firewall.

In enterprise web deployments we often leverage a virtual IP for a service and use some sort of mechanism to distribute that among available hosts. It maintains a state table to track the condition of the inside servers and transition from one to another if there is a service interruption.

This also presents challenges, because the session information is not automatically passed between servers. For example I would be on a web store front that is on server 1 with a bunch of stuff in my shopping cart. If I get bumped to server 2 is my shopping cart maintained?

I hope this helps, but what you are asking for cannot be done with just a Cisco Firewall.

-t
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 166 total points
ID: 33459963
>The objective is to NAT one external IP address to  two internal IPs
It is not possible with ASA.

What you are looking for is something like a load-balancer that decoleur alludes to above.
0
 
LVL 2

Author Closing Comment

by:atigris
ID: 33502885
Thanks for your assistance.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Phone implementation supported backups 1 44
unable to set full duplex 100 on WAN interface 11 82
IP Jumping 6 25
Cisco 3650x ACL 8 11
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question