We have a network with multiple ISPs, each with a separate firewall and router in the middle performing “policy based routing” (see simplistic diagram attachment). I am investigating a way to have the same internal server published on both ISPs, at the same time. Each ISP would use its own IP addresses (no BGP). I know that Cisco doesn’t normally support an active/active mode on two ISPs, without running BGP. Is there any way to accomplish this?
When I was thinking about this I was wondering if on one of the firewalls (let’s call it the secondary firewall) we setup both source and destination NAT. We could use this to publish a server onto the internet with an IP from the second ISP, as well as setup NAT to use a private address to mask internet sourced traffic in our internal network. Finally, setup our core router to route traffic with the masked private address to the secondary firewall. We have familiarity with setting up both source and destination NAT at the same time and know it works. The main issue with this setup is all internal logs would see internet traffic with the masked private address which could make troubleshooting and security investigation more difficult. However, would this work? Are there other ways that are more supported?
We use completely Cisco devices with the firewalls as Cisco ASA 5510 and the core internal router as a Cisco 2921. SimpleLANDiagram.png
”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
-Mike Kapnisakis, Warner Bros
With your subscription - you'll gain access to our exclusive IT community of thousands of IT pros. You'll also be able to connect with highly specified Experts to get personalized solutions to your troubleshooting & research questions. It’s like crowd-sourced consulting.
We can't always guarantee that the perfect solution to your specific problem will be waiting for you. If you ask your own question - our Certified Experts will team up with you to help you get the answers you need.
Our certified Experts are CTOs, CISOs, and Technical Architects who answer questions, write articles, and produce videos on Experts Exchange. 99% of them have full time tech jobs - they volunteer their time to help other people in the technology industry learn and succeed.
We can't guarantee quick solutions - Experts Exchange isn't a help desk. We're a community of IT professionals committed to sharing knowledge. Our experts volunteer their time to help other people in the technology industry learn and succeed.