s1mwat

HOW TO NAT INCOMING INTERNET TRAFFIC

Hi all

I have two Cisco 2921 routers, both connected to the outside interface of an ASA 5520. Each router is connected to an ISP (ISP A and ISP B); all the web servers from ISP A will have their IP addresses migrated to those belonging to ISP B.

The web servers are located on the DMZ of the ASA. Is it possible to NAT incoming (internet-initiated) source traffic to, say, an overload PAT address in order to be able to control which router (and which ISP) the outgoing internet traffic will go out on?

I hope that makes sense :)

Thanks in advance
Cyclops3590

From what I can see, yes, this is very possible* (I'll explain the asterisk in a bit), if I'm understanding it right. Correct me if I'm wrong, but it looks like the following is what you have:

Clients ISP A ---> Router ISP A ---|
                                   ----> ASA ----> Server
Clients ISP B ---> Router ISP B ---|


And you already NAT traffic going to the server at the ASA? Since you are migrating ISPs, you will have two IPs for the internal server. Here's one of the asterisk points. You can't do normal NAT with both ISP public IPs to the server on the ASA, so you'd need to do policy NAT in order for it to work. The reason is that the ASA needs to know how to translate return traffic; if there are 2 possible IPs, which does it use? So you will need 2 ACLs and 2 NAT entries. One ACL we will use for ISP A, since you're migrating from that. Just say source of server and destination of ISP A IP* (I'll get to this one in just a moment as well). Then you create a static NAT entry specifying the public IP for ISP A with that access list. Then you create another ACL for ISP B that says to deny to the ISP A IP and then accept everything else. Apply that to a static NAT entry as well, but with the ISP B address.

Next you set up the overload NATing for clients coming into your network. This is where I explain the second asterisk. When clients come in via ISP A, I would have that router perform an outside NAT overload on all traffic coming in. The same for the ISP B router. This can be an RFC1918 IP address that is not even used anywhere else. Say you use 172.16.1.1 on ISP A for NATing and 172.17.1.1 for ISP B. Then you just add static routes on the ASA. Then when you create those ACLs for policy NAT on the ASA, you use the IPs you assigned for NATing here. Also, in case you were wondering, on ISP B you do a deny and then accept all so that when the server itself needs to go out it has the ISP B IP to NAT to. If you don't want that, then you specify the ISP B address only. The server would then use some other translation rule to get out for its own traffic.

Summary:
Clients coming in get outside PAT at router
ASA policy NATs the server to a public IP.
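The two-ACL, two-static layout described in the answer above, written out in pre-8.3 ASA syntax as an added illustration; this is not part of the thread and not the certified solution. Assumed values: the server is 10.1.1.10 on the dmz interface, the ISP A and ISP B routers sit at 203.0.113.1 and 203.0.113.2 on the outside segment, the ACL names are invented, a.a.a.a / b.b.b.b are the public addresses from the question, and the routers' own inbound PAT to 172.16.1.1 and 172.17.1.1 is assumed to be in place and is not shown.

```cisco
! Added example (not from the thread): pre-8.3 ASA policy NAT for one DMZ
! web server reachable on two public addresses, one per ISP.
! Constructed values: server 10.1.1.10 (dmz), ISP A router 203.0.113.1 and
! ISP B router 203.0.113.2 on the outside segment; a.a.a.a / b.b.b.b are the
! two public addresses from the question.
!
! The routers PAT all inbound client traffic before it reaches the ASA, so the
! ASA sees every ISP A client as 172.16.1.1 and every ISP B client as 172.17.1.1.
! Static routes make the server's replies to each PAT address leave via the
! router that owns that ISP.
route outside 172.16.1.1 255.255.255.255 203.0.113.1
route outside 172.17.1.1 255.255.255.255 203.0.113.2
!
! ISP A: server traffic destined to the ISP A PAT address translates to a.a.a.a,
! so an ISP A client that hit a.a.a.a gets its reply from a.a.a.a.
access-list ISPA-POLICY extended permit ip host 10.1.1.10 host 172.16.1.1
static (dmz,outside) a.a.a.a access-list ISPA-POLICY
!
! ISP B: everything else from the server translates to b.b.b.b. The deny ACE
! (as in the answer) keeps the ISP A PAT address out of this rule, so the two
! statics never claim the same flow; the trailing permit also lets the server's
! own outbound traffic leave as b.b.b.b.
access-list ISPB-POLICY extended deny ip host 10.1.1.10 host 172.16.1.1
access-list ISPB-POLICY extended permit ip host 10.1.1.10 any
static (dmz,outside) b.b.b.b access-list ISPB-POLICY
!
! While DNS is moving, both public addresses must stay permitted inbound.
access-list OUTSIDE-IN extended permit tcp any host a.a.a.a eq 80
access-list OUTSIDE-IN extended permit tcp any host b.b.b.b eq 80
access-group OUTSIDE-IN in interface outside
```

On ASA 8.3 and later the same design is expressed with object-based `nat` statements; the `static (dmz,outside) ... access-list` form shown here is not accepted there.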
s1mwat

ASKER

Thanks for such an excellent answer, Cyclops. I need to get my head around a couple of things. Will your solution work if one of my web servers was in the midst of a DNS change, i.e. the public IP address of the web server that is associated with a URL is in the process of changing from an ISP A address to an ISP B address? If we say the web server has a URL of "webaddress.com", an ISP A public address of a.a.a.a and a migrated ISP B address of b.b.b.b, it may take a little while for the migrated address to cover the whole of the internet, which will mean that in some parts of the internet webaddress.com would resolve to the new address of b.b.b.b whilst other parts of the internet would still resolve to the original address of a.a.a.a.

So both ISPs' addresses for webaddress.com could be in use simultaneously. Would your solution cover that? If so, can you give me a sample config?

Thanks
ASKER CERTIFIED SOLUTION
Cyclops3590

s1mwat

ASKER

Many thanks for the info.