Cisco ASA 5505 with Security Plus - 2 ISP's with NAT's to internal hosts from each ISP?

Hello,

I have a Cisco ASA 5505 with security plus licensing and unlimited hosts that currently has (2) ISP's installed:

VLAN 1:  INSIDE
VLAN 2:  OUTSIDE-1 (ISP 1 = /29 from tier 1 ISP)
VLAN 3:  OUTSIDE-2 (ISP 2 = /29 from tier 1 ISP)

I have set ROUTE OUTSIDE statement as:

route outside 0.0.0.0 0.0.0.0 ISP-1-GATEWAY 1 (metric of 1)
route outside 0.0.0.0 0.0.0.0 ISP-2-GATEWAY 2 (metric of 2)

I am not sure how to setup the NAT statement (state inside,outside) so that an IP address on ISP-2 will statically translate the same as the ones that I have on ISP-1 using standard static (inside,outside) statements.  I UNDERSTAND that to do this correctly, we need Policy Based Routing (PBR) and that the ASA does not do this, but I have seen examples of differnet NAT statements that have gotten this to be able to work in some capacity.

The IOS version is 8.25
LVL 5
jkeegan123Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rauenpcCommented:
I think you can plainly create two nat statements pointed at the same inside IP, but using the respective outside IP addresses. I don't know for sure if this is possible with 8.2.5 code, but I know I can do it on 8.3+ code. In 8.3+, you end up needing to make what is essentially duplicate host objects (two objects with the same host IP defined) with nat statements.

I *think* with the two nat statements in place, connections initiated from the outside will work simultaneously on those nat statements only because the return traffic will have an existing nat translation to work with. However, outbound connections initiated from your server will only be able to use the primary/active default route and associated NAT statements. The only way I've been able to "load balance" was to setup nat statements based on outside destinations, but that doesn't really work well unless you have a very specific destination to be used, such as an email smarthost.
0
jkeegan123Author Commented:
I don't need NAT statements to point to the same IP on both ISP's, it would be a separate NAT statement that would ONLY be on ISP 2....possible?
0
rauenpcCommented:
Yes, what I mean was that you should be able to make nat statements:
inside 192.168.1.1 outside1 x.x.x.x
inside 192.168.1.1 outside2 y.y.y.y
and have those exist at the same time. If you are looking to direct 192.168.1.1 out outside2 when everyone else is using outside1, then you are probably going to have some troubles.
0
Pete LongTechnical ConsultantCommented:
Agreed, you can have static translations, and use port forwarding in this configuration.
Also (surprisingly, and contrary to what you will read) if traffic was coming form outside to an internal IP (i.e a web server or a mail server, then both the public IP addresses can be used at the same time)
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs



Pete
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.