Cisco ASA 5505 with Security Plus - 2 ISPs with NATs to internal hosts from each ISP?

Posted on 2014-07-30
Last Modified: 2014-08-11
Hello,

I have a Cisco ASA 5505 with security plus licensing and unlimited hosts that currently has (2) ISPs installed:

VLAN 1:  INSIDE
VLAN 2:  OUTSIDE-1 (ISP 1 = /29 from tier 1 ISP)
VLAN 3:  OUTSIDE-2 (ISP 2 = /29 from tier 1 ISP)

I have set ROUTE OUTSIDE statement as:

route outside 0.0.0.0 0.0.0.0 ISP-1-GATEWAY 1 (metric of 1)
route outside 0.0.0.0 0.0.0.0 ISP-2-GATEWAY 2 (metric of 2)

I am not sure how to set up the NAT statement (state inside,outside) so that an IP address on ISP-2 will statically translate the same as the ones that I have on ISP-1 using standard static (inside,outside) statements.  I UNDERSTAND that to do this correctly, we need Policy Based Routing (PBR) and that the ASA does not do this, but I have seen examples of different NAT statements that have gotten this to be able to work in some capacity.

The IOS version is 8.25
Question by: jkeegan123
4 Comments
LVL 20

Expert Comment

by: rauenpc
ID: 40229170
I think you can plainly create two nat statements pointed at the same inside IP, but using the respective outside IP addresses. I don't know for sure if this is possible with 8.2.5 code, but I know I can do it on 8.3+ code. In 8.3+, you end up needing to make what is essentially duplicate host objects (two objects with the same host IP defined) with nat statements.

I *think* with the two nat statements in place, connections initiated from the outside will work simultaneously on those nat statements only because the return traffic will have an existing nat translation to work with. However, outbound connections initiated from your server will only be able to use the primary/active default route and associated NAT statements. The only way I've been able to "load balance" was to setup nat statements based on outside destinations, but that doesn't really work well unless you have a very specific destination to be used, such as an email smarthost.
LVL 5

Author Comment

by: jkeegan123
ID: 40229282
I don't need NAT statements to point to the same IP on both ISPs, it would be a separate NAT statement that would ONLY be on ISP 2....possible?
LVL 20

Expert Comment

by: rauenpc
ID: 40229297
Yes, what I mean was that you should be able to make nat statements:
inside 192.168.1.1 outside1 x.x.x.x
inside 192.168.1.1 outside2 y.y.y.y
and have those exist at the same time. If you are looking to direct 192.168.1.1 out outside2 when everyone else is using outside1, then you are probably going to have some troubles.
LVL 57

Accepted Solution

by: Pete Long (earned 500 total points)
ID: 40237037
Agreed, you can have static translations, and use port forwarding in this configuration.
Also (surprisingly, and contrary to what you will read), if traffic was coming from outside to an internal IP (i.e. a web server or a mail server), then both the public IP addresses can be used at the same time.
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs

Pete
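
A worked configuration of the two-statement approach rauenpc describes above and Pete Long confirms, added here as an example; it is not something posted in the thread. It uses the asker's interface names, shows the 8.2.x syntax first (the asker's release) and the 8.3+ object form after it, and carries rauenpc's caveat that inbound works on both public addresses while outbound only follows the active default route. The public addresses are RFC 5737 placeholders, 192.168.1.1 is the sample host from rauenpc's comment, and the route tracking is the backup-ISP method from the Cisco document Pete Long links; all three are assumptions, not values from the page.

```cisco
! Added example, not from the thread. Public addresses are RFC 5737 placeholders;
! interface names follow the asker's VLAN layout, 192.168.1.1 is rauenpc's sample host.
interface Vlan2
 nameif OUTSIDE-1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif OUTSIDE-2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Primary default route tracked by ICMP echo to the ISP-1 gateway (the backup-ISP method
! in the Cisco document linked above); the metric-2 route is used only while ISP-1 is down.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE-1
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route OUTSIDE-1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route OUTSIDE-2 0.0.0.0 0.0.0.0 198.51.100.1 2
!
! 8.2.x static NAT: the same inside host published on each ISP's block.
! Inbound connections to either public address work because the reply follows the
! connection's existing translation; outbound connections from 192.168.1.1 only ever
! use the active default route, so they leave via OUTSIDE-1 while ISP-1 is up.
static (inside,OUTSIDE-1) 203.0.113.3 192.168.1.1 netmask 255.255.255.255
static (inside,OUTSIDE-2) 198.51.100.3 192.168.1.1 netmask 255.255.255.255
!
! Port forwarding on ISP-2 instead of a full host translation (8.2.x syntax):
! static (inside,OUTSIDE-2) tcp 198.51.100.3 443 192.168.1.1 443 netmask 255.255.255.255
!
! Pre-8.3 inbound ACLs match the public (translated) address, not the inside one.
access-list OUTSIDE-1_IN extended permit tcp any host 203.0.113.3 eq 443
access-list OUTSIDE-2_IN extended permit tcp any host 198.51.100.3 eq 443
access-group OUTSIDE-1_IN in interface OUTSIDE-1
access-group OUTSIDE-2_IN in interface OUTSIDE-2
!
! 8.3+ equivalent of the two statics: two objects with the same host, as rauenpc notes.
! On 8.3+ the inbound ACL references the real inside address 192.168.1.1 instead.
object network WEB-ISP1
 host 192.168.1.1
 nat (inside,OUTSIDE-1) static 203.0.113.3
object network WEB-ISP2
 host 192.168.1.1
 nat (inside,OUTSIDE-2) static 198.51.100.3
```

Verify with `show xlate` and `show conn` that a connection arriving on OUTSIDE-2 is answered through the same interface even while the OUTSIDE-1 default route is active.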