Solved

Cisco ASA 5505 with Security Plus - 2 ISP's with NAT's to internal hosts from each ISP?

Posted on 2014-07-30
Last Modified: 2014-08-11
Hello,

I have a Cisco ASA 5505 with security plus licensing and unlimited hosts that currently has (2) ISPs installed:

VLAN 1:  INSIDE
VLAN 2:  OUTSIDE-1 (ISP 1 = /29 from tier 1 ISP)
VLAN 3:  OUTSIDE-2 (ISP 2 = /29 from tier 1 ISP)

I have set ROUTE OUTSIDE statement as:

route outside 0.0.0.0 0.0.0.0 ISP-1-GATEWAY 1 (metric of 1)
route outside 0.0.0.0 0.0.0.0 ISP-2-GATEWAY 2 (metric of 2)

I am not sure how to set up the NAT statement (state inside,outside) so that an IP address on ISP-2 will statically translate the same as the ones that I have on ISP-1 using standard static (inside,outside) statements.  I UNDERSTAND that to do this correctly, we need Policy Based Routing (PBR) and that the ASA does not do this, but I have seen examples of different NAT statements that have gotten this to be able to work in some capacity.

The IOS version is 8.25
0
Question by:jkeegan123
LVL 20

Expert Comment

by:rauenpc
ID: 40229170
I think you can plainly create two nat statements pointed at the same inside IP, but using the respective outside IP addresses. I don't know for sure if this is possible with 8.2.5 code, but I know I can do it on 8.3+ code. In 8.3+, you end up needing to make what is essentially duplicate host objects (two objects with the same host IP defined) with nat statements.

I *think* with the two nat statements in place, connections initiated from the outside will work simultaneously on those nat statements only because the return traffic will have an existing nat translation to work with. However, outbound connections initiated from your server will only be able to use the primary/active default route and associated NAT statements. The only way I've been able to "load balance" was to set up nat statements based on outside destinations, but that doesn't really work well unless you have a very specific destination to be used, such as an email smarthost.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 40229282
I don't need NAT statements to point to the same IP on both ISPs, it would be a separate NAT statement that would ONLY be on ISP 2....possible?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 40229297
Yes, what I meant was that you should be able to make nat statements:
inside 192.168.1.1 outside1 x.x.x.x
inside 192.168.1.1 outside2 y.y.y.y
and have those exist at the same time. If you are looking to direct 192.168.1.1 out outside2 when everyone else is using outside1, then you are probably going to have some troubles.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40237037
Agreed, you can have static translations, and use port forwarding in this configuration.
Also (surprisingly, and contrary to what you will read) if traffic was coming from outside to an internal IP (i.e. a web server or a mail server), then both the public IP addresses can be used at the same time.
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs



Pete
0
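
The arrangement rauenpc and Pete Long describe, written out in pre-8.3 `static` syntax as an added example that is not part of the original thread. Interface names follow the question's VLAN labels; every address (documentation ranges), the inside host 192.168.1.10, the SMTP service and the SLA settings are assumptions, and the inside interface is taken as already configured.

```cisco
! Constructed example for ASA 8.2(5) (pre-8.3 NAT syntax). Addresses are
! documentation ranges, not values from the thread:
!   ISP 1: 198.51.100.0/29, gateway .1, ASA .2
!   ISP 2: 203.0.113.0/29,  gateway .1, ASA .2
!   Inside mail server (hypothetical): 192.168.1.10
interface Vlan2
 nameif outside-1
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Vlan3
 nameif outside-2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Primary default route is tracked by an ICMP probe; the ISP 2 default
! route floats behind it with a higher administrative distance.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside-1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside-1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside-2 0.0.0.0 0.0.0.0 203.0.113.1 2
!
! One inside host, one static translation per ISP interface.
static (inside,outside-1) 198.51.100.3 192.168.1.10 netmask 255.255.255.255
static (inside,outside-2) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped (public) address.
! Permit only the published service on each link.
access-list OUTSIDE-1-IN extended permit tcp any host 198.51.100.3 eq smtp
access-list OUTSIDE-2-IN extended permit tcp any host 203.0.113.3 eq smtp
access-group OUTSIDE-1-IN in interface outside-1
access-group OUTSIDE-2-IN in interface outside-2
!
! Outbound PAT on both interfaces, so other inside hosts are translated
! on whichever link currently holds the default route.
global (outside-1) 1 interface
global (outside-2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Removing the `outside-1` static leaves a translation that exists only on ISP 2, which is the case the author asks about; as rauenpc notes, connections the server itself initiates still leave through whichever default route is active. `show xlate` and `show conn` show which mapped address and interface a given inbound connection is using.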
