Solved

Cisco ASA 5505 with Security Plus - 2 ISP's with NAT's to internal hosts from each ISP?

Posted on 2014-07-30
Medium Priority
636 Views
Last Modified: 2014-08-11
Hello,

I have a Cisco ASA 5505 with Security Plus licensing and unlimited hosts that currently has (2) ISPs installed:

VLAN 1:  INSIDE
VLAN 2:  OUTSIDE-1 (ISP 1 = /29 from tier 1 ISP)
VLAN 3:  OUTSIDE-2 (ISP 2 = /29 from tier 1 ISP)

I have set ROUTE OUTSIDE statement as:

route outside 0.0.0.0 0.0.0.0 ISP-1-GATEWAY 1 (metric of 1)
route outside 0.0.0.0 0.0.0.0 ISP-2-GATEWAY 2 (metric of 2)

I am not sure how to set up the NAT statement (static inside,outside) so that an IP address on ISP-2 will statically translate the same as the ones that I have on ISP-1 using standard static (inside,outside) statements.  I UNDERSTAND that to do this correctly, we need Policy Based Routing (PBR) and that the ASA does not do this, but I have seen examples of different NAT statements that have gotten this to be able to work in some capacity.

The IOS version is 8.25
Question by:jkeegan123
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40229170
I think you can plainly create two nat statements pointed at the same inside IP, but using the respective outside IP addresses. I don't know for sure if this is possible with 8.2.5 code, but I know I can do it on 8.3+ code. In 8.3+, you end up needing to make what is essentially duplicate host objects (two objects with the same host IP defined) with nat statements.

I *think* with the two nat statements in place, connections initiated from the outside will work simultaneously on those nat statements only because the return traffic will have an existing nat translation to work with. However, outbound connections initiated from your server will only be able to use the primary/active default route and associated NAT statements. The only way I've been able to "load balance" was to set up nat statements based on outside destinations, but that doesn't really work well unless you have a very specific destination to be used, such as an email smarthost.
 
LVL 5

Author Comment

by:jkeegan123
ID: 40229282
I don't need NAT statements to point to the same IP on both ISPs; it would be a separate NAT statement that would ONLY be on ISP 2... possible?
 
LVL 20

Expert Comment

by:rauenpc
ID: 40229297
Yes, what I mean was that you should be able to make nat statements:
inside 192.168.1.1 outside1 x.x.x.x
inside 192.168.1.1 outside2 y.y.y.y
and have those exist at the same time. If you are looking to direct 192.168.1.1 out outside2 when everyone else is using outside1, then you are probably going to have some troubles.
 
LVL 57

Accepted Solution

by:Pete Long (earned 2000 total points)
ID: 40237037
Agreed, you can have static translations, and use port forwarding in this configuration.
Also (surprisingly, and contrary to what you will read), if traffic is coming from outside to an internal IP (i.e. a web server or a mail server), then both public IP addresses can be used at the same time.
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs

Pete

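The dual-ISP static NAT layout the thread converges on (two statics for one inside host, one per outside interface, plus the port-forwarding variant), written out as an added example in ASA 8.2-style syntax; this is not configuration from any of the posters. Interface names, the RFC 5737 documentation addresses, the 192.168.1.x inside hosts and the SLA route tracking are my assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 (8.2) NAT syntax.
! Addresses are RFC 5737 documentation ranges; all names are assumptions.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! One default route per outside interface (the question put both on "outside").
! The primary route is tracked so the backup route takes over when ISP 1 fails.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Two static translations for the same inside host, one per ISP.
! Inbound connections work on both at once because each builds its own xlate;
! outbound connections from the host only follow the active default route.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside2) 198.51.100.10 192.168.1.10 netmask 255.255.255.255
!
! Port-forwarding variant, ISP 2 only: publish just TCP/443 rather than the whole host.
static (inside,outside2) tcp 198.51.100.11 443 192.168.1.11 443 netmask 255.255.255.255
!
! Interface ACLs: permit only the published services, never "permit ip any any".
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE2_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE2_IN extended permit tcp any host 198.51.100.11 eq 443
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE2_IN in interface outside2
!
! Verify with: show xlate | include 192.168.1.   and   show route | include 0.0.0.0
```

After changing static entries, clear the affected translations (clear xlate) so existing connections pick up the new mappings.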