Solved

Cisco ASA 5505 with Security Plus - 2 ISPs with NATs to internal hosts from each ISP?

Posted on 2014-07-30
4
610 Views
Last Modified: 2014-08-11
Hello,

I have a Cisco ASA 5505 with Security Plus licensing and unlimited hosts that currently has (2) ISPs installed:

VLAN 1:  INSIDE
VLAN 2:  OUTSIDE-1 (ISP 1 = /29 from tier 1 ISP)
VLAN 3:  OUTSIDE-2 (ISP 2 = /29 from tier 1 ISP)

I have set ROUTE OUTSIDE statement as:

route outside 0.0.0.0 0.0.0.0 ISP-1-GATEWAY 1 (metric of 1)
route outside 0.0.0.0 0.0.0.0 ISP-2-GATEWAY 2 (metric of 2)

I am not sure how to set up the NAT statement (static inside,outside) so that an IP address on ISP-2 will statically translate the same as the ones that I have on ISP-1 using standard static (inside,outside) statements.  I UNDERSTAND that to do this correctly, we need Policy Based Routing (PBR) and that the ASA does not do this, but I have seen examples of different NAT statements that have gotten this to be able to work in some capacity.

The IOS version is 8.25
0
Comment
Question by:jkeegan123
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 40229170
I think you can plainly create two nat statements pointed at the same inside IP, but using the respective outside IP addresses. I don't know for sure if this is possible with 8.2.5 code, but I know I can do it on 8.3+ code. In 8.3+, you end up needing to make what is essentially duplicate host objects (two objects with the same host IP defined) with nat statements.

I *think* with the two nat statements in place, connections initiated from the outside will work simultaneously on those nat statements only because the return traffic will have an existing nat translation to work with. However, outbound connections initiated from your server will only be able to use the primary/active default route and associated NAT statements. The only way I've been able to "load balance" was to setup nat statements based on outside destinations, but that doesn't really work well unless you have a very specific destination to be used, such as an email smarthost.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 40229282
I don't need NAT statements to point to the same IP on both ISPs, it would be a separate NAT statement that would ONLY be on ISP 2....possible?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 40229297
Yes, what I mean was that you should be able to make nat statements:
inside 192.168.1.1 outside1 x.x.x.x
inside 192.168.1.1 outside2 y.y.y.y
and have those exist at the same time. If you are looking to direct 192.168.1.1 out outside2 when everyone else is using outside1, then you are probably going to have some troubles.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40237037
Agreed, you can have static translations, and use port forwarding in this configuration.
Also (surprisingly, and contrary to what you will read) if traffic was coming from outside to an internal IP (i.e. a web server or a mail server), then both the public IP addresses can be used at the same time.
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs

Pete
0
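The configuration below is an added worked example, not code posted by the asker or by any of the experts in this thread. It puts together what rauenpc and Pete Long describe: one inside host reachable through a static translation on each of the two outside interfaces, with the 8.2(5) syntax the asker is running and the 8.3+ object form rauenpc mentions. All addresses are constructed (RFC 5737 documentation ranges for the two /29 blocks, 192.168.1.10 for the inside host); the interface names INSIDE, OUTSIDE-1 and OUTSIDE-2 come from the question. The tracked default routes are my addition, so that the secondary route is only used when the primary gateway stops answering.

```cisco
! ===== ASA 8.2(5) syntax (the asker's version) =====
! Constructed addressing:
!   ISP-1 block 203.0.113.0/29  gateway 203.0.113.1  ASA 203.0.113.2  public for server 203.0.113.3
!   ISP-2 block 198.51.100.0/29 gateway 198.51.100.1 ASA 198.51.100.2 public for server 198.51.100.3
!   Inside host 192.168.1.10 (web server)

! Default route on each of the two outside interfaces, not two routes on one interface.
! Route 1 is withdrawn when the ICMP probe to the ISP-1 gateway fails; route 2 then takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE-1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route OUTSIDE-1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route OUTSIDE-2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Outbound PAT for everyone else, one global per ISP interface, same NAT id.
global (OUTSIDE-1) 1 interface
global (OUTSIDE-2) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0

! Two static translations for the SAME inside host, one per outside interface.
! ISP-1 side: full one-to-one static.
static (INSIDE,OUTSIDE-1) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
! ISP-2 side: port-forward only the service that must be reachable (Pete's "port forwarding").
static (INSIDE,OUTSIDE-2) tcp 198.51.100.3 443 192.168.1.10 443 netmask 255.255.255.255

! In 8.2 the inbound ACL matches the MAPPED (public) address. Permit only the needed ports.
access-list OUTSIDE-1_IN extended permit tcp any host 203.0.113.3 eq 443
access-list OUTSIDE-2_IN extended permit tcp any host 198.51.100.3 eq 443
access-group OUTSIDE-1_IN in interface OUTSIDE-1
access-group OUTSIDE-2_IN in interface OUTSIDE-2

! ===== ASA 8.3+ equivalent (rauenpc's "duplicate host objects") =====
! Two objects with the same host address, each carrying its own static NAT.
! object network SRV-ISP1
!  host 192.168.1.10
!  nat (INSIDE,OUTSIDE-1) static 203.0.113.3
! object network SRV-ISP2
!  host 192.168.1.10
!  nat (INSIDE,OUTSIDE-2) static 198.51.100.3 service tcp 443 443
! From 8.3 the inbound ACL matches the REAL address, so reference the object:
! access-list OUTSIDE-1_IN extended permit tcp any object SRV-ISP1 eq 443
! access-list OUTSIDE-2_IN extended permit tcp any object SRV-ISP2 eq 443
! access-group OUTSIDE-1_IN in interface OUTSIDE-1
! access-group OUTSIDE-2_IN in interface OUTSIDE-2
```

After applying it, `show route` should list only the OUTSIDE-1 default while track 1 is up, and `show xlate` should show both static entries for 192.168.1.10. The caveat rauenpc raised still applies: sessions the server itself initiates leave through whichever default route is active (OUTSIDE-1 here) and are translated by that interface's static; only inbound sessions arriving on OUTSIDE-2 use the 198.51.100.3 address, because the connection entry created on arrival carries the reply back out the same interface. Keeping each inbound ACL limited to the ports the static actually forwards means the second public address adds no exposure beyond the first.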
