Configure Cisco ASA for two internet links

Asked by davorin (Slovenia):

Hi,
for now I don't have complete information, but I would like to get some suggestions.
The customer has a single LAN subnet and two internet connections with two fixed IP addresses.
A couple of servers (5-10) use the Cisco ASA as gateway, connected to the first internet connection.
All other computers are configured via DHCP to use the ISA server as gateway, connected to the second internet connection.

Now they want to retire the ISA server and connect everything to the Cisco ASA, but they want to maintain the same traffic flow - servers should use the first internet connection, client computers the second.
On both internet connections a couple of port forwardings are configured.

Any suggestions about how the Cisco should be configured? One idea is to use two additional LAN ports configured with the IP addresses of the ISA server. So the Cisco would have two public IP addr. (different subnets) and two LAN IP addr. (same subnet), two NATs, ...

Thank you!
agonza07 (United States) replied:
The ASA can't do PBR, but depending on what you use the servers for you might be able to use the workaround below, where you route based on ports.

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
davorin (asker) replied:
Sorry, as I suspected, the info I had was incomplete.
It is not a Cisco ASA, but a Cisco 892 with 15.1.1T IOS, and it looks like it is a single internet connection with two IP addresses. It does support PBR, but I don't think that I need to use load balancing.

I'm thinking how to set everything as simple as possible. Probably using first internet connection (IP address) to access server services from internet (exchange server, web server,...) and second one for all other traffic would ease things a little bit.
ASKER CERTIFIED SOLUTION by agonza07 (United States); the solution text is available to members only.
davorin (asker) replied:
I have prepared some configuration changes and I would like your opinion on whether I have done something wrong. Yes, I know that you cannot be 100% sure without the whole configuration.
Where there is a question mark, I'm not sure whether to use that option.
1.2.3.4 is the secondary external IP address.

Add static NAT rules:
ip nat inside source static tcp 192.168.1.199 21 1.2.3.4 21 (extendable?)
ip nat inside source static tcp 192.168.1.193 3343 1.2.3.4 3343  (extendable?)
ip nat inside source static tcp 192.168.1.197 3337 1.2.3.4 3389  (extendable?)
(existing NAT rules use "interface fastethernet8" instead of primary external IP address)

Add secondary IP address on external interface fastethernet8:
ip address 1.2.3.4 255.255.0.0 secondary

Add ACLs for PBR:
ip access-list extended ACL_PBR1
permit tcp any any eq 21
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any range 60000 60003

ip access-list extended ACL_PBR2
permit tcp any any
permit ip any any

Add route-map for PBR:
route-map PBR1 permit 100
match ip address ACL_PBR1
set ip next-hop 1.2.3.1 (GW of secondary external IP address)

route-map PBR1 permit 200
match ip address ACL_PBR2
set ip next-hop 1.1.1.1 (GW of primary external IP address; all other traffic from LAN should go through this GW)

Set route-map on internal interface VLAN1
ip policy route-map PBR1
ip route-cache policy (?)

Remove default route: ip route 0.0.0.0 ....

Thx!
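As an added illustration (my own code, not from this thread, the asker, or Cisco), the following Python models the first-match semantics of the two ACLs and the route-map posted above, so the gateway a given LAN flow will be steered to can be checked before the configuration is loaded. It assumes LAN-originated packets evaluated on VLAN1 with their inside (pre-NAT) addresses, models neither NAT nor return traffic, and uses constructed sample flows towards documentation-range destination addresses.

```python
"""First-match model of a Cisco IOS extended ACL plus route-map (PBR).
Added example, not code from the thread: it reports which next hop a LAN-originated
packet gets under the ACLs and route-map posted above. Only the inside-interface
match/set step is modelled (pre-NAT addresses); NAT and return traffic are not."""
import ipaddress
from collections import namedtuple
from typing import Optional

# Packet: proto is "tcp"/"udp"/"icmp"; dport is the destination port, None when absent.
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))
# Ace: one access-control entry. proto "ip" matches every protocol; src/dst None means
# "any"; port_lo/port_hi bound the destination port, None means any port.
Ace = namedtuple("Ace", "action proto src dst port_lo port_hi", defaults=(None, None))

def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at t[i]; return (net, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))        # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{t[i]}/{32 - wildcard.bit_length()}", strict=False), i + 2

def parse_ace(line: str) -> Ace:
    t = line.split()                                       # e.g. "permit tcp any any eq 21"
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    lo = hi = None
    if i < len(t) and t[i] == "eq":
        lo = hi = int(t[i + 1])
    elif i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
    return Ace(t[0], t[1], src, dst, lo, hi)

def parse_acl(text: str):
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]

def _matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    for net, addr in ((ace.src, p.src), (ace.dst, p.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if ace.port_lo is None:
        return True
    return p.dport is not None and ace.port_lo <= p.dport <= ace.port_hi

def acl_permits(acl, p: Packet) -> bool:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for ace in acl:
        if _matches(ace, p):
            return ace.action == "permit"
    return False

def pbr_next_hop(route_map, acls, p: Packet) -> Optional[str]:
    """route_map = [(seq, acl_name, next_hop)]; lowest matching seq wins, None = routing table."""
    for _seq, acl_name, next_hop in sorted(route_map):
        if acl_permits(acls[acl_name], p):
            return next_hop
    return None

def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.src is None or (b.src is not None and b.src.subnet_of(a.src)))
            and (a.dst is None or (b.dst is not None and b.dst.subnet_of(a.dst)))
            and (a.port_lo is None or (b.port_lo is not None
                                       and a.port_lo <= b.port_lo <= b.port_hi <= a.port_hi)))

def redundant_entries(acl):
    """Indexes of entries that a later entry with the same action already covers."""
    out = []
    for i, ace in enumerate(acl):
        for later in acl[i + 1:]:
            if later.action != ace.action:
                break                     # a different action in between: entry stays relevant
            if _covers(later, ace):
                out.append(i)
                break
    return out

# The ACLs and route-map exactly as posted in the question.
ACLS = {
    "ACL_PBR1": parse_acl("permit tcp any any eq 21\npermit tcp any any eq 80\n"
                          "permit tcp any any eq 443\npermit tcp any any range 60000 60003"),
    "ACL_PBR2": parse_acl("permit tcp any any\npermit ip any any"),
}
ROUTE_MAP_PBR1 = [(100, "ACL_PBR1", "1.2.3.1"), (200, "ACL_PBR2", "1.1.1.1")]

# Constructed sample flows from the LAN towards documentation-range addresses.
SAMPLE_PACKETS = {
    "ftp":      Packet("tcp", "192.168.1.199", "198.51.100.5", 21),
    "dns":      Packet("udp", "192.168.1.50", "203.0.113.53", 53),
    "hi-port":  Packet("tcp", "192.168.1.50", "198.51.100.5", 60002),
    "alt-http": Packet("tcp", "192.168.1.50", "198.51.100.5", 8080),
}

def classify_all(route_map=ROUTE_MAP_PBR1):
    """Next hop chosen for each sample flow under the given route-map."""
    return {name: pbr_next_hop(route_map, ACLS, p) for name, p in SAMPLE_PACKETS.items()}
```

Calling classify_all() shows the UDP DNS flow falling through ACL_PBR1 (whose entries are all TCP) to ACL_PBR2 and the primary gateway, while redundant_entries(ACLS["ACL_PBR2"]) flags the first line of ACL_PBR2 because "permit ip any any" already covers it. Calling pbr_next_hop with a route-map that has only sequence 100 returns None for the port-8080 flow: a packet no sequence matches is handed to the normal routing table, which is worth keeping in mind when the default route is removed as the post proposes.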
SOLUTION; the solution text is available to members only.
davorin (asker) replied:
PBR is not working properly, but I will try to resolve the problem when I have a little more time. I will probably open a new question. Thank you for now!