topic Re: Since you have IP Sla, ISP-2 in Network Security

Dual-ISP Public IP Redundancy for a single inside server NATed for Outside Access

Dean Romanelli — Tue, 12 Mar 2019 07:13:52 GMT

Hi All,

Currently I have a 6509 switch which connects to an HA-Pair of 5520's. The 5520's connect to both ISP 1 (12.x.x.x) & ISP 2 (50.x.x.x). I have an inside server farm on 192.168.0.0/24, and many of these servers need to be accessed from the outside, which requires public NATs in my ASA, which I have. However, currently we are only NATing the inside 192.168.0.0/24 farm addresses to available public IP's within the subnet block ISP 1 has given to us on the 12.x.x.x/27 space. An example is below:

object network corpmobile.domain.com
host 192.168.0.17

object network corpmobile.domain.com-public
host 12.x.xxx.17

object network corpmobile.domain.com
nat (inside,outside) static corpmobile.domain.com-public

In the event ISP 1 fails, these services will no longer be accessible from the outside, since ISP 2 is on a 50.x.x.x/27 space, and the static NATs for the inside services are on 12.x.x.x/27 (ISP 1, which would be down).

Is there a way I can configure the ASA to static NAT a single inside server to respond when tried from outside on a 50.x.x.x/27 AND a 12.x.x.x/27 address so that if ISP 1 is down, my services will still be accessible via ISP 2 via to 50.x.x.x/27 NAT?

Drawing of existing topology attached for a visual if needed.

This document should be very

Syed Taukir — Tue, 02 Feb 2016 18:27:52 GMT

This document should be very helpful. IP Sla and using backup routes

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

If your ASA has a default route via ISP-1 then there's no problem. Incase your ISP-1 fails then from the outside to access a specific Server on the inside, you need to reach to 50.x.x.x/27. For this you need to have a static NAT and also a route with a higher Admin Distance. You may refer to a similar query in this link

HTH

Syed

Hi Syed,

Dean Romanelli — Tue, 02 Feb 2016 20:24:13 GMT

Hi Syed,

Thanks for replying. I should have mentioned that I do have IP SLA configured already.

The problem I am having is how to configure the inside server to been seen on the outside as either 12.x.x.x/27 or 50.x.x.x/27. Right now I have:

object network corpmobile.domain.com
host 192.168.0.17

object network corpmobile.domain.com-public
host 12.x.xxx.17

object network corpmobile.domain.com
nat (inside,outside) static corpmobile.domain.com-public

But if ISP 1 goes down (12.x.x.x/27), then currently, none of my NATs are going to work because those NATs are only accessible when ISP 1 is up, since they are on public addresses on ISP 1's space. So how can I configure the ASA so that my inside IP address can be mapped to two outside addresses; 1 on 12.x.x.x and 1 on 50.x.x.x?

Hi Dean,

Syed Taukir — Wed, 03 Feb 2016 13:23:02 GMT

Hi Dean,

You can create another object network with the same host.

=>From the link Configuring object NAT, it states the following

"You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on. "

=>You already have the object "corpmobile.domain.com" with host 192.168.0.17. You can still create another object with the same host.

object network corpmobile.domain.com.isp2
host 192.168.0.17

nat(inside,outside) static 50.x.x.x

=>If ISP-1 fails then you should access the server on 50.x.x.x and a connection will be established as the ASA would have it's default route via ISP-2.

=>If you want, you can also access the Server via ISP-1 and ISP-2 at the same time by having 2 default routes via ISP-1 and ISP-2 and one of them having a higher Admin Distance.

HTH

Syed Taukir

Thanks Syed. So just to

Dean Romanelli — Thu, 04 Feb 2016 19:27:02 GMT

Thanks Syed. So just to confirm. I can do the following:

object network corpmobile.domain.com-isp1
host 192.168.0.17

object network corpmobile.domain.com-public-isp1
host 12.x.xxx.17

object network corpmobile.domain.com-isp1
nat (inside,outside) static corpmobile.domain.com-public-isp1

object network corpmobile.domain.com-isp2
host 192.168.0.17

object network corpmobile.domain.com-public-isp2
host 50.x.xxx.17

object network corpmobile.domain.com-isp2
nat (inside,outside) static corpmobile.domain.com-public-isp2

And the address that will reply depends on where the default tracked route is pointing. If it is pointed out to ISP 1, it will be seen on 12.x.x.17, if it pointing out to ISP 2, it will be seen on 50.x.x.17.

Now, the only other problem is what about DNS? ISP 1 is currently the resolver for name-to-IP's. So if ISP 1 goes down, users are still going to enter the same URL, and ISP 1's DNS server is going to reply with a name resolution of that URL still belonging to a 12.x.x.x address.

Since you have IP Sla, ISP-2

Syed Taukir — Thu, 04 Feb 2016 19:39:35 GMT

Since you have IP Sla, ISP-2 would kick in once ISP-1 goes down and all new requests would resolve to the DNS reply received over ISP-2 (50.x.x.x).

HTH

Syed

Ok, so basically I need to

Dean Romanelli — Thu, 04 Feb 2016 20:59:36 GMT

Ok, so basically I need to have both ISP's create outside DNS entires for each of my inside servers that are getting NATed, and the DNS resolution that will reply to outside internet requests will be dependent on which route is active via the IP SLA right?

No dynamic DNS or fat piping in the cloud would be needed?

Re: Since you have IP Sla, ISP-2

collinks2 — Tue, 30 Oct 2018 06:31:52 GMT

Hello Syed and Dean,I know this is an old post.I have a similar case .i know how to set up ip sla for dual isps.My question centers on the 'Dns resolution '
I have a public domain 'lab.com' from a domain provider.i have this subdomain 'call.lab.com ' which resolves to this public ip address 1.1.1.1/27. The host server is sitting on the edge with that public ip add. Cisco router or firewall is not playing any role to minimize nat issues.
If i have another isp2 2.2.2.2/27,is there anyway i can make the call.lab.com resolves to 1.1.1.1 or 2.2.2.2 in case one of the isps fails.
In the dns record of the domain provider,can i point call.lab.com to two different public ip address.