topic Two isp's on the Cisco ASA and DMZ server access through internet in Network Security

Two isp's on the Cisco ASA and DMZ server access through internet

Mohammad Anowar Hossain Mazumder — Tue, 12 Mar 2019 01:11:53 GMT

Dear all,

I am looking your support on below configuration, please provide me correct solution. Actually we have two internet connections one is existing another one is new, but the new link will be main(active) while the old one will be standby (backup).

In the dmz zone we have one application server, for the DMZ need be configuration on firewall and need full access from outside through internet. For more information please see the attached Network Design.

Two isp's on the Cisco ASA for redundancy:
========================================
* For the new internet link it is a new public IP which should be connected to the FW.
The old and new links should be there in the Firewall but the new link will be main(active) while the old one will be standby (backup).
!
Interface eth0
nameif outside (primary isp link-NEW)
security-level 0
ip address X.X.X.2 255.255.255.252
!
interface eth1
nameif backup (this is another isp link-OLD)
security-level 0
ip address X.X.X.2 255.255.255.252
!
interface eth2
nameif inside
security-ledress 100
ip address X.X.X.249 255.255.252.0
!
* For the DMZ need a configuration for DMZ server for Application access from outside through internet
!
interface eth3
nameif DMZ
security-ledress 50
ip address X.X.X.200 255.255.255.0
!
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 X.X.X.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1 track 1
!
route backup 0.0.0.0 0.0.0.0 X.X.X.1 254
!
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10

(configure a new monitoring process with id 123, specify the monitoring
protocol & the target network object whose availability the tracking
process monitors. )
!
sla monitor schedule 123 life fireever start-time now
!
track 1 rtr 123 reachability

Two isp's on the Cisco ASA and DMZ server access through interne

jocamare — Sun, 10 Mar 2013 00:19:21 GMT

Basically you are adding a new ISP and want to use the DMZ server using the new link.

I would recommend you to configure a similar nat configuration to the one you had for the old ISP, this time just using an IP address in the new range.

Is the configuration you posted the complete configuration? i don´t see any configuration that will let you access a DMZ server from the outside.

Two isp's on the Cisco ASA and DMZ server access through interne

Mohammad Anowar Hossain Mazumder — Sun, 10 Mar 2013 19:55:14 GMT

Thanks for support @ jocamare, actually i am trying to do.... kindly help me on this post any advice how to do....

Two isp's on the Cisco ASA and DMZ server access through interne

jocamare — Sun, 10 Mar 2013 20:47:40 GMT

I'd love to help, but the configuration is not complete and i'm still unsure about the IP addressing scheme you want to use.

Clarify this for me and then i'll provide you with the configuration you need to apply.