topic ASA with dual ISP and two public ranges in Network Security

ASA with dual ISP and two public ranges

Ricardo Duarte — Tue, 12 Mar 2019 00:31:03 GMT

Hi there,

I have one ASA connecting to two ISP. Each provides me a public ip range.
I want to publish some servers on ip1 from isp1, and some others on ip2 from isp 2. Im using snat. Each ISP does reverse path checks, so I cant have assymetric routing.
I can see inbound traffic will not be a problem, but what about (from the servers to the clients)?
Response traffic from ip1 should leave to default gw on isp1, and the one from ip2 should leave to default gw on isp2.
Am I able to do this it with the ASA?

Thanks

Ps.: i dont actually have this scenario today so cant try this out.

Sent from Cisco Technical Support iPad App

ASA with dual ISP and two public ranges

Muhammed Safwan — Sat, 01 Dec 2012 22:32:47 GMT

Presently it is not possible to load balance traffic between two ISP links on an ASA. The reason being, there can only be one default route configured on the ASA.

You can achieve your requirement with PBR feature but ASA will not support the PBR , you need to have router to configure PBR.

Configuration example is given on below link

https://supportforums.cisco.com/docs/DOC-13015

Regards,

Safwan

ASA with dual ISP and two public ranges

Julio Carvajal — Sat, 01 Dec 2012 23:05:13 GMT

Hello Ricardo,

As long as all the connections are innitiated on the outside interface, yes it will work....

As the ASA will see the connection being innitiated on ISP2 interface he will send the reply packet out that same interface ( even if the ISP1 is the primary)

Now if the servers innitiate the connection. I mean sends the first SYN packet, they will go out using ISP1

Regards,

Julio

ASA with dual ISP and two public ranges

RuiMeireles — Fri, 28 Jun 2013 15:39:49 GMT

jcarvaja, can you tell me how to implement that?

I have a similar situation (but I am not using ISPs, or public addresses).

I have 2 server LANs connected to the ASA, and 2 links to 2 different gateways. Default Gateway is GW1.

Users can already connect to LAN 1(using the link to GW1). I want them to be able to connect to LAN 2, using the link to GW2.

The incoming traffic arrives at the ASA from the GW2, and is sent to the LAN2.

However, the returning traffic arrives at ASA and is sent to GW1 (because GW1 is the default gateway).

I can't use static routes because users will use the same source IP addresses to connect to LAN1 and LAN2.

I can't use PBR (to define the gateway based on source IP address) because ASA doesn't support it.

Also, when I test connections to the LAN2 I can't see any connections in "show conn", perhaps they only show up only when the complete handshake is done?

I would appreciate if someone tell me if this can be accomplished, and how. Thanks.

ASA with dual ISP and two public ranges

Julio Carvajal — Sat, 29 Jun 2013 04:17:33 GMT

Can U elaborate this a littlebit more:

- A diagram

- What you trying to accomplish exactly

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

ASA with dual ISP and two public ranges

malshbou — Sat, 29 Jun 2013 06:14:29 GMT

Hi Ricardo, Rui,

I believe that acheiveing your requriments can be done only by outside PAT at one of the gateways (ISPs) so as to make all incoming traffic via one GW appear as (patted to) a single IP in the same range of the subnet between ASA and that GW, hence the return traffic (from LAN to Internet) will be routed based on a directly-connected route overriding the static route.

Hope this answers your question.

Mashal Alshboul

Re: ASA with dual ISP and two public ranges

RuiMeireles — Mon, 01 Jul 2013 13:59:47 GMT

Hi there. I solved my problem using (what I think is) Dynamic Identity NAT.

Note: My ASA is running firmware 8.2. With 8.3 and forward NAT commands would be different.

# Default route to GW1

route GW1 0.0.0.0 0.0.0.0 1

# Default route to GW2 with higher metric

route GW2 0.0.0.0 0.0.0.0 254

sysopt noproxyarp LAN2

static (LAN2,GW2) netmask

Now TCP and UDP connections that are originated by the users with destination to LAN2 will:

- arrive at ASA via link to GW2

- go to LAN2

- return to the ASA

- be forwarded to GW2, not using the default route to GW1

This is not working with ICMP, however. And connections with origin in LAN2 addresses and destination won't work either (obviously).