https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017740#M399531 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If just redundancy is your requirement then the ASA can do it very well, you would not need a router at all. 1921 router should be fine.</P><P></P><P>You can create the static nat on the router, here's a simplified example for it:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml</A></P><P></P><P>And once the traffic is natted on the router, you can do a nat-bypass on the ASA, to just let the packets pass through without doing any nat, here's an example for it:</P><P></P><P><A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html</A></P><P></P><P>Hope this helps.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Fri, 14 Sep 2012 11:57:09 GMT varrao 2012-09-14T11:57:09Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017735#M399526 <P>I've the following question</P><P>A customer is implementing a dual uplink path to internet , a service provider will bring two separate link with two public addressing and two routers , and asked to provide a solution to manage the dual path in this way :</P><P>- internal server published to internet , now with only one public address , will have to be published against the two public addresses scope .This to provide fault tolerance of one link path .</P><P> As for example the classic mail server which now is published with 1.1.1.x will have to be published with 2.1.1.1 AND 3.1.1.1 </P><P>- Outgoing traffic will have to be routed by protocol , in normal situation , using one link for some traffic and the other for some different traffic</P><P>- Failover . If an uplink should go down all the traffic should be routed to the survived link</P><P></P><P>I wonder which hw should be provide to accomplish that design</P><P>I first thought at a configuration with an ASA just behind the two uplink routers , but wonder if it can work , for source routing for example , or if we need another router between the asa and the two service provider's routers</P><P>In this case which model can do the work </P><P></P><P>Is there any example of this configuration I can look for ?</P><P>Thanks</P><P>Stefano Colombo</P><P></P><P>Sent from Cisco Technical Support iPad App</P> Mon, 11 Mar 2019 23:52:28 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017735#M399526 s_colombo 2019-03-11T23:52:28Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017736#M399527 <HTML><HEAD></HEAD><BODY><P>Hi Stefano,</P><P></P><P>Unfortunately ASA cannot do traffic load balancing, which means your point 1 is not possible, although failover for your ISP can be easily configured on the ASA, you can follow this doc for it:</P><P></P><P><A class="active_link" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml</A></P><P></P><P>For you load balancing requirement, you can go for, PBR on the router, this definitely is a more suitable option, here's a good link to understand it:</P><P></P><P><A _jive_internal="true" class="active_link" href="https://community.cisco.com/docs/DOC-8313">https://supportforums.cisco.com/docs/DOC-8313</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Tue, 11 Sep 2012 11:49:24 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017736#M399527 varrao 2012-09-11T11:49:24Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017737#M399528 <HTML><HEAD></HEAD><BODY><P>Hi ,</P><P>thanks for the link you provided , it's very useful</P><P>I have a question</P><P>Given the configuration in the example , how can I add an asa behind the PBR router ?</P><P>I mean , I need to create some static NAT for publishing some servers ( ie mail servers ) on the two ISP at the same time </P><P></P><P>Which router would be right to the job ?</P><P>thanks</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 13 Sep 2012 00:09:46 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017737#M399528 s_colombo 2012-09-13T00:09:46Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017738#M399529 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here's another document which can give you some idea about the topology that you can go for:</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-15622">https://supportforums.cisco.com/docs/DOC-15622</A></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/6/4/6/11646-Dual%20ISP%20Loadbalancing2.png" class="jive-image" /></P><P></P><P></P><P>The router can be any router which supports PBR, and yes you can create static nats for your servers behind the ASA on the firewall itself.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks, </P><P>Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Thu, 13 Sep 2012 07:31:14 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017738#M399529 varrao 2012-09-13T07:31:14Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017739#M399530 <HTML><HEAD></HEAD><BODY><P> Hello Varun ,</P><P>thanks for the links .</P><P>I looked at them and found that if we do not need PBR but simply redundancy we can even use an asa , is that correct ?</P><P>If we decide to go for a router between the asa and ISPs routers ( to use pbr ) would a 1921 be right for the job , which IOS feature do we need ?</P><P>Thanks</P><P></P><P>As per the static NAT </P><P>can you help me with providing examples on how to create on the router a static nat for external IP on the separate ISP to the same internal IP , which then would be NATTED again by the asa to the internal server ?</P><P>thanks</P></BODY></HTML> Fri, 14 Sep 2012 11:03:26 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017739#M399530 s_colombo 2012-09-14T11:03:26Z https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017740#M399531 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If just redundancy is your requirement then the ASA can do it very well, you would not need a router at all. 1921 router should be fine.</P><P></P><P>You can create the static nat on the router, here's a simplified example for it:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml</A></P><P></P><P>And once the traffic is natted on the router, you can do a nat-bypass on the ASA, to just let the packets pass through without doing any nat, here's an example for it:</P><P></P><P><A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html</A></P><P></P><P>Hope this helps.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Fri, 14 Sep 2012 11:57:09 GMT https://community.cisco.com/t5/network-security/multiple-uplink-path-with-asa/m-p/2017740#M399531 varrao 2012-09-14T11:57:09Z