topic one inside source address statci nat to two outside interface ad in Network Security

one inside source address statci nat to two outside interface address.

fly — Mon, 11 Mar 2019 20:59:06 GMT

HI,

i have a problem

customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address

one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address.

the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB.

but i found it is difficult implement this on ASA5580.

i want use route-map on static nat, but it will not satisfy customer's request.

is there any new method .

thank you

tom

one inside source address statci nat to two outside interface ad

varrao — Fri, 15 Jul 2011 03:21:48 GMT

Hi Fly,

I am not sure whether this is possible but still just to give it a try , can you tell me the following things:

will the same server be able to access from both ISPA and ISPB?

the server would be needed to be natted to 2 public IP's?

from which interface do you want to access the internet for internal users?

what software version are you using for ASA?

Kindly let me know the answers for thses questions.

Thanks,

Varun

one inside source address statci nat to two outside interface ad

varrao — Fri, 15 Jul 2011 03:23:38 GMT

If the customer is trying to setup a dual isp on asa, here is a doc for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

here is another one:

https://supportforums.cisco.com/docs/DOC-13015

-Varun

one inside source address statci nat to two outside interface ad

fly — Fri, 15 Jul 2011 03:31:48 GMT

Hi Varun

Thank you!

will the same server be able to access from both ISPA and ISPB?

//yes, same server be able to access from both ISPA and ISPB, access traffic is coming from internet.

the server would be needed to be natted to 2 public IP's?

//yes static nat, the server will be visited from internet only. will never orginate traffic by itself

from which interface do you want to access the internet for internal users?

//custome want access traffic coming from ISPA will return to internet by ISBA interface,

access traffic coming from ISPB will return to internet by ISBB interface.

what software version are you using for ASA?

//i m not sure the version of software.

thank you!

Tom

one inside source address statci nat to two outside interface ad

varrao — Fri, 15 Jul 2011 06:52:51 GMT

Hi Tom,

Kindly follow this thread, and let me know if your requirement matches:

https://supportforums.cisco.com/thread/2093723?tstart=0

Thanks,

Varun

one inside source address statci nat to two outside interface ad

lichuan liu — Fri, 15 Jul 2011 09:01:02 GMT

Hi Varun

thank you!

it is not same sitiuation i have.

may i clear my problem again.

customer has one asa 5580, one inside interface, connect one inside server.

two outside interface, these two outside interface connect to internet. one connect to ISPA,one connect to ISPB.different address space.

custome config two static map ,map same inside server to ISPA and ISPB address.

the traffic is coming from internet( may be usa,europe,anywhere), customer want implement this:

when traffic is coming from ISPA, return traffic to internet will pass through ISPA interface

when traffic is coming from ISPB,return traffic to internet will pass through ISPB interface

the server in inside interface will never originate traffic when there is no traffic from outside internet.

thank you!

Tom

one inside source address statci nat to two outside interface ad

varrao — Fri, 15 Jul 2011 10:13:32 GMT

Hi Tom,

If I understand your requirement, there is no need for internet access from inside to outside, but only access from outside to inside. So based on this we can try this configuration:

Lets say you configure two interfaces ISPA and ISPB.

so for ISPA:

lets say the server IP is 2.2.2.2

access-list policy_ispa permit ip any host 2.2.2.2

nat (ISPA) 1 access-list policy_ispa

global (inside) 1 interface

static (inisde,ISPA) 2.2.2.2 10.1.1.1

for ISPB:

access-list policy_ispb permit ip any host 2.2.2.2

nat (ISPB) 2 access-list policy_ispb

global (inside) 2 interface

static (inside,ISPB) 2.2.2.2 10.1.1.1

This might help us with it, and you would definitely need a route for it:

route ISPA 0.0.0.0 0.0.0.0 1

route ISPB 0.0.0.0 0.0.0.0 100

I haven't tested any such configuration, but by logic, it should work.

Thanks,

Varun