Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
309
Views
15
Helpful
3
Replies

separate firewalls with separate ISP links

Go to solution
Madura Malwatte
Level 4
Level 4

‎04-19-2017 08:23 AM - edited ‎03-12-2019 02:14 AM

Hi All,

I am wondering if this is possible, there are two separate ASA's, with their own ISP links. Now if either of the ISP's fail, could the ASA's be configured to route through the other ASA's inside interface and to the other ISP?

example, ISP 1 fails, is it possible to configure a default route on the ASA1 to forward traffic through ASA2? I know we could track ISP1 and set an alternate route if the tracked network fails. But how would this affect ASA's NAT configuration when it's public IP is no longer available and using ASA2's inside interface as the default route next hop?

vlan 10 ------ (inside) ASA1 (outside) ------ ISP 1

 |

 |

switch

|

|

vlan 20----- (inside) ASA2 (outside) ------ ISP2

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Spooster IT Services
Level 7
Level 7
In response to Madura Malwatte

‎04-20-2017 06:26 AM

Hi mmalwatte,

See there are three basic cases,

1) If there is only dynamic PAT for both Vlans (in our case vlan 10 and vlan 20) to provide only internet connectivity, then don't need to worry about it. You only need to configure dynamic PAT for both Vlan on both ASA's.

2) If you have taken subnets from both ISP's and there is static NAT (one to one NAT) configured on both ASA's, then in those case the NAT will not work for those IP's/subnet which is taken from the ISP that fail.

3) If you have taken subnets independent from ISP's (directly from IANA) and advertise by you to both ISP's, then you only need to configure same static NAT rules on both ASA's.

Please remember to marked it as answered :-)

Spooster IT Services Team

View solution in original post

3 Replies 3

Go to solution
Spooster IT Services
Level 7
Level 7

‎04-20-2017 12:41 AM

Hi mmalwatte,

Is there static NAT configured on ASA's or only PAT is configured to provide internet access to LAN subnet? 

Spooster IT Services Team

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Spooster IT Services

‎04-20-2017 05:58 AM

It's just a hypothetical. what would the solution be for both situations?

0 Helpful

Go to solution
Spooster IT Services
Level 7
Level 7
In response to Madura Malwatte

‎04-20-2017 06:26 AM

Hi mmalwatte,

See there are three basic cases,

1) If there is only dynamic PAT for both Vlans (in our case vlan 10 and vlan 20) to provide only internet connectivity, then don't need to worry about it. You only need to configure dynamic PAT for both Vlan on both ASA's.

2) If you have taken subnets from both ISP's and there is static NAT (one to one NAT) configured on both ASA's, then in those case the NAT will not work for those IP's/subnet which is taken from the ISP that fail.

3) If you have taken subnets independent from ISP's (directly from IANA) and advertise by you to both ISP's, then you only need to configure same static NAT rules on both ASA's.

Please remember to marked it as answered :-)

Spooster IT Services Team
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card