02-25-2013 04:54 AM - edited 03-11-2019 06:05 PM
ASA-5510, inside, outside, and some DMZ.
Some services published with Static NAT - no problem.
Now we need to add a second outside connection, with a second provider.
Internet navigation only through the first provider (default gateway to the provider router "A").
I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.
I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).
By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.
Any idea?
02-25-2013 10:30 AM
Hello,
You need a default route for the second ISP with a lower metric.
Example:
route primary 0.0.0.0 0.0.0.0 x.x.x.x 1
route secondary 0.0.0.0 0.0.0.0 x.x.x.x 200
I hope it helps,
Felipe.
02-27-2013 01:48 AM
I had already thought of such a thing
And if it was so easy I did not need to ask the forum ...
Claudio
02-27-2013 02:16 AM
I think you won't be able to make the response to the outside go through the same interface the request came in on. The response will always go through the route with the lowest metric. I.e., your internal resources, which you publish to the internet, will be available to the outside world through two IPs, each corresponding to a certain ISP, but responses to those requests will always go through one of those.
If you had your own AS, you would be able to advertise your IP to both providers and there'll be no problem, but it's not your case.
One thing you can do is dynamically translate all requests from outside to some inside IP (outside-to-inside policy NAT). For each outside interface you can assign dynamic NAT rules, which will translate requests to a specific inside IP corresponding to each interface. In that case, by looking at the xlate table, the ASA will be able to distinguish which interface it should send traffic to.
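The outside-to-inside policy NAT described in the reply above, sketched in ASA 8.3+ twice-NAT syntax (the ASA in this thread runs 8.4.4.1). This is an added example, not configuration posted by anyone in the thread; the interface name `outside2`, the object and ACL names, and every address are constructed placeholders, and the higher-metric route is an assumption about how the ASA finds a next hop on the second ISP.

```cisco
! Added example. Assumed interface names: "outside2" = ISP B, "inside" = server side.
! Constructed addresses: 10.0.0.10 = real server, 198.51.100.10 = public IP on ISP B,
! 198.51.100.1 = ISP B gateway.
object network SRV-REAL
 host 10.0.0.10
object network SRV-PUB-ISPB
 host 198.51.100.10
!
! Twice NAT for connections arriving on outside2:
!   destination: public ISP B address -> real server address
!   source:      any Internet client  -> the ASA's own inside interface address (PAT)
! The server replies to the ASA's inside address, the reply matches the xlate,
! and the ASA sends it back out outside2 instead of following the default route.
nat (outside2,inside) source dynamic any interface destination static SRV-PUB-ISPB SRV-REAL
!
! From 8.3 on, interface ACLs reference the real (untranslated) server address.
! Permit only the published service, here HTTPS as a sample.
access-list OUTSIDE2-IN extended permit tcp any object SRV-REAL eq 443
access-group OUTSIDE2-IN in interface outside2
!
! Assumption: a higher-metric default route on outside2 so the ASA has a next hop
! on that interface; the primary default route via ISP A stays at metric 1.
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 200
```

Because the source is translated to the ASA's inside address, the server's own logs no longer show the real client IP for connections arriving via ISP B; the ASA's connection and NAT logs become the record of who connected.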
02-27-2013 02:36 AM
Hi,
What is the ASA software you are using?
Was your purpose to direct certain services (http/https) through the original ISP
AND
To host services on the other one?
- Jouni
02-27-2013 02:55 AM
Hi,
The ASA is running 8.4.4.1
The purpose for the "double" NAT is to have TWO ways for access to certain public services
Claudio
02-27-2013 04:09 AM
Hi,
I'll see if I can do some labbing related to this later this evening.
Reason for this is that we never handle 2x ISPs on the ASA directly. Both ISPs are connected to the same interface and routing/traffic control is done elsewhere in the core.
Again something to test out of curiosity.
I'll let you know how it goes.
- Jouni