Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
1
Helpful
6
Replies

ASA-5500 with double NAT

battanc
Level 1
Level 1

‎02-25-2013 04:54 AM - edited ‎03-11-2019 06:05 PM

ASA-5510, inside, outside, and some DMZ.

Some services published with Static NAT - no problem.

Now we need to add a second outside connection, with a second provider.

Internet navigation only through the first provider (default gateway to the provider router "A").

I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.

I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).

By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.

Any idea?

Labels:
0 Helpful
6 Replies 6

lcambron
Level 3
Level 3

‎02-25-2013 10:30 AM

Hello,

You need a default route for the second ISP with a lower metric.

Example:

route primary 0.0.0.0 0.0.0.0 x.x.x.x 1

route secondary 0.0.0.0 0.0.0.0 x.x.x.x 200

I hope it helps,,

Felipe.

battanc
Level 1
Level 1
In response to lcambron

‎02-27-2013 01:48 AM

I had already thought of such a thing

And if it was so easy I did not need to ask the forum ...

Claudio

0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to battanc

‎02-27-2013 02:16 AM

I think you won't be able to make responce to the outside go throug the same interface as request came in. Responce will always go through the route with lowest metric. I.e. your internal resources, wich you public to the internet will be available to outside world though two IP's, each corresponting to certain ISP, but responces to that requests will always go through the one of those.

If you had your own AS, you would be able to advertise your IP to both providers and there'll be no problem, but it's not your case.

One thing you can do is dynamically translate all requests from outside to some inside IP (outside-to-inside policy nat). For each outside interface you can assign dynamic NAT rules, wich will be translating requests to specific inside IP, corresponding to each interface. In that case, by looking at xlate talbe ASA will be able to distinguish to wich interface it should send traffic

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Andrew Phirsov

‎02-27-2013 02:36 AM

Hi,

What is the ASA software you are using?

Was your purpose to direct certain services (http/https) through the original ISP

AND

To host services on the other one?

- Jouni

0 Helpful

battanc
Level 1
Level 1
In response to Jouni Forss

‎02-27-2013 02:55 AM

Hi,

The ASA is running 8.4.4.1

The purpose for the "double" NAT is to have TWO ways for access to certain public services

Claudio

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to battanc

‎02-27-2013 04:09 AM

Hi,

I'll see if I can do some labing related to this later this evening.

Reason for this is that we never handle 2x ISPs on the ASA directly. Both ISPs are connected to the same interface and routing/traffic control is done elsewhere in the core.

Again something to test out of curiosity.

I'll let you know how it goes.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card