08-04-2010 05:38 PM - edited 03-11-2019 11:21 AM
Hi everyone, first of all, I'm sorry for my English!!!
I have a Cisco ASA with 3 interfaces:
- outside (172.1.1.0/24)
- primary (1.1.1.0/24)
- backup (2.2.2.0/24)
Also, I have one primary server with its backup server located in another site. Both servers have a real IP address and a virtual IP address:
- Primary Server: (real IP: 1.1.1.254) (virtual IP: 3.3.3.254)
- Backup Server: (real IP: 2.2.2.254) (virtual IP: 3.3.3.254)
The ASA has two routes for the "virtual IP address" of the servers, like this:
route primary 3.3.3.254 255.255.255.255 1.1.1.254 1 track 123
route backup 3.3.3.254 255.255.255.255 2.2.2.254 10 (note the weight of this second route)
The track 123 monitors the real IP address of the primary server (1.1.1.254), so when this server is down, the ASA automatically
changes the route to 3.3.3.254, using 2.2.2.254 as next-hop instead of 1.1.1.254. This works fine.
But we also need to hide the IP address 3.3.3.254 from the clients that access through the outside interface. So, we use a static NAT mapping the IP 172.1.1.5 to the IP 3.3.3.254.
static (primary,outside) 172.1.1.5 3.3.3.254
static (backup,outside) 172.1.1.5 3.3.3.254
The problem is that if I do this, neither of the statics works (OF COURSE, conceptually this totally makes sense to me).
I have to choose only one of both "statics", the primary or the backup interface. What I actually need is that the ASA maps the global IP to the local IP through the interface where the route to the virtual IP address is active at that moment, and all this has to be automatic.
We recently migrated from a Cisco 1811 router to this ASA, and with the router this works just fine (sure, no INTERFACE mapping is needed for the static).
Can somebody please help me with this!!!!!!
through the interface where it knows
08-04-2010 06:12 PM
Hello,
Do both your ISPs have a route to 172.1.1.0 pointing to your ASA's
interfaces? Can you try it on one interface alone, i.e. the primary interface, and
see if that works?
Regards,
NT
08-04-2010 06:34 PM
It appears that he has a single ISP but two local interfaces that one real server exists behind.
This server has two NICs behind two different interfaces on the ASA; both these NICs have IP addresses in 2 different networks, but share a third, virtual IP address. He is trying to NAT this virtual IP address to one translated IP, but on two different internal interfaces.
As far as I can see this is not possible.
The reason being that the destination NAT will disregard whatever route is in place. This can be seen if someone has a static NAT incorrectly configured. Like
static (inside,outside) 10.1.1.1 192.168.1.1
and even though the routing table may say 192.168.1.1 is actually on the DMZ, the packet is going to be pushed out the inside and you will get an error in the logs that says "no route to host".
Hopefully this will show where the flaw in the config is...
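As an added example (not from anyone in this thread), the check described above can be expressed as a small script: it parses the thread's `route` and `static` lines, works out which route the ASA would actually use for the real host given which track objects are up, and flags every static whose real-side interface disagrees with that route, plus any mapped address claimed from two real interfaces. The config text is constructed from the thread, and the track-state input is an assumption of the script, not something the ASA exports in this form.

```python
import ipaddress
import re

# Constructed config modelled on the thread's routes and statics (not the poster's real config).
SAMPLE_CONFIG = """
route primary 3.3.3.254 255.255.255.255 1.1.1.254 1 track 123
route backup 3.3.3.254 255.255.255.255 2.2.2.254 10
static (primary,outside) 172.1.1.5 3.3.3.254
static (backup,outside) 172.1.1.5 3.3.3.254
"""
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)$")  # static (real_if,mapped_if) mapped real

def parse(config):
    routes, statics = [], []
    for line in config.strip().splitlines():
        if m := ROUTE_RE.match(line.strip()):
            iface, net, mask, gw, dist, track = m.groups()
            routes.append({"iface": iface, "net": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           "gw": gw, "dist": int(dist or 1), "track": track})
        elif m := STATIC_RE.match(line.strip()):
            real_if, mapped_if, mapped, real = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "mapped": mapped, "real": real})
    return routes, statics

def active_route(routes, ip, tracks_up):
    """Route the ASA would install: longest prefix, then lowest distance; a tracked route counts only while its track is up."""
    ip = ipaddress.ip_address(ip)
    usable = [r for r in routes if ip in r["net"] and (r["track"] is None or r["track"] in tracks_up)]
    return min(usable, key=lambda r: (-r["net"].prefixlen, r["dist"]), default=None)

def check_statics(config, tracks_up):
    """Flag statics whose real interface disagrees with the active route, and a mapped IP claimed on two real interfaces."""
    routes, statics = parse(config)
    findings = []
    for s in statics:
        r = active_route(routes, s["real"], tracks_up)
        if r is None:
            findings.append(f"{s['mapped']}->{s['real']}: no route to real host")
        elif r["iface"].lower() != s["real_if"].lower():
            findings.append(f"{s['mapped']}->{s['real']}: static on {s['real_if']} "
                            f"but active route is via {r['iface']} ({r['gw']})")
    owners = {}  # (mapped_if, mapped_ip) -> set of real interfaces that claim it
    for s in statics:
        owners.setdefault((s["mapped_if"], s["mapped"]), set()).add(s["real_if"])
    for (mif, addr), real_ifs in owners.items():
        if len(real_ifs) > 1:
            findings.append(f"{addr} on {mif}: same mapped address from {sorted(real_ifs)}")
    return findings
```

Calling `check_statics(SAMPLE_CONFIG, {"123"})` and then `check_statics(SAMPLE_CONFIG, set())` shows that whichever way the track flips, one of the two statics always points at the interface the route is not using, which is the conflict the original poster describes.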
08-05-2010 07:08 AM
Hi,
There are two servers, not only one, and each server is located in a different place and connected to a different interface of the ASA.
We don't have any problem with the routes. Only the problem with this static.
As far as I know too, it is not possible to do what I need with the ASA, but I actually use version 8.0(4) in the ASA, and I was looking if a workaround exists, considering the new 8.3 version of the ASA and all the new NAT features this version has.
I really need to solve this. Also, I think it is not a bad idea to have a feature that can help with these kinds of things.
08-05-2010 08:55 AM
Hello,
Let us try the following:
access-list Server1 permit ip host 3.3.3.254 any
static (primary,outside) 172.1.1.5 access-list Server1
access-list Server2 permit ip host 3.3.3.254 any
static (backup,outside) 172.1.1.5 access-list Server2
Hope this helps.
Regards,
NT
08-05-2010 09:18 AM
Hi Nagaraja,
I would like to try your advice, but, like I said, actually we're using version 8.0(4), and if needed we will update to 8.3.x.
This ASA is in production, so I cannot upgrade this ASA only to try this, and sadly I don't have any spare ASA just to try this.
If somebody could help me by trying this with 8.3.x in a lab environment, it would be great.
Regards!
08-06-2010 01:49 PM
Can anybody help me by trying this in a lab environment with ASA 8.3.x?
access-list Server1 permit ip host 3.3.3.254 any
static (primary,outside) 172.1.1.5 access-list Server1
access-list Server2 permit ip host 3.3.3.254 any
static (backup,outside) 172.1.1.5 access-list Server2
08-07-2010 04:49 PM
Hello,
If you are using 8.3, the syntax will be different:
object network Server
host 3.3.3.254
object network Server_pub
host 172.1.1.5
nat (any,any) source static Server Server_pub
I have tested this on one of our spare firewalls with 8.3 and it does work. So, you should be able to configure it on your firewall.
Hope this helps.
Regards,
NT
08-09-2010 11:41 AM
Hi Nagaraja,
I will try this... I will let you know if it works or not as soon as I can.
Thanks