08-15-2011 06:36 AM - edited 03-11-2019 02:11 PM
Hi,
Background - I have an ASA which is connected to 2 internet service providers. Both providers have their respective public IP addresses configured on two different physical interfaces. I NAT the Inside zone proxy to one of the provider interfaces for browsing purposes.
Requirement - There should be an automatic switchover of the proxy from one provider to another when the configured NAT provider fails.
Solution -
The default route configured can be switched automatically from one provider to another using IP SLA monitoring; same has been tested and it works on the ASA.
Problem - The proxy NAT should be switched automatically from one provider to another. Is there any mechanism where the proxy is configured with 2 NAT IDs (one per provider), where one is preferred and, if that goes down, the other ID is picked?
Regards,
Amol.
08-19-2011 04:32 AM
Hi
This is not a tested solution but I think this will work.
Step 1 : Place the ISPs in different security levels. ISP1 in outside with security level 100 and ISP 2 in outside1 with security level say 95.
Step 2 : Config IP SLA ( as already done ) for routing switchover.
Step 3: Identify the addresses to be natted with nat (inside) 1 0.0.0.0 0.0.0.0 ( For all addresses)
Step 4: Repeat the above addresses with a different NAT ID: nat (inside) 2 0.0.0.0 0.0.0.0 ( For all addresses)
Step 5: Create two global pools with NAT ID 1 and 2 as
global (outside) 1
global (Outside2) 2
I have not tested the solution as I don't have access to ASA box.
But to be honest I think what will happen is traffic will match NAT ID 1 and the ASA will perform the required NATting and send it to the ISP 2 interface (because, due to IP SLA, the default route now points to ISP 2). ISP 2 might not transmit the traffic because the source address in the packet will be ISP1's. And even if it transmits, ISP 2 will not get any answer in return because the remote host will send the reply to the packet's source address, which is ISP 1's. And ISP1 is down.
If you try this stuff please let me know if it worked or not.
Thanks in advance
08-19-2011 06:01 AM
Hi
After more research I found the solution for the problem you are facing. The previous answer was full of crap and typing mistakes. Security level for outside interface as 100 and 95. My bad.
Here's the solution.
interface Ethernet0
nameif outsidePrimary
security-level 0
ip address 1.1.1.2 255.255.255.248
!
interface Ethernet1
nameif outsidebackup
!--- The interface attached to the Secondary ISP.
!--- "backup" was chosen here, but any name can be assigned.
security-level 0
ip address 2.2.2.2 255.255.255.248
!
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
!
global (outsidePrimary) 1 interface
global (outsidebackup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
!--- NAT Configuration for Outside and Backup
route outsidePrimary 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.
route outsidebackup 0.0.0.0 0.0.0.0 2.2.2.1 254
!--- Define the backup route to use when the tracked object is unavailable.
!--- The administrative distance of the backup route must be greater than
!--- the administrative distance of the tracked route.
!--- If the primary gateway is unreachable, that route is removed
!--- and the backup route is installed in the routing table
!--- instead of the tracked route.
And then define the config for IP SLA Monitor.
Hope this helps.
Cheers
08-22-2011 07:46 AM
Hi Deepak,
Thx for responding. I am not sure if the given solution would work; actually I haven't come across anything that specific, but what I see is that the firewall does accept it. Following for your perusal -
Hostname/admin# sh run global 100
global (outside) 100 21.21.14.250 netmask 255.255.255.255
global (dmz) 100 21.21.13.250 netmask 255.255.255.255
Hostname/admin#
Hostname/admin# sh run nat 100
nat (inside) 100 10.224.45.254 255.255.255.255
Hostname/admin#
Let me check on this and would let you know.
Would also like to inform you of the following config which I checked and which didn't work; just for your information...
global (outside1) 100 interface
global (outside2) 101 interface
Hostname/admin#
Hostname/admin# sh run | i pat
access-list pat-SP1 extended permit ip host 10.224.45.100 any
access-list pat-SP2 extended permit ip host 10.224.45.100 any
Hostname/admin# sh run | i nat
nat (inside) 100 access-list pat-SP1
nat (inside) 101 access-list pat-SP2
When the above was entered the browsing stopped completely, but when I removed one PAT access list it started to work again. The default route was anyway being handled by the IP SLA.
Thx,
Amol
08-22-2011 08:46 AM
Hi,
I am not really sure about your exact requirement but what I gather is you have two ISP providers and you want these two ISPs for redundancy, so if the first goes down the second takes over automatically?
Well, if that's your requirement, have you configured SLA monitoring on the ASA? Because without it this would not work and the ASA would keep punting the packets to your DG with the least-metric default route. So you need to add these commands:
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.25.0.250 254
Without this config the switchover won't happen automatically; the IPs in the above example are just for example purposes.
You can refer to this doc for more help:
Let me know if this is what you were looking for.
Thanks,
Varun
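The posts above all hinge on the same few ASA 8.2-style pieces fitting together: the route commands must reference the interface nameifs, the backup default route needs a higher administrative distance than the tracked one, the track object must point at a defined sla monitor, and every NAT ID used on the inside needs a global on each interface that can carry the default route. The following script is an added example, not code from any poster or from Cisco: it parses those statements out of a config and reports the mismatches. The two sample configs are constructed here; the first is the corrected dual-ISP layout, the second reproduces the kind of slip where routes name "outside"/"backup" while the nameifs are "outsidePrimary"/"outsidebackup". The finding codes are my own naming.

```python
import re

# Constructed sample: corrected dual-ISP config (nameifs, routes, track, sla all consistent).
SAMPLE_GOOD = """
interface Ethernet0
 nameif outsidePrimary
 security-level 0
interface Ethernet1
 nameif outsidebackup
 security-level 0
interface Ethernet2
 nameif inside
 security-level 100
global (outsidePrimary) 1 interface
global (outsidebackup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
sla monitor 123
 type echo protocol ipIcmpEcho 1.1.1.1 interface outsidePrimary
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outsidePrimary 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route outsidebackup 0.0.0.0 0.0.0.0 2.2.2.1 254
"""

# Constructed sample: routes use names that are not nameifs, the track object is
# never defined, and the backup interface has no global for NAT ID 1.
SAMPLE_BAD = """
interface Ethernet0
 nameif outsidePrimary
interface Ethernet1
 nameif outsidebackup
interface Ethernet2
 nameif inside
global (outsidePrimary) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.1 254
"""


def parse_asa(text):
    """Pull out the statements relevant to dual-ISP NAT failover (8.2-style syntax)."""
    cfg = {"nameifs": set(), "globals": [], "nats": [], "routes": [], "tracks": {}, "slas": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"nameif (\S+)$", line):
            cfg["nameifs"].add(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)\b", line):
            cfg["globals"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r"nat \((\S+)\) (\d+)\b", line):
            cfg["nats"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$", line):
            iface, net, mask, gw, ad, trk = m.groups()
            cfg["routes"].append({"iface": iface, "net": net, "mask": mask, "gw": gw,
                                  "ad": int(ad) if ad else 1,  # ASA default AD for a static route
                                  "track": int(trk) if trk else None})
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", line):
            cfg["tracks"][int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"sla monitor (\d+)$", line):
            cfg["slas"].add(int(m.group(1)))
    return cfg


def check_failover(cfg):
    """Return a list of (code, detail) findings; an empty list means the pattern is consistent."""
    findings = []
    for kind in ("globals", "nats"):
        for iface, _ in cfg[kind]:
            if iface not in cfg["nameifs"]:
                findings.append(("UNKNOWN_IF", f"{kind[:-1]} references unknown interface '{iface}'"))
    for r in cfg["routes"]:
        if r["iface"] not in cfg["nameifs"]:
            findings.append(("UNKNOWN_IF", f"route references unknown interface '{r['iface']}'"))
    defaults = [r for r in cfg["routes"] if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    exit_ifaces = {r["iface"] for r in defaults}
    # Every NAT ID used needs a global on each interface that can become the default exit.
    for _, nat_id in cfg["nats"]:
        have = {iface for iface, gid in cfg["globals"] if gid == nat_id}
        for iface in sorted(exit_ifaces - have):
            findings.append(("NO_GLOBAL", f"nat id {nat_id} has no global on '{iface}'"))
    tracked = [r for r in defaults if r["track"] is not None]
    untracked = [r for r in defaults if r["track"] is None]
    if len(defaults) > 1 and not tracked:
        findings.append(("NO_TRACKED_ROUTE", "multiple default routes but none is tracked"))
    for r in tracked:
        if r["track"] not in cfg["tracks"]:
            findings.append(("NO_TRACK", f"track {r['track']} is referenced but not defined"))
        elif cfg["tracks"][r["track"]] not in cfg["slas"]:
            findings.append(("NO_SLA", f"sla monitor {cfg['tracks'][r['track']]} is not defined"))
        for b in untracked:  # backup AD must be greater than the tracked route's AD
            if b["ad"] <= r["ad"]:
                findings.append(("AD_ORDER", f"backup via '{b['iface']}' AD {b['ad']} <= tracked AD {r['ad']}"))
    return findings


def lint(text):
    return check_failover(parse_asa(text))


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, lint(sample) or "no findings")
```

Run it as-is to see the second sample flagged for the two unknown route interfaces, the undefined track, and the missing global on both default-route interfaces; the first sample produces no findings. Paste a real `show run` into the `text` argument of `lint` to apply the same checks to a live box.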
05-12-2012 08:00 AM
Hi Deepak,
Tried the following config as mentioned by you earlier but it didn't work
global (outsidePrimary) 1 interface
global (outsidebackup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
Interesting to note that ICMP ping works as expected. This means that, as per the required routing and its manipulation using the IP SLA, the necessary PAT gets assigned and the ping goes fine, but somehow the connectivity is not working. No browsing, no successful sessions. But if I remove the alternate NAT (global (outsidebackup) 1 interface) then the browsing starts.
Any idea why this is happening?
Regards
Amol.