08-06-2015 10:29 AM - edited 03-11-2019 11:23 PM
Hello Everyone,
I have a scenario here and i need to share it with you to a better solution to the client.
I have an ASA with two ISP-outside interfaces, and one inside interface.
ASA
INSIDE - INSIDE NETWORK
OUTSIDE1 - ISP1 - IP RANGE 1
OUTSIDE2 - ISP2 - IP RANGE 2
Currently we are using just the ISP1 with a default route to access the internet.
We are planning to use ISP2 at the same time than ISP1.
So, what we need to do is change the NAT for OUTSIDE1 to OUTSIDE2 and put an route to specific destinations to use OUTSIDE2 to prevent assimetric routing, it works for services that we know the destination address and that we don't have external access.
For external access to the websites we'll have a problem with the assimetric routing, because the default route is allocated to ISP1, so, the packet will entry using OUTSIDE2 and will return using OUTSIDE1, for this scenario, i thought in two possibilities, please verify if it is possible and what do you think about.
Scenario 1 - We are currently running 8.3, i thought in upgrade the firewall to the last IOS to use PBR and do the routing basing on origin address and not the destionation address, in this case, we will prevent assimetric routing doing the PBR for each host that we migrade.
Scenario 2 - shut the interface of ISP1 and turn thr default route to ISP2, do the NAT using the address of ISP1 even passing the traffic over the ISP2 with other ip address, in this case, we will have an ISR above the ASA to do the PBR, if the packets arrive on ASR using the origin adress from ISP1, send the packet to ISP1, if the packets arrive on ASR using the origin adress from ISP2, send the packet to ISP2.
Is it works? The guys here tested this on a LAB environment and works, but i don't know what are the problems that it cam bring to us, like spoofing problems and more.
What you think?
Attached an image for this second scenario to a better comprehension, a paint baased topology :P.
Thank you!
Solved! Go to Solution.
08-06-2015 11:50 PM
> if i don't have a route pointed to ISP2
The ASA behaves differently then a router. Just configure one with a higher AD:
route ISP2 0.0.0.0 0.0.0.0 a.b.c.d 200
> My problem is exacly that, the clients that i can't control de source IP, and the services that i don't know the destination IP.
How do you do NAT and access control if you don't know the destination?
08-06-2015 02:32 PM
This is a very often misunderstood behavior of the ASA. For your inbound traffic, you won't get asymmetric routing.
If your default-route points to ISP1 and you access your server by an IP from ISP2, the answer-packets will also be sent out on the ISP2-interface. You don't have to configure anything for that.
08-06-2015 03:32 PM
Hi Karsten,
Actually, we have our default route points to ISP1, if the traffic come to the server that uses the ISP2, if i don't have a route pointed to ISP2 to let the packet out using ISP2, the packet will be sent using the interface of ISP1 and the traffic will be assymetric.
The syn will entry using OUTSIDE2 and the syn-ack will out using OUTSIDE1, because i don't have any route especific for that destination, for example.
There are services that we can map the destination address, but, the services that are allowed to the public, there is no way to know the ip address, they are iphones, home pc's, and all other devices that is possible.
My problem is exacly that, the clients that i can't control de source IP, and the services that i don't know the destination IP.
08-06-2015 11:50 PM
> if i don't have a route pointed to ISP2
The ASA behaves differently then a router. Just configure one with a higher AD:
route ISP2 0.0.0.0 0.0.0.0 a.b.c.d 200
> My problem is exacly that, the clients that i can't control de source IP, and the services that i don't know the destination IP.
How do you do NAT and access control if you don't know the destination?
08-07-2015 07:19 AM
The websites that are allowed to the internet has an acl like this:
any -> ip of my server > eq 80 or 443.
Some services that i know the source has a acl like this:
ip of the source -> ip of my server > eq 80 or 443.
Let's supose that i turn one of these websites to my ISP2, i will change the nat for the original object changing the (inside,isp1) to (inside,isp2) and change the DNS for resolve the name using a ISP2 ip, but, when the packet arrives via ISP2, the return will use isp1 interface because the default route is pointed to this interface, if i put an second route using another weight, even doing this the packet will be sent using isp1 because the route have a weight equal 1 that is lower than 200.
Right? Or am i wrong?
I need to return the packet to ISP2 when the packet arrives via ISP2, but , the default route is pointed to ISP1 and i can't put an static route for the source because we don't know the source, the route with weight 200 will be used only if the another route with weight 1 goes out of the routing table by some reason.
The idea is turn the traffic to ISP2 and after this, exclude the ISP1 interface, we won't have two ISP's, this is only for migration.
08-07-2015 07:32 AM
> Right? Or am i wrong?
Wrong. The ASA is not a router and doesn't behave as such. The traffic get's returned over the interface where the initial traffic is received.
08-07-2015 10:20 AM
Thanks.
But to do this, i'll need the more one default route with another weight, right?
Like you said before.
route ISP2 0.0.0.0 0.0.0.0 a.b.c.d 200
08-10-2015 07:48 AM
I tested this on a Virtual Lab environment, and did not work.
I use a subnet 192.168.99.0/24 as a INTERNET subnet.
192.168.0.0/24 as a internal network subnet.
192.168.1.0/24 as a ISP1 subnet.
192.186.2.0/24 as a ISP2 subnet.
PC1 IP = 192.168.99.100
PC2 IP = 192.168.0.100
Attached the ASA config, just the simple, just to verify the routing.
The test is try to ping PC2 via PC1 using the NAT IP of ISP1(192.168.1.100) and ISP2(192.168.2.100), just the ISP1 responds the traffic, the IP NAT of ISP2 did not work.
Obs: I put the second ASA(ASA2) just to route the traffic because i did not have the router IOS to gns3 :P
08-10-2015 08:03 AM
At least PING behaves differently in Dual-ISP scenarios then TCP. Better test it with HTTP to a web server running on your internal PC.
08-10-2015 12:14 PM
i tested again using a web server and vmware nics and it works via http! :)
Now i'm going to test using physical equipments.
I'll post the results here ASAP.
Is there any doc that says this type of "feature" on ASA? I did not find this on pdf's of ASA.
Thank you very much for your help!
08-10-2015 01:02 PM
At least it's mentioned in the config-guides "between the lines" ... ;-)
08-20-2015 08:44 AM
I have the Same issue here. We 'upgraded' from a PIX515 to a ASA5510. When upgrading we set up the 5510 with our 2nd Class C Subnet for the NAT Pool for the default clients trying to get out so we could have a more one to one NAT with many of the Clients. the 1st Class C we have is all of our Public Facing servers. I setup the 5510 and had it in Production before I moved the 1st IP and Public servers to it and when I did I had the same issue you are having. I can Hit the website with 1st Subnet IP, though when I go to the web server and go to whatismyip.com I get and Address from the 2nd Subnet.
Though it sounds like Karsten is saying that since this is an Originating Packet its using the 2nd Subnet, but if its a replying Packet it will use the 1st Subnet IP that was used to contact it.
Guess I need to bust out wireshark to test this. I am now Up to a 5525 and at 9.4 and have access to PBR, though not sure if that is the 'better' way to do it.
07-13-2016 11:13 PM
@Rafael,
Did you find any solution on this? I have the same scenario. Hoping you can share your solution (if there's any).
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide