ASA with dual ISP and two public ranges

Ricardo Duarte
Level 1

Hi there,

I have one ASA connecting to two ISPs. Each provides me a public IP range.
I want to publish some servers on IP1 from ISP1, and some others on IP2 from ISP2. I'm using SNAT. Each ISP does reverse path checks, so I can't have asymmetric routing.
I can see inbound traffic will not be a problem, but what about the reverse direction (from the servers to the clients)?
Response traffic from IP1 should leave to the default GW on ISP1, and the one from IP2 should leave to the default GW on ISP2.
Am I able to do this with the ASA?

Thanks

PS: I don't actually have this scenario today, so I can't try this out.


Accepted Solution

Hi there. I solved my problem using (what I think is) Dynamic Identity NAT.

Note: My ASA is running firmware 8.2. With 8.3 and later, the NAT commands would be different.

# Default route to GW1
route GW1 0.0.0.0 0.0.0.0 1

# Default route to GW2 with higher metric
route GW2 0.0.0.0 0.0.0.0 254

sysopt noproxyarp LAN2

static (LAN2,GW2) netmask

Now TCP and UDP connections originated by the users with destination LAN2 will:

- arrive at ASA via link to GW2

- go to LAN2

- return to the ASA

- be forwarded to GW2, not using the default route to GW1

This does not work with ICMP, however. And connections with origin in LAN2 addresses and destination won't work either (obviously).


6 Replies

Muhammed Safwan
Level 1

Presently it is not possible to load balance traffic between two ISP links on an ASA. The reason being, there can only be one default route configured on the ASA.

You can achieve your requirement with the PBR feature, but the ASA does not support PBR; you need a router to configure PBR.

A configuration example is given at the link below:

https://supportforums.cisco.com/docs/DOC-13015

Regards,

Safwan

Julio Carvajal
VIP Alumni

Hello Ricardo,

As long as all the connections are initiated on the outside interface, yes, it will work....

As the ASA will see the connection being initiated on the ISP2 interface, it will send the reply packet out that same interface (even if ISP1 is the primary).

Now if the servers initiate the connection, I mean send the first SYN packet, they will go out using ISP1.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
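As an added example (not configuration from the thread or from Cisco), here is how the original poster's two-ISP scenario could be expressed in the 8.3+ object NAT syntax that the accepted solution notes differs from 8.2; it relies on the behaviour Julio describes (the reply packets of an inbound-initiated connection leave through the interface they arrived on) and, like the accepted solution, keeps a second default route with a worse metric. Interface names, the RFC 5737 documentation addresses, server hosts and ports are all assumptions.

```cisco
! Added example, not from the thread. Names and addresses are assumptions.
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Primary default route via ISP1; backup via ISP2 with a worse metric,
! as in the accepted solution
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Server published on ISP1's range (static NAT on the isp1 interface)
object network srv-web
 host 10.0.0.10
 nat (inside,isp1) static 203.0.113.3
! Server published on ISP2's range (static NAT on the isp2 interface).
! A client connecting here arrives on isp2; the conn entry ties the
! reply to isp2, so it does not follow the default route to ISP1.
object network srv-mail
 host 10.0.0.20
 nat (inside,isp2) static 198.51.100.3
!
! Traffic initiated from inside (the first SYN, as Julio notes) follows
! the routing table to ISP1 and is PATed to the isp1 interface address
nat (inside,isp1) after-auto source dynamic any interface
!
! Inbound access to the published servers; 8.3+ ACLs use real addresses
access-list isp1-in extended permit tcp any host 10.0.0.10 eq 443
access-list isp2-in extended permit tcp any host 10.0.0.20 eq 25
access-group isp1-in in interface isp1
access-group isp2-in in interface isp2
!
! ICMP inspection builds a conn entry for echo requests, so echo replies
! also return through the ingress interface; without state, ICMP is
! routed by the table alone, consistent with the ICMP failure reported
! in the accepted solution
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with "show conn" during an inbound test to the isp2-published server: the entry should list isp2 as the outside interface, and a packet capture on isp1 should show no reply traffic for that client.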

jcarvaja, can you tell me how to implement that?

I have a similar situation (but I am not using ISPs, or public addresses).

I have 2 server LANs connected to the ASA, and 2 links to 2 different gateways. Default Gateway is GW1.

Users can already connect to LAN 1(using the link to GW1). I want them to be able to connect to LAN 2, using the link to GW2.

The incoming traffic arrives at the ASA from the GW2, and is sent to the LAN2.

However, the returning traffic arrives at ASA and is sent to GW1 (because GW1 is the default gateway).

I can't use static routes because users will use the same source IP addresses to connect to LAN1 and LAN2.

I can't use PBR (to define the gateway based on source IP address) because ASA doesn't support it.

Also, when I test connections to LAN2 I can't see any connections in "show conn"; perhaps they only show up when the complete handshake is done?

I would appreciate it if someone could tell me if this can be accomplished, and how. Thanks.

Can you elaborate on this a little bit more:

- A diagram

- What you are trying to accomplish exactly

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

malshbou
Level 1

Hi Ricardo, Rui,

I believe that achieving your requirements can be done only by outside PAT at one of the gateways (ISPs), so as to make all incoming traffic via one GW appear as (PATed to) a single IP in the same range as the subnet between the ASA and that GW; hence the return traffic (from LAN to Internet) will be routed based on a directly-connected route overriding the static route.

Hope this answers your question.


Mashal Alshboul


