12-01-2012 01:49 PM - edited 03-11-2019 05:31 PM
Hi there,
I have one ASA connecting to two ISPs. Each provides me a public IP range.
I want to publish some servers on IP1 from ISP1, and some others on IP2 from ISP2. I'm using SNAT. Each ISP does reverse path checks, so I can't have asymmetric routing.
I can see inbound traffic will not be a problem, but what about the return traffic (from the servers to the clients)?
Response traffic from ip1 should leave to default gw on isp1, and the one from ip2 should leave to default gw on isp2.
Am I able to do this with the ASA?
Thanks
PS: I don't actually have this scenario today, so I can't try this out.
12-01-2012 02:32 PM
Presently it is not possible to load balance traffic between two ISP links on an ASA. The reason being, there can only be one default route configured on the ASA.
You can achieve your requirement with the PBR feature, but the ASA does not support PBR; you need a router to configure PBR.
A configuration example is given at the link below:
https://supportforums.cisco.com/docs/DOC-13015
Regards,
Safwan
12-01-2012 03:05 PM
Hello Ricardo,
As long as all the connections are initiated on the outside interface, yes, it will work.
As the ASA will see the connection being initiated on the ISP2 interface, it will send the reply packet out that same interface (even if ISP1 is the primary).
Now, if the servers initiate the connection, I mean send the first SYN packet, they will go out using ISP1.
Regards,
Julio
06-28-2013 08:39 AM
jcarvaja, can you tell me how to implement that?
I have a similar situation (but I am not using ISPs, or public addresses).
I have 2 server LANs connected to the ASA, and 2 links to 2 different gateways. Default Gateway is GW1.
Users can already connect to LAN 1 (using the link to GW1). I want them to be able to connect to LAN 2 using the link to GW2.
The incoming traffic arrives at the ASA from the GW2, and is sent to the LAN2.
However, the returning traffic arrives at ASA and is sent to GW1 (because GW1 is the default gateway).
I can't use static routes because users will use the same source IP addresses to connect to LAN1 and LAN2.
I can't use PBR (to define the gateway based on source IP address) because ASA doesn't support it.
Also, when I test connections to LAN2 I can't see any connections in "show conn"; perhaps they only show up when the complete handshake is done?
I would appreciate it if someone could tell me whether this can be accomplished, and how. Thanks.
06-28-2013 09:17 PM
Can you elaborate on this a little bit more:
- A diagram
- What you trying to accomplish exactly
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-28-2013 11:14 PM
Hi Ricardo, Rui,
I believe that achieving your requirements can be done only by outside PAT at one of the gateways (ISPs), so as to make all incoming traffic via one GW appear as (PATed to) a single IP in the same range as the subnet between the ASA and that GW; hence the return traffic (from LAN to Internet) will be routed based on a directly-connected route, overriding the static route.
Hope this answers your question.
Mashal Alshboul
07-01-2013 06:59 AM
Hi there. I solved my problem using (what I think is) Dynamic Identity NAT.
Note: My ASA is running firmware 8.2. With 8.3 and later, the NAT commands would be different.
# Default route to GW1
route GW1 0.0.0.0 0.0.0.0
# Default route to GW2 with higher metric
route GW2 0.0.0.0 0.0.0.0
sysopt noproxyarp LAN2
static (LAN2,GW2)
Now TCP and UDP connections that are originated by the users with a destination in LAN2 will:
- arrive at ASA via link to GW2
- go to LAN2
- return to the ASA
- be forwarded to GW2, not using the default route to GW1
This is not working with ICMP, however. And connections with origin in LAN2 addresses and destination
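As an added illustration, and not code from this thread or from Cisco, the following Python model reproduces the behaviour jcarvaja described above and the solution in this post: for TCP and UDP a stateful firewall records the interface a connection arrived on and sends the reply back out that interface regardless of the routing table, while untracked ICMP and server-initiated connections fall back to the default route. The addresses, interface names and metrics are constructed for the example, and the model keeps only the connection table (the NAT/xlate entry the `static` command creates on a real ASA is left out).

```python
# Added example (not from the thread): a simplified model of how a stateful
# firewall such as the ASA described above chooses the egress interface.
# Addresses, interface names and metrics below are constructed for illustration.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


class StatefulFirewall:
    # Protocols for which a connection entry is kept. ICMP is left out to
    # mirror the behaviour reported in the thread (no conn entry, so ICMP
    # replies fall back to the routing table).
    STATEFUL_PROTOS = {"tcp", "udp"}

    def __init__(self, routes):
        self.routes = list(routes)
        # 5-tuple of the first packet -> (ingress interface, egress interface)
        self.conns = {}

    def route_lookup(self, dst):
        """Plain routing: longest prefix first, then lowest metric."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))
        return best.interface

    def forward(self, pkt, ingress):
        """Return the interface the packet leaves on.

        For tracked protocols the connection table wins over the routing
        table: reply packets go back out the interface the first packet of
        the connection arrived on, which is what keeps the path symmetric.
        """
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto in self.STATEFUL_PROTOS:
            if key in self.conns:            # same direction as the first packet
                return self.conns[key][1]
            if reverse in self.conns:        # reply direction
                return self.conns[reverse][0]
            egress = self.route_lookup(pkt.dst)
            self.conns[key] = (ingress, egress)
            return egress
        return self.route_lookup(pkt.dst)    # untracked: routing table only


def build_example_firewall():
    """Constructed topology: two default routes (GW1 preferred) and two LANs."""
    return StatefulFirewall([
        Route(ipaddress.ip_network("0.0.0.0/0"), "GW1", 1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "GW2", 254),
        Route(ipaddress.ip_network("10.1.0.0/24"), "LAN1", 0),
        Route(ipaddress.ip_network("10.2.0.0/24"), "LAN2", 0),
    ])


def walk_through():
    """Replay the cases discussed in the thread; returns {case: egress}."""
    fw = build_example_firewall()
    user, server = "172.16.5.5", "10.2.0.10"   # constructed addresses
    return {
        # user -> LAN2 server, arriving via GW2
        "tcp_request": fw.forward(Packet("tcp", user, server, 40000, 443), "GW2"),
        # server reply: the conn table sends it back out GW2, not default GW1
        "tcp_reply": fw.forward(Packet("tcp", server, user, 443, 40000), "LAN2"),
        # ICMP echo via GW2 reaches LAN2 ...
        "icmp_request": fw.forward(Packet("icmp", user, server), "GW2"),
        # ... but the untracked echo reply follows the default route (asymmetric)
        "icmp_reply": fw.forward(Packet("icmp", server, user), "LAN2"),
        # server-initiated connection: nothing in the conn table, so GW1 wins
        "server_initiated": fw.forward(Packet("tcp", server, user, 50000, 80), "LAN2"),
    }


if __name__ == "__main__":
    for case, egress in walk_through().items():
        print(f"{case:18} -> {egress}")
```

Running the block prints one line per case; the ICMP reply and the server-initiated connection both leave via GW1, which is exactly the asymmetry the poster reports for ICMP and that Julio describes for server-originated traffic.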