cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1291
Views
5
Helpful
4
Replies

ASA with two ISP

Zhixin
Level 1
Level 1

I have a ASA connect two ISP. I will nat the server's IP with two ISP Address in ASA. I want to achieve,Client which from ISP1 will come back to ISP1,Client which from ISP2 will come back to ISP2?

Does this has a solution?

-----------ASA CONFIG---------

--ASA5520 ios9.17--

object network obj-server

 host 192.168.1.1
 nat (inside,isp1) static x.x.x.x  service tcp 80 80
object network obj-server

 host 192.168.1.1
 nat (inside,isp2) static x.x.x.x  service tcp 80 80

 

1 Accepted Solution

Accepted Solutions

Hi @Zhixin,

As always @Marvin Rhoads is right, but I will try to try to add more details for why it would not work on the asa.

In case of tcp traffic I would say that it uses conn and routing.
So lets say we have a setup with 2 ISPs, nat config is in place, a default route to the primary ISP and default route with higher AD to the secondary ISP.
If tcp traffic comes in the secondary isp interface the nat will change the destination ip to the server ip and forward the packet.
The server should send a respond back to the asa, but at this stage the asa will drop the packet with error reason no valid adjacency.
As far as I understand this is caused by the routing table indicating a different interface then the conn.

In case of connection-less protocols or bypassing the connection verification for tcp, if the traffic comes in the secondary isp, the response will be sent out the primary isp interface.
Because it will be nated into a different IP I doubt the connection will actually work, but traffic will not be dropped.

For options to load balance 2 isps on asa refer to the the following document (it is pretty old and the nat config is pre-8.3, but the explanations and options are still accurate)
https://supportforums.cisco.com/t5/security-documents/loadbalancing-dual-isp-on-asa/ta-p/3127108

View solution in original post

4 Replies 4

Bogdan Nita
VIP Alumni
VIP Alumni

The nat config is ok, but the problem with this type of setup is the routing. The asa likes to see the traffic coming and going out the same interface. For instance if you were to use isp1 as primary and isp2 as backup, you could only use the isp1 public ip to reach the server.

You could of course have some sort of load balancing, but you have to make sure the packets coming into a interface will be routed out the same interface by the asa.

You could also rewrite this behavior by using tcp state bypass, but this will greatly decrease the security features the asa can offer.

 

HTH

Bogdan

Hi Bogdan

Thanks for your response.

The asa is stateful firewall.When traffic come from ISP1,the asa will have a conn in the conn table. When the this traffic back,  the asa is check and forward by conn or by conn and route ?

 

 

The return traffic is only allowed if there is a connection allowing it. Routing is not checked in tht step of the logic.

 

What you're asking is not practical with an ASA. The only way it would work is with state bypass (basically breaks the firewall function) as @Bogdan Nita mentioned.

 

Policy based routing (requires newer software than what you have) would not really work because you don't know the address of the remote clients - only the last hop of route via which their traffic arrives.

Hi @Zhixin,

As always @Marvin Rhoads is right, but I will try to try to add more details for why it would not work on the asa.

In case of tcp traffic I would say that it uses conn and routing.
So lets say we have a setup with 2 ISPs, nat config is in place, a default route to the primary ISP and default route with higher AD to the secondary ISP.
If tcp traffic comes in the secondary isp interface the nat will change the destination ip to the server ip and forward the packet.
The server should send a respond back to the asa, but at this stage the asa will drop the packet with error reason no valid adjacency.
As far as I understand this is caused by the routing table indicating a different interface then the conn.

In case of connection-less protocols or bypassing the connection verification for tcp, if the traffic comes in the secondary isp, the response will be sent out the primary isp interface.
Because it will be nated into a different IP I doubt the connection will actually work, but traffic will not be dropped.

For options to load balance 2 isps on asa refer to the the following document (it is pretty old and the nat config is pre-8.3, but the explanations and options are still accurate)
https://supportforums.cisco.com/t5/security-documents/loadbalancing-dual-isp-on-asa/ta-p/3127108

Review Cisco Networking for a $25 gift card