01-13-2017 05:55 AM - edited 03-12-2019 01:46 AM
Dear All,
We wish to upgrade our Cisco ASA 5512-X Adaptive Security Appliance.
Product ID: ASA5512-MB.
We would like to be sure that, after buying and activating:
ASA5512-SEC-PL
ASA 5512-X Sec. Plus Lic. w/ HA, Sec Ctxt, more VLAN + Conns
Are we able to use our ASA 5512X for load balancing two ISPs and port mapping to one mail server located in the inside network?
Two ISPs connected to the ASA outside interfaces, and NAT port mapping to a single mail server connected to the ASA inside interface.
Example : 92.45.45.45 ISP1 MX 10 ------nat 192.168.1.10
88.55.55.55 ISP2 MX 10 ------nat 192.168.1.10
Thank you very much in advance.
Best Regards,
Mesut
01-13-2017 06:41 AM
For that to work, you don't need the SEC-PLUS license. That also works with the BASE-license.
01-13-2017 07:02 AM
Thanks Karsten,
"That also works with the BASE-license."
Could you please advise with a sample config or some steps?
01-13-2017 07:21 AM
You need NAT statements for both interfaces:
object network SRV.MAIL-NAT-OUTSIDE1
 host 192.168.1.10
 nat (inside,outside1) static 92.45.45.45
!
object network SRV.MAIL-NAT-OUTSIDE2
 host 192.168.1.10
 nat (inside,outside2) static 88.55.55.55
On both
! Permit inbound SMTP to the real (inside) address of the mail server
access-list OUTSIDE-IN permit tcp any host 192.168.1.10 eq 25
!
! Bind the same ACL inbound on both outside interfaces
access-group OUTSIDE-IN in interface outside1
access-group OUTSIDE-IN in interface outside2
You also need static default routes to both next hops with a higher administrative distance on the secondary ISP. At least the first one is very likely already configured:
! NH-ISP1 / NH-ISP2 stand for the next-hop addresses of the two ISPs
route outside1 0 0 NH-ISP1 1
route outside2 0 0 NH-ISP2 100
That's all!
01-13-2017 07:31 AM
Hi Karsten,
Many thanks for your great assist and support. I will try your config steps and let you know about this.
Best wishes
Mesut
01-13-2017 07:36 AM
No.
ASAs do not support ISP load balancing in the way I think you want with any version of software or license.
What Karsten described works fine but I understood you to be asking for a real time load balancing based on the ASA feature. The scheme he described depends on external clients calling one or the other address - not a single MX record with two entries.
01-13-2017 07:39 AM
Hello Marvin,
Thanks for your input. I am really confused between you and Karsten Iwen.
Have you ever tried and configured your ASA for a load balancing scenario?
If so, what were your results?
Thanks a lot for those assisting here for my issue.
Best wishes to all :)
01-13-2017 07:43 AM
Hi Marvin,
well, at least that was what I understood from the question with two different IPs for the two ISP. For
01-13-2017 07:45 AM
Hi Karsten,
Indeed - if we throw out the "load balancing" term you are 100% correct.
01-13-2017 07:55 AM
Hi Karsten and Marvin,
My need is for our mail server:
Able to send and receive emails from outside internet domains, with two public IPs registered on ISP1 and ISP2 DNS servers for ourdomain.com with the same MX record value of 10.
If the link of ISP1 fails, email relaying and sending for our domain will be able to continue from the ISP2 link.
I think what I need is much more like link redundancy refer to load balancing.
If so, what could be the right config example for me?
Please advise.
Thanks
Mesut
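Added example, not part of the thread and not Cisco code: a small Python simulation of the point made above that the choice between the two public addresses is made by the external sending servers, not by the ASA. It follows the MX selection rule of RFC 5321 section 5.1 (lowest preference first, random order within equal preference, next target on failure); the host names mx1/mx2.ourdomain.com are assumptions, the addresses are the ones from the first post.

```python
import random
from collections import Counter

# Constructed sample data: one MX host per ISP address from the thread.
# The host names are hypothetical; both addresses NAT to 192.168.1.10.
MX_RECORDS = [
    (10, "mx1.ourdomain.com", "92.45.45.45"),  # ISP1
    (10, "mx2.ourdomain.com", "88.55.55.55"),  # ISP2
]

def delivery_order(records, rng):
    """Targets in the order a sender tries them: lowest preference
    first, shuffled within equal preference (RFC 5321, section 5.1)."""
    groups = {}
    for pref, host, addr in records:
        groups.setdefault(pref, []).append((host, addr))
    order = []
    for pref in sorted(groups):
        rng.shuffle(groups[pref])
        order.extend(groups[pref])
    return order

def deliver(records, reachable, rng):
    """Return (address that accepted the mail or None, attempts made)."""
    attempts = 0
    for _host, addr in delivery_order(records, rng):
        attempts += 1
        if addr in reachable:
            return addr, attempts
    return None, attempts

def simulate(records, reachable, senders=10000, seed=1):
    """Count which address each of many independent senders ends up using."""
    rng = random.Random(seed)
    hits, retries = Counter(), 0
    for _ in range(senders):
        addr, attempts = deliver(records, reachable, rng)
        hits[addr] += 1
        retries += attempts - 1
    return hits, retries

if __name__ == "__main__":
    both = {"92.45.45.45", "88.55.55.55"}
    print("both links up:", simulate(MX_RECORDS, both))
    print("ISP1 link down:", simulate(MX_RECORDS, {"88.55.55.55"}))
```

With both links up, roughly half of the senders land on each address and none retry; with the ISP1 link down, every message still arrives via 88.55.55.55 after about half of the senders retry. Outbound mail is not covered here, since it follows the ASA's default route.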