Solved: Load Balancing using Virtual IP on DMZ interface of 5520 ASA

Pratik Prajapati · ‎02-22-2012

We want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.

The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3

These IPs are going to be NATted to all inside IPs.

Lets say our outside IP is X.X.X.X

This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary.

When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.

I need configuration assistance with that.

mirober2 · ‎02-29-2012

Hi Pratik,

The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.

-Mike

View solution in original post

mirober2 · ‎02-29-2012

Hi Pratik,

The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.

-Mike