John,

can you post the recent thread?  I did some searching but didn't see relevant discussions.

I worked out a way to do it, but it would require me to do double NAT (NAT the source IPs as well), but then it gets more complicated than it might be worth!

Thanks,

Damon

Damon

Sorry about that ...

https://supportforums.cisco.com/thread/2109372?tstart=0

Jon

Hi Damon,

What code are you working with, is it 8.3 or higher?? I can think of a way to do it, although need to test it.

Your requirement is:

NAT rule - 67.111.140.10 -> 10.10.10.10

NAT rule - 67.222.140.10 -> 11.11.11.10

ISP 1 - static outside 67.111.140.X/24

ISP 2 - static outside 67.222.140.X/24

The servers needs to be accessed from two different ISP's

We can try this:

object network public_isp1

  host 67.111.140.10

object network private_isp1

  host 10.10.10.10

object network public_isp2

  host 67.222.140.10

object network private_isp2

host 11.11.11.10

nat (ISP1,inside) source dynamic any interface destination static public_isp1 private_isp1

nat (ISP2,inside) source dynamic any interface destination static public_isp2 private_isp2

this way traffic coming from ISP2 would return from there only.

Jon, this seems to be a bit different from the one that we were discussing yesterday, let me know I understood your requirement correctly.

Hope that helps

Varun

Varun

Not doubting it works but i'm still getting up to speed on 8.3 NAT code.

Can you explain how this NAT statement works. The source IP coming to the web server(s) can be any address so how does the above tie the source IP to the right ISP for the return traffic ?

My best guess at the moment is that you NAT the source IPs coming in from the internet to the outside interface IP of the ASA so there is a "record" of which interface the traffic came in on that can be used for the return traffic. 

One other question - is this only possible with the new NAT code ? 

Jon

Hi Jon,

The trick here is, I have dynamically patted the source addresses coming from the internet to the inside interface, so this time the return packet would have the destination of the ASA inside interface rather than the outside internet address, once it hits the ASA interafce, it has a translation for it and routes it back through the isp2 interface.

I have tested it, but for me to verify I only had Packet-tracer, but I do remember a case in whihc this was worked out pretty well, I'll just dig that case up.

Thanks,

Varun

One more thing:

What the nat means is (you need to follow the flow here):

ISP2-----------------------(ASA)--------------------inside

------------------------------------------->>

nat (ISP2,inside) source dynamic any interface destination static public_isp2 private_isp2

Traffic coming from ISP2 interface going to inside interface. Any source would be dynamically natted to inside interface, where destination is statically mapped to public_isp2 whihc needs to be untranslated to the private_isp2.

Hope that helps.

Thanks,

Varun

I found it, this works

Varun

Is it because you have one NAT statement doing both source and destination NAT and this is what tells the ASA which interface to send it back out of ?

Jon

Varun

Still not getting it

If you NAT the source IPs to the inside interface when the traffic arrives back at the ASA from the webserver then they are translated back to the original IP. But this original IP is still just an internet address and so the ASA needs to do a route lookup and as we have discussed before you can only have one default-route.

Assuming the default-route points to ISP1 how does the ASA know it should route this packet to ISP2.

The bit i am missing is what tells the ASA that this should be routed back to ISP2 because it is just another internet IP ?

I know the order of routing / NAT has changed a bit with 8.3 onwards but i still can't see how the config works.

Jon

Hi Jon,

The moment the return packet is untranslated by the ASA, it sees the xlate being made for the host tied to the ISP2 interface and punts it to the ISP2 rather than the ISP1 and that what take cares of it.

Varun

Varun

Got it now.

Have just had a quick reread of how the ASA routes packets and i had forgotten all about how the xlate table is used as well as the routing table to decide which interface to send it out of.

Thanks for the explanation. much appreciated.

Jon

Thanks Jon....Love the brainstorming sessions with you

Varun

Yes, i'm learning/remembering a lot.

I told you i made mistakes didn't i

Damon - apologies for the misleading information, looks like i need to do some rereading of the docs !!

Jon