Multiple ISP Routes With ASA 5585

lovedam
Level 1

We have a 5585 failover pair we are installing that will have access to two ISP links.  Each link will have a set of static outside IPs routed to it from the Internet.  I will have traffic coming in from both ISPs at the same time and I need to un-nat and route the return traffic back out the interface it came in on.

for example:

ISP 1 - static outside 67.111.140.X/24

ISP 2 - static outside 67.222.140.X/24

Let's take the example of two web servers that we will be hosting.

NAT rule - 67.111.140.10 -> 10.10.10.10

NAT rule - 67.222.140.10 -> 11.11.11.10

I don't see a problem getting traffic in from the Internet and routed to the correct distribution switch, but how do I get the ASA to send the NAT-ed traffic back out to the correct ISP interface?  A default route won't work in this case...  I know PBR is not available on the ASA platform, which would have been my first choice.

Thanks,

Damon

16 Replies

Jon Marshall
Hall of Fame

Damon

You may want to read this very recent thread which deals with a similar problem. Basically, without a 2nd inside interface + a different subnet internally it's not really possible on an ASA.

However, a further possibility for you may be to run 2 contexts on your ASA pair, and each context would then have its own routing table with its own default route. So you would then just need to ensure your internal servers were routed to the correct context interface.

Jon

Jon,

Can you post the recent thread?  I did some searching but didn't see relevant discussions.

I worked out a way to do it, but it would require me to do double NAT (NAT the source IPs as well), but then it gets more complicated than it might be worth!

Thanks,

Damon

Hi Damon,

What code are you working with, is it 8.3 or higher? I can think of a way to do it, although I need to test it.

Your requirement is:

NAT rule - 67.111.140.10 -> 10.10.10.10

NAT rule - 67.222.140.10 -> 11.11.11.10

ISP 1 - static outside 67.111.140.X/24

ISP 2 - static outside 67.222.140.X/24

The servers need to be accessed from two different ISPs.

We can try this:

object network public_isp1
  host 67.111.140.10
object network private_isp1
  host 10.10.10.10
object network public_isp2
  host 67.222.140.10
object network private_isp2
  host 11.11.11.10

nat (ISP1,inside) source dynamic any interface destination static public_isp1 private_isp1
nat (ISP2,inside) source dynamic any interface destination static public_isp2 private_isp2

This way, traffic coming from ISP2 would return from there only.

Jon, this seems to be a bit different from the one that we were discussing yesterday; let me know if I understood your requirement correctly.

Hope that helps

Varun

Thanks,
Varun Rao

Varun

Not doubting it works, but I'm still getting up to speed on 8.3 NAT code.

Can you explain how this NAT statement works? The source IP coming to the web server(s) can be any address, so how does the above tie the source IP to the right ISP for the return traffic?

My best guess at the moment is that you NAT the source IPs coming in from the internet to the outside interface IP of the ASA so there is a "record" of which interface the traffic came in on that can be used for the return traffic.

One other question - is this only possible with the new NAT code?

Jon

Hi Jon,

The trick here is, I have dynamically PATed the source addresses coming from the internet to the inside interface, so this time the return packet would have the destination of the ASA inside interface rather than the outside internet address. Once it hits the ASA interface, it has a translation for it and routes it back through the ISP2 interface.

I have tested it, but to verify I only had packet-tracer. I do remember a case in which this was worked out pretty well; I'll just dig that case up.

Thanks,

Varun

Thanks,
Varun Rao

One more thing:

What the nat means is (you need to follow the flow here):

ISP2-----------------------(ASA)--------------------inside

------------------------------------------->>

nat (ISP2,inside) source dynamic any interface destination static public_isp2 private_isp2

Traffic coming from the ISP2 interface going to the inside interface. Any source would be dynamically NATed to the inside interface, while the destination is statically mapped to public_isp2, which needs to be untranslated to private_isp2.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

I found it, this works.

Varun

Thanks,
Varun Rao

Is it because you have one NAT statement doing both source and destination NAT, and this is what tells the ASA which interface to send it back out of?

Jon

Varun

Still not getting it.

If you NAT the source IPs to the inside interface, then when the traffic arrives back at the ASA from the web server they are translated back to the original IP. But this original IP is still just an internet address, and so the ASA needs to do a route lookup, and as we have discussed before you can only have one default route.

Assuming the default route points to ISP1, how does the ASA know it should route this packet to ISP2?

The bit I am missing is what tells the ASA that this should be routed back to ISP2, because it is just another internet IP?

I know the order of routing / NAT has changed a bit with 8.3 onwards, but I still can't see how the config works.

Jon

Hi Jon,

The moment the return packet is untranslated by the ASA, it sees the xlate being made for the host tied to the ISP2 interface and punts it to ISP2 rather than ISP1, and that is what takes care of it.

Varun

Thanks,
Varun Rao
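To show Varun's twice-NAT approach (the config above and the xlate explanation) as a fuller, checkable configuration, here is an added ASA 8.3+ example that is not from the thread; interface names, interface and gateway addresses, the ACLs, the internal next hop and the client address used in packet-tracer are all assumed.

```cisco
! Added example, not from the thread. Addresses below other than the
! 67.111.140.10 / 67.222.140.10 -> 10.10.10.10 / 11.11.11.10 pairs are assumed.
interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 67.111.140.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 67.222.140.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Only one default route exists; it points at ISP1 (assumed gateway).
route ISP1 0.0.0.0 0.0.0.0 67.111.140.254 1
! 11.11.11.0/24 sits behind the distribution switch (assumed next hop).
route inside 11.11.11.0 255.255.255.0 10.10.10.2 1
!
object network public_isp1
 host 67.111.140.10
object network private_isp1
 host 10.10.10.10
object network public_isp2
 host 67.222.140.10
object network private_isp2
 host 11.11.11.10
!
! Twice NAT: the Internet source is PATed to the inside interface IP and the
! public server address is untranslated. The xlate built on the ISP2 flow is
! what sends the reply back out ISP2 despite the default route via ISP1.
nat (ISP1,inside) source dynamic any interface destination static public_isp1 private_isp1
nat (ISP2,inside) source dynamic any interface destination static public_isp2 private_isp2
!
! Inbound ACLs reference real (untranslated) addresses from 8.3 onwards.
access-list ISP1_IN extended permit tcp any object private_isp1 eq 80
access-group ISP1_IN in interface ISP1
access-list ISP2_IN extended permit tcp any object private_isp2 eq 80
access-group ISP2_IN in interface ISP2
!
! Check with a constructed client address: the NAT phase should show the
! source PATed to the inside interface and the egress interface as inside,
! then the xlate table shows the entry the return traffic will match.
packet-tracer input ISP2 tcp 203.0.113.5 40000 67.222.140.10 80
show xlate
```

Because every Internet client is PATed to the inside interface address, the web servers see only that address as the client source; keep the ASA's own connection logging (and `show xlate`) as the record of the real client IPs.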

Varun

Got it now.

Have just had a quick reread of how the ASA routes packets, and I had forgotten all about how the xlate table is used as well as the routing table to decide which interface to send it out of.

Thanks for the explanation. Much appreciated.

Jon

Thanks, Jon. Love the brainstorming sessions with you.

Varun

Thanks,
Varun Rao

Yes, I'm learning/remembering a lot.

I told you I made mistakes, didn't I?

Damon - apologies for the misleading information; looks like I need to do some rereading of the docs!

Jon
