Multiple uplink path with ASA

s_colombo
Level 1

I have the following question.

A customer is implementing a dual uplink path to the internet: a service provider will bring two separate links with two public address ranges and two routers, and has asked us to provide a solution to manage the dual path in this way:

- Internal servers published to the internet, now with only one public address, will have to be published on both public address scopes. This is to provide fault tolerance against the failure of one link path.

For example, the classic mail server which is now published as 1.1.1.x will have to be published as 2.1.1.1 AND 3.1.1.1.

- Outgoing traffic will have to be routed by protocol in the normal situation, using one link for some traffic and the other for different traffic.

- Failover. If an uplink goes down, all the traffic should be routed to the surviving link.

I wonder which hardware should be provided to accomplish that design.

I first thought of a configuration with an ASA just behind the two uplink routers, but wonder if it can work, for source routing for example, or if we need another router between the ASA and the two service provider's routers.

In this case, which model can do the work?

Is there any example of this configuration I can look for ?

Thanks

Stefano Colombo

Sent from Cisco Technical Support iPad App

5 Replies

varrao
Level 10

Hi Stefano,

Unfortunately the ASA cannot do traffic load balancing, which means your point 1 is not possible, although failover for your ISP can be easily configured on the ASA; you can follow this doc for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

For your load balancing requirement you can go for PBR on the router; this is definitely a more suitable option. Here's a good link to understand it:

https://supportforums.cisco.com/docs/DOC-8313

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

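For the failover part of the reply above, here is an added example (not from the original post or the linked Cisco document) of an ASA 8.2-style dual-ISP configuration that tracks the primary link with an SLA probe and falls back to a floating default route. It reuses the poster's example public addresses 2.1.1.x and 3.1.1.x; the interface names, the gateway addresses 2.1.1.254 and 3.1.1.254, the inside subnet 192.168.1.0/24 and the mail server 192.168.1.10 are assumptions for the example.

```cisco
! Primary ISP interface (assumed addressing; 2.1.1.x taken from the poster's question)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.1.1.2 255.255.255.0
!
! Backup ISP interface (assumed addressing; 3.1.1.x taken from the poster's question)
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 3.1.1.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! SLA probe: ICMP echo towards the primary ISP gateway every 10 seconds.
! The probe target is an assumption; see the note below on choosing it.
sla monitor 123
 type echo protocol ipIcmpEcho 2.1.1.254 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! The track object follows the reachability result of probe 123
track 1 rtr 123 reachability
!
! Primary default route is installed only while track 1 is up;
! the backup route has a high administrative distance and takes over on failure
route outside 0.0.0.0 0.0.0.0 2.1.1.254 1 track 1
route backup 0.0.0.0 0.0.0.0 3.1.1.254 254
!
! Outbound PAT on whichever ISP interface the active default route points to
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! The mail server published on one public address per ISP (pre-8.3 static syntax)
static (inside,outside) 2.1.1.1 192.168.1.10 netmask 255.255.255.255
static (inside,backup) 3.1.1.1 192.168.1.10 netmask 255.255.255.255
!
! Only SMTP is allowed in to the server on each ISP interface
access-list OUTSIDE_IN extended permit tcp any host 2.1.1.1 eq smtp
access-group OUTSIDE_IN in interface outside
access-list BACKUP_IN extended permit tcp any host 3.1.1.1 eq smtp
access-group BACKUP_IN in interface backup
```

Two points worth checking before relying on this. First, probing the ISP's first-hop gateway only detects a failure of the local link; a probe target further upstream (a stable address the provider does not reject ICMP from) catches outages beyond the gateway. Second, the ASA holds only one active default route at a time, so replies to connections arriving on the `backup` address are sent out via `outside` while the primary link is up; the second static therefore only serves inbound traffic after a failover, which is the limitation behind the reply's statement that the ASA alone cannot meet point 1.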

Hi,

thanks for the link you provided, it's very useful.

I have a question.

Given the configuration in the example, how can I add an ASA behind the PBR router?

I mean, I need to create some static NATs for publishing some servers (i.e. mail servers) on the two ISPs at the same time.

Which router would be right for the job?

thanks

Sent from Cisco Technical Support iPad App

Hi,

Here's another document which can give you some idea about the topology that you can go for:

https://supportforums.cisco.com/docs/DOC-15622

The router can be any router which supports PBR, and yes you can create static nats for your servers behind the ASA on the firewall itself.

Hope this helps.

Thanks,

Varun Rao
Security Team,
Cisco TAC


Hello Varun,

thanks for the links.

I looked at them and found that if we do not need PBR but simply redundancy we can even use an ASA; is that correct?

If we decide to go for a router between the ASA and the ISPs' routers (to use PBR), would a 1921 be right for the job, and which IOS feature do we need?

Thanks

As for the static NAT:

can you help me with examples of how to create on the router a static NAT from the external IP on each separate ISP to the same internal IP, which would then be NATted again by the ASA to the internal server?

thanks

Hi,

If just redundancy is your requirement then the ASA can do it very well; you would not need a router at all. A 1921 router should be fine.

You can create the static nat on the router, here's a simplified example for it:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml

And once the traffic is NATted on the router, you can do a NAT bypass on the ASA to just let the packets pass through without doing any NAT; here's an example for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

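To illustrate the router-NAT-plus-ASA-bypass design from the last reply, here is an added example (not from the original thread or the linked Cisco documents). The IOS router in front of the ASA translates one public address per ISP to the same mail server, and the ASA exempts the server subnet from its own NAT so the packets pass through untranslated. The public addresses 2.1.1.1 and 3.1.1.1 are the poster's; the interface names, the router-to-ASA transit subnet 10.0.0.0/30, the inside subnet 192.168.1.0/24, the server 192.168.1.10 and the ISP gateways are assumptions.

```cisco
!===== IOS router between the ISP routers and the ASA (assumed interfaces) =====
interface GigabitEthernet0/0
 description ISP1 (assumed; 2.1.1.x from the poster's question)
 ip address 2.1.1.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description ISP2 (assumed; 3.1.1.x from the poster's question)
 ip address 3.1.1.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description transit link to the ASA outside interface (assumed)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! The server subnet lives behind the ASA; the router must know how to reach it
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 2.1.1.254
ip route 0.0.0.0 0.0.0.0 3.1.1.254 10
!
! Route-maps select which public address applies on which ISP interface;
! IOS does not accept two plain static entries for the same inside address
route-map NAT-ISP1 permit 10
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match interface GigabitEthernet0/1
!
! Same internal server published once per ISP address
ip nat inside source static 192.168.1.10 2.1.1.1 route-map NAT-ISP1
ip nat inside source static 192.168.1.10 3.1.1.1 route-map NAT-ISP2
!
! Only SMTP is accepted towards the published addresses on each ISP link
ip access-list extended ISP1-IN
 permit tcp any host 2.1.1.1 eq smtp
 deny   ip any any
ip access-list extended ISP2-IN
 permit tcp any host 3.1.1.1 eq smtp
 deny   ip any any
interface GigabitEthernet0/0
 ip access-group ISP1-IN in
interface GigabitEthernet0/1
 ip access-group ISP2-IN in

!===== ASA behind the router (pre-8.3 syntax, matching the linked 8.2 guide) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! NAT exemption: the router already translated the server, so the ASA
! forwards 192.168.1.0/24 without rewriting addresses
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! The ASA still enforces what may reach the server after the router's translation
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq smtp
access-group OUTSIDE_IN in interface outside
```

With NAT exemption in place the ASA still inspects and filters the flows, which is the reason to keep the `OUTSIDE_IN` access list on the firewall rather than relying on the router alone. One caveat a practitioner should verify in the lab: connections that arrive on 3.1.1.1 via ISP2 must also be answered through ISP2, so the router's reply routing has to be symmetric; the PBR documents referenced earlier in the thread are where that part of the design is handled.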