09-11-2012 03:17 AM - edited 03-11-2019 04:52 PM
I have the following question.
A customer is implementing a dual uplink path to the Internet. A service provider will bring two separate links with two public address ranges and two routers, and has asked us to provide a solution to manage the dual path in this way:
- Internal servers published to the Internet, now with only one public address, will have to be published on both public address ranges. This is to provide fault tolerance if one link path fails.
For example, the classic mail server, which is now published as 1.1.1.x, will have to be published as 2.1.1.1 AND 3.1.1.1.
- Outgoing traffic will have to be routed by protocol: in the normal situation, one link is used for some traffic and the other for different traffic.
- Failover. If an uplink goes down, all traffic should be routed to the surviving link.
I wonder which hardware should be provided to accomplish that design.
I first thought of a configuration with an ASA just behind the two uplink routers, but I wonder if it can work, for source routing for example, or if we need another router between the ASA and the two service provider's routers.
In this case, which model can do the job?
Is there any example of this configuration I can look at?
Thanks
Stefano Colombo
09-13-2012 12:31 AM
Hi,
Here's another document which can give you some idea about the topology that you can go for:
https://supportforums.cisco.com/docs/DOC-15622
The router can be any router which supports PBR, and yes, you can create static NATs for your servers behind the ASA on the firewall itself.
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-11-2012 04:49 AM
Hi Stefano,
Unfortunately, the ASA cannot do traffic load balancing, which means your point 1 is not possible. However, failover for your ISP can be easily configured on the ASA; you can follow this doc for it:
For your load balancing requirement, you can go for PBR on the router; this is definitely a more suitable option. Here's a good link to understand it:
https://supportforums.cisco.com/docs/DOC-8313
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
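The two halves of that answer (ISP failover on the ASA, per-protocol PBR on a router in front of it), as an added configuration example that is not from the original thread or from the linked documents. Interface names, the RFC 5737 documentation addresses and the 192.0.2.0/24 transit network between router and ASA are assumptions; the ASA syntax is 8.3 or later (manual NAT form), the router syntax is IOS with IP SLA object tracking. One caveat on the "cannot do load balancing" point for readers on current code: ASA added policy-based routing in 9.4(1), so on those releases the per-protocol split no longer needs a separate router.

```text
! ---- ASA (8.3+): ISP failover only, no router needed ----
! outside1 = ISP1 (198.51.100.0/30), outside2 = ISP2 (203.0.113.0/30),
! inside = 10.0.0.0/24.  All addresses and names are assumed for this example.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Probe the ISP1 gateway every 5 s.  When the probe fails, track 1 goes down,
! the tracked default route is withdrawn and the metric-254 route via ISP2
! takes over.  When the probe recovers, the ISP1 route is reinstalled.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside1
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Outbound PAT must exist for BOTH egress interfaces; otherwise traffic that
! fails over to ISP2 leaves with private source addresses and is dropped upstream.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface

! ---- IOS router between the ASA and the two ISP routers: per-protocol PBR ----
! Gi0/0 = ISP1, Gi0/1 = ISP2, Gi0/2 = link to the ASA outside (192.0.2.0/24 transit).
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Traffic classes that get a preferred link (source = the ASA-facing transit net).
ip access-list extended WEB-OUT
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
ip access-list extended MAIL-OUT
 permit tcp 192.0.2.0 0.0.0.255 any eq 25
!
! Web prefers ISP1, mail prefers ISP2.  A next-hop is only used while its
! track object is up, so the second entry is the automatic failover path.
! Packets matching no clause fall through to the normal routing table.
route-map OUT-BY-PROTO permit 10
 match ip address WEB-OUT
 set ip next-hop verify-availability 198.51.100.1 10 track 1
 set ip next-hop verify-availability 203.0.113.1 20 track 2
route-map OUT-BY-PROTO permit 20
 match ip address MAIL-OUT
 set ip next-hop verify-availability 203.0.113.1 10 track 2
 set ip next-hop verify-availability 198.51.100.1 20 track 1
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map OUT-BY-PROTO
!
! Tracked default routes for everything the policy does not classify.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 2
```

To verify, pull the ISP1 cable and watch `show track`, `show route` (ASA) and `show route-map OUT-BY-PROTO` / `show ip route` (router) flip within a few probe intervals. Two practical checks before relying on this: probing only the ISP's gateway detects a dead link but not a dead ISP upstream, so a probe target further out (with the ISP's agreement) is more meaningful; and every failover tears down existing connections and changes the public source address, which matters for anything upstream that filters by source IP.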
09-12-2012 05:09 PM
Hi,
Thanks for the link you provided; it's very useful.
I have a question.
Given the configuration in the example, how can I add an ASA behind the PBR router?
I mean, I need to create some static NATs for publishing some servers (i.e. mail servers) on the two ISPs at the same time.
Which router would be right for the job?
Thanks
09-14-2012 04:03 AM
Hello Varun,
Thanks for the links.
I looked at them and found that if we do not need PBR but simply redundancy, we can even use an ASA. Is that correct?
If we decide to go for a router between the ASA and the ISPs' routers (to use PBR), would a 1921 be right for the job, and which IOS feature do we need?
Thanks
As for the static NAT:
can you help me by providing examples of how to create, on the router, a static NAT from the external IP on each separate ISP to the same internal IP, which would then be NATted again by the ASA to the internal server?
Thanks
09-14-2012 04:57 AM
Hi,
If just redundancy is your requirement, then the ASA can do it very well; you would not need a router at all. A 1921 router should be fine.
You can create the static NAT on the router; here's a simplified example of it:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml
And once the traffic is NATted on the router, you can do a NAT bypass on the ASA to just let the packets pass through without doing any NAT; here's an example of it:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
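The double-NAT design asked about in the previous two posts (two public addresses, one per ISP, mapped on the router to a single transit address, which the ASA then maps to the real server), as an added configuration example that is not from the original thread or the linked Cisco documents. The linked ASA NAT-bypass page is for 8.2; the ASA lines below use the 8.3+ object/manual NAT syntax instead. Interface names, the RFC 5737 addresses, the 192.0.2.0/24 transit network and the server address 10.0.0.10 are assumptions, and the router interface assignments match the PBR example earlier in the thread.

```text
! ---- IOS router: publish one inside host on both ISPs ----
! Gi0/0 = ISP1 (198.51.100.2/30), Gi0/1 = ISP2 (203.0.113.2/30),
! Gi0/2 = toward the ASA outside (192.0.2.1/24).  Assumed addressing.
! 192.0.2.10 is the transit address the ASA presents for the mail server.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside
!
! Two static translations for the SAME inside address, one public address per
! ISP.  "extendable" is what lets IOS accept more than one static entry for a
! single inside local address.
ip nat inside source static 192.0.2.10 198.51.100.10 extendable
ip nat inside source static 192.0.2.10 203.0.113.10 extendable
!
! Outbound PAT is bound to the egress interface, so whatever PBR or the routing
! table sends via ISP2 leaves with ISP2's address.  ISPs drop packets sourced
! from the other provider's range (anti-spoofing), so a single global PAT is not enough.
ip access-list standard TRANSIT
 permit 192.0.2.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address TRANSIT
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address TRANSIT
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload

! ---- ASA (8.3+): second translation, transit 192.0.2.10 -> real server 10.0.0.10 ----
object network MAIL-SERVER
 host 10.0.0.10
 nat (inside,outside) static 192.0.2.10
! In 8.3+ the interface ACL references the REAL (untranslated) address and is the
! place where exposure is limited to the published service only.
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
!
! NAT-bypass variant from the answer above: map the router's public addresses
! straight to 10.0.0.10 (and give the router a route to 10.0.0.0/24 via the ASA),
! then let the ASA pass the server address through untranslated:
!   object network MAIL-SERVER
!    host 10.0.0.10
!    nat (inside,outside) static 10.0.0.10
```

Test inbound through each ISP separately before going live, watching `show ip nat translations` on the router and `show xlate` / `show conn` on the ASA. The point to watch is the return path: with classic IOS NAT, inside-to-outside packets are routed before they are translated, so a reply to a session that arrived on ISP2 is translated to 203.0.113.10 but, with the default route pointing at ISP1, may be forwarded out Gi0/0 and discarded by ISP1's source filtering. If the router cannot be made to honour the ingress link for replies, the alternative is to drop the router and publish the server on two outside interfaces of the ASA itself: the ASA keeps per-connection state and sends reply packets back out the interface the connection arrived on, which is exactly the behaviour this design needs.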