Showing results for 
Search instead for 
Did you mean: 


Multiple web servers behind ASAv in Azure?

Does anyone have experience with this? A tech from Cisco explained it to me this way


Internet ---> Azure public IP load balancer (LB) ---> LB NAT ---> Cisco ASAv ---> Cisco ASAv NAT ---> web servers x, y, z

Say we have and web servers, would we need to create a load balancer for each web server to allow traffic to come in on a separate public IP? What I'm not sure is how to differentiate/tag traffic after it's NAT'd by the LB(s).


Did you find a solution to this? I have static NAT working perfectly on each device if you go directly to the websites through the Static NAT Public IP behind the load balancer, but cannot get to the websites through the Load Balancer. The load balancer works fine for anything NATed to the management address of the ASAvs, but I can't seem to route traffic for the additional IPs that have Static NAT applied in spite of creating a separate backend pool for the new addresses. I followed this for adding the additional public IPs to the management NIC:


Static NAT also works fine in a single instance scenario


Hi, we decided to go without implementing an ASAv at least for web servers. We decided to use Azure's built in Application gateway/load balancer. They also just previewed a stateful firewall (for outbound connections only, I think, at the moment). Sorry I couldn't help. Good luck!


Hi, Thanks for getting back to me. From your explanation from the Cisco tech it looks like they are suggesting using NAT rules on the load balancer rather than load balanced rules which seems to defeat the object of using HA. I am glad you found a solution that works for you. I will persevere for now, and have a few other avenues to explore.  


I have found a workaround. It should be noted that Static NAT for multiple web servers works fine on the single instance ASAv in Azure using the following guide to add the additional IP configurations for the IPs of each of the internal web servers using the method in this video below. Create your static NAT rules as normal and then create the additional IP configurations against the management/outside interface in Azure to correspond to the ASAv addresses with a public IP attached.


In an HA configuration it does not appear to be possible to create load balanced rules with health probes on the Azure Load Balancer against secondary IP configurations on the management/outside interface, even if you create an additional backend pool on the load balancer for the secondary IP configurations. This is stated in the Cisco documentation here:


  • ASAv HA (single context mode)

Note: If your deployment uses an Azure Load Balancer, health probes are not supported on secondary IP addresses assigned on ASAv NICs.


As a workaround I first decided to add new Frontend IP addresses on the Azure Load Balancer for each of my web servers. I then created NAT rules on each of the ASAvs in the HA pair to translate the web port on each web server to a different port which could be presented on the outside/management interface of the ASAv using the following commands:


Create the NAT rule for each web server:


object network internal-web-server

host internal_IP_of_web_server

nat (inside,management) static interface service tcp www 6480


Then allow traffic into the web port of your web server on the inbound access list which is bound to the management/outside interface:


access-list management-inbound extended permit tcp any object internal-web-server eq www


Next modify the ASAv NSG (Network Security Group) in Azure to allow tcp traffic through to the ASAvs on port 6480.


Finally create a load balanced rule on one of the newly created Frontend IP addresses in the Azure Load Balancer which points to the backend pool of the two ASAvs, which translates anything that comes in to the load balancer front end IP for this server from port 80 to port 6480. The traffic flow is  as follows:


===> Port 80 on LB Frontend IP ===> Port 6480 on LB Backend ASAvs ===> Port 80 on Web Server


Because this configuration allows you to use health probes on the management interfaces of the 2 ASAvs, the rule will failover to the backup ASAv in the event of the primary ASAv failing. You can create different NAT rules and load balancer rules for each website that you have behind the HA pair of ASAvs. Use a different translated port on the ASAvs and load balancer rules for each web server you have behind the firewall. Config wise this is also simpler than static NAT rules as the configuration is the same on each ASAv for each web server.

Content for Community-Ad