NAT configuration assistance on ASAv HA in Azure with Azure Load Balancer

We recently deployed ASAv HA in Azure for high availability; it will act as the perimeter device for Internet access. We deployed an Azure external load balancer in front of the ASAv HA pair.

 

Some of the applications (servers) rely on static NAT for outbound connections as well as inbound flows, and a few applications rely on static NAT for inbound connections only and never initiate traffic to the outside.

 

As per the Microsoft update, Standard Load Balancer uses all candidate IPs for outbound flows at the same time when multiple (public) IP frontends are present. We can suppress a frontend IP address from being used for outbound connections with a new load balancing rule option.

 

However, it seems we cannot configure static NAT for outbound flows if we use the load balancer (the way we do it on the ASA).

Refer to: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections


In order to achieve this scenario we designed the architecture in the format below:

 

For Internet access for all users we configured an IP address on both ASAv interfaces, mapped a public IP in the Azure portal and configured port forwarding, so in case the active ASAv goes down the backup will take over and provide connectivity, as we have already configured a public IP on both ASAvs.

 

For specific applications/servers (outbound flows) which require a dedicated public IP, we used the secondary IP address format and mapped a separate public IP at the Azure portal end. Hence both outbound and inbound flows go through the secondary IP, and we also configured port forwarding on the ASAv to the secondary private IP.

 

Here is the limitation: in case the active ASAv goes down we have to manually move the secondary public IP to the backup ASAv (as the Azure HA will not work like native HA, due to Cisco limitations in Azure), which causes connectivity loss to the server/application until that takes place.

 

And as per the Microsoft doc, inbound flows that arrive on the load balancer's frontend go to the backend pool instances according to rules and health probes. Routes are programmed through Azure REST APIs, hence the return traffic will flow via the same path.


Does anyone have a suggestion on how we can overcome the outbound flow limitation and do automatic failover during a failure? We are also looking at DNS failover using DNS Made Easy, but we would still like to overcome this situation without DNS failover.
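As an added illustration (not configuration from the original post), here is what the ASAv NAT side of the design described above looks like: shared PAT plus port forwarding on the outside primary IP, and a bidirectional static NAT to the outside secondary private IP that the Azure portal maps to its own public IP. All addresses, object names and the TCP/443 service are constructed assumptions.

```cisco
! Constructed addressing (assumptions, not from the post):
!   outside primary IP   10.0.0.4  -> mapped in the Azure portal to the shared public IP
!   outside secondary IP 10.0.0.5  -> mapped in the Azure portal to the app's dedicated public IP
!   inside users 10.0.1.0/24, web server 10.0.1.20, dedicated app server 10.0.1.10

! General Internet access for users: PAT behind the outside primary IP.
object network INSIDE-USERS
 subnet 10.0.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Inbound-only application on the primary IP: port forwarding of public TCP/443
! to the web server. No dedicated public IP is needed for this flow.
object network WEB-SERVER
 host 10.0.1.20
 nat (inside,outside) static interface service tcp 443 443

! Application that needs a dedicated public IP for BOTH directions:
! one-to-one static NAT to the secondary private IP. Because static object NAT
! is evaluated before dynamic object NAT, outbound traffic from 10.0.1.10 is
! sourced from 10.0.0.5 (hence from its dedicated public IP), not the shared PAT.
object network APP-SERVER
 host 10.0.1.10
 nat (inside,outside) static 10.0.0.5

! Outside ACL references the real (inside) addresses, as on ASA 8.3+.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE-IN extended permit tcp any object APP-SERVER eq 443
access-group OUTSIDE-IN in interface outside
```

The NAT rule for APP-SERVER only works while 10.0.0.5 is an IP configuration on the active ASAv's outside NIC in Azure, which is exactly why the post describes having to move the secondary public IP to the backup ASAv on failover.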

 

 
