10-11-2010 12:42 PM - edited 03-11-2019 11:52 AM
We have an ASA5505 with the Sec+ license. I'm comfortable setting up failover using tracked routes, and allowing simple inbound traffic to the current mapped interface IP. This requires that all internal destination IPs be PATed to the current interface address (as per the bolded global statement below). Our requirements are expanding and we would like to start using one-to-one NAT for our servers. We have a /29 block on our primary link, but only have a /30 on the backup link.
Here's an example of what we have now. This allows HTTP traffic to reach the internal IP of 192.168.1.10, regardless of whether the primary or backup link is active.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Vlan3
 nameif outside-backup
 security-level 0
 ip address 2.2.2.1 255.255.255.252
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
access-list acl_out extended permit tcp any interface eq www
access-group acl_out in interface outside
access-group acl_out in interface outside-backup
We'd like to break out the existing PAT setup to one-to-one NAT; something like:
static (inside,outside) 2.2.2.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.3 192.168.1.11 netmask 255.255.255.255
When the primary interface goes down, both internal hosts should remain accessible from the outside on the backup link. I may be able to upgrade the backup link to a /29 as well, if that's what's needed here. Is this a pipe dream, or possible? If I can do it, what would the configuration look like? And finally, am I making any sense at all?
10-11-2010 02:05 PM
Nathan
Mate - I *think* that you might be able to do this in 8.3, some of the Experts here might be able to help you solve it, but I think that is the puppy you need...
10-11-2010 02:13 PM
You can do what you want Nathan.
If you have 2 servers you will need extra ips for the isp link (let's assume its name is outside2) though. Let's say you had them and they were 3.3.3.2 and 3.3.3.3. Then you would just need
static (inside,outside) 2.2.2.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.3 192.168.1.11 netmask 255.255.255.255
static (inside,outside2) 3.3.3.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside2) 3.3.3.3 192.168.1.11 netmask 255.255.255.255
I hope it helps.
PK
10-11-2010 02:23 PM
Is there any way to do this just using a single outside address (for both interfaces),
eg, 2.2.2.2 is the publicly routable address that translates to 192.168.1.10 on the inside.
I can't see how this would work without having 2 separate IPs. And having 2 IPs for your web server is a bit pants.
cheers
10-12-2010 05:21 AM
Could we fall back to PAT in that case?
global (outside2) 1 interface
static (inside,outside2) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside2) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
10-12-2010 06:30 AM
Could we fall back to PAT in that case?
global (outside2) 1 interface
static (inside,outside2) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside2) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
Yes you could. When the ISP2 is up the statics hold for the 2 servers and the global is for the rest behind the inside.
I hope it helps.
PK
10-12-2010 06:33 AM
Is there any way to do this just using a single outside address (for both interfaces),
eg, 2.2.2.2 is the publicly routable address that translates to 192.168.1.10 on the inside.
I can't see how this would work without having 2 separate IPs. And having 2 IPs for your web server is a bit pants.
cheers
You are right, you will need 2 ip addresses per ISP to translate your servers. And then of course you can still use the outside ip address of the ASA.
So someone would need 3 available ip addresses per ISP, that is why /29 is the mask someone would need from them.
PK
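To sanity-check a two-ISP layout of the kind PK describes before pushing it to the box, here is an added Python example (not from this thread and not Cisco code) that parses the interface and one-to-one static lines of an 8.2-style config, flags any mapped address that falls outside its outside interface's subnet or lands on a reserved address (network, broadcast, or the ASA's own interface IP), and reports any server that lacks a static on one of the links. The sample config is constructed; a /30 backup link leaves room for only one server, which is exactly what the check catches.

```python
import ipaddress
import re
# Constructed sample (not the thread's config): /29 on the primary link, /30 on the backup.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 1.1.1.1 255.255.255.248
interface Vlan3
 nameif outside-backup
 ip address 2.2.2.1 255.255.255.252
static (inside,outside) 1.1.1.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 192.168.1.11 netmask 255.255.255.255
static (inside,outside-backup) 2.2.2.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside-backup) 2.2.2.3 192.168.1.11 netmask 255.255.255.255
"""
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def parse_interfaces(text):
    """nameif -> ip_interface, taken from each stanza's 'nameif' and 'ip address' lines."""
    ifaces, name = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces

def parse_statics(text):
    """(outside_if, mapped, real) per one-to-one static; tcp/udp port statics are skipped."""
    ms = (STATIC_RE.match(l.strip()) for l in text.splitlines())
    return [m.group(2, 3, 4) for m in ms if m and m.group(3) not in ("tcp", "udp")]

def check_statics(text):
    """Return problem strings; an empty list means the NAT layout is consistent."""
    ifaces, statics, problems = parse_interfaces(text), parse_statics(text), []
    for outside_if, mapped, real in statics:
        ip, net = ipaddress.ip_address(mapped), ifaces[outside_if].network
        if ip not in net:
            problems.append(f"{mapped}: not in {outside_if} subnet {net}")
        elif ip in (net.network_address, net.broadcast_address, ifaces[outside_if].ip):
            problems.append(f"{mapped}: reserved address on {outside_if} {net}")
    # Failover coverage: every real host needs a static on every outside interface in use.
    outside_ifs = {o for o, _, _ in statics}
    for real in sorted({r for _, _, r in statics}):
        missing = outside_ifs - {o for o, _, r in statics if r == real}
        for name in sorted(missing):
            problems.append(f"{real}: no static on {name}, unreachable if the other link fails")
    return problems
```

Re-run the check after widening the backup subnet to a /29 (mask 255.255.255.248) and the reserved-address finding goes away, matching PK's point that three usable addresses per ISP are needed for the ASA plus two servers.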
10-12-2010 06:52 AM
Thanks all. I hope to make the changes later today and will post back with the results.
10-12-2010 12:14 PM
Thanks PK