05-06-2013 07:11 AM - edited 03-11-2019 06:39 PM
Hi all,
I want to know if I can do this with my ASA5515-X. I have two servers that do the same thing; they are SSO servers. What I want to do is publish the 2 servers on the Internet with the same public IP address and on TCP 443.
Is it supported? Will it work like load balancing per session?
Or do I need to add an HLB between the ASA and my SSO servers?
Thanks
05-06-2013 07:41 AM
Hi Yann,
You can configure the ASA to allow traffic to your SSO server from outside on two public IPs. Users can hit either IP to reach the inside server. Now, load balancing would be achieved based on the source devices sending requests to the public IPs. If source machines on the Internet use one public IP more to access the server, the ASA can't do anything to load balance in such a scenario. Here is how you can accomplish this:
Assuming the SSO server on the inside is 192.168.16.110 and the two public IPs are 192.168.17.110 and 192.168.17.111:
object network SSO_1
host 192.168.17.110
object network SSO_2
host 192.168.17.111
object network SSO
host 192.168.16.110
object service https
service tcp source eq https
nat (inside,outside) source static SSO SSO_1 service https https
nat (inside,outside) source static SSO SSO_2 service https https
Hostname(config)# sh xl
2 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.110 443-443
flags sr idle 0:00:06 timeout 0:00:00
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.111 443-443
flags sr idle 0:00:08 timeout 0:00:00
Verification:
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.110 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.110/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3670, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.111 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_2 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.111/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3671, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
-
Sourav
05-07-2013 01:30 AM
thanks sourav,
But in your scenario I can only use one of my 2 internal SSO servers?
thx
Yann
05-07-2013 05:40 AM
Hi Yann,
My bad! I misunderstood your question. I provided the config for one server on the inside and allowed connections to it from the Internet using two mapped IPs. Now, in your case we will need the ASA to load balance the incoming requests on a public IP to two internal servers on TCP 443, which, I am afraid, can't be accomplished on the ASA.
The ASA will need to have two mapped IPs in this case. However, you can put a load balancing device in between, for which we can have a one-to-one static NAT or port forward on TCP 443, and that can load balance the requests received on its IP to the two inside servers.
-
Sourav
05-14-2013 06:53 AM
thanks sourav for your time.
It means that I need an HLB...
yann
05-14-2013 06:56 AM
Yes, that is correct.
-
Sourav
Please rate the helpful posts, and ask questions if you need any further help.
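As an added example that is not part of the original thread, here are the two designs the answers describe, written as ASA 8.3+ style configuration. The addresses reuse the thread's placeholders (192.168.16.x inside, 192.168.17.x as the "public" side); the second SSO server 192.168.16.111, the load balancer VIP 192.168.16.120, the extra mapped address 192.168.17.112 and the outside test client 203.0.113.5 are assumptions. It also narrows the inbound ACL to TCP 443 toward the published hosts instead of the `permit ip any any` visible in the packet-tracer output above.

```cisco
! Added example (not from the thread). Two ways to publish the SSO servers:
! Option A is ASA-only and needs one public IP per server (no balancing);
! Option B uses one public IP and hands the distribution to an HLB.
! Assumed addresses: 192.168.16.111 (second SSO server), 192.168.16.120 (HLB VIP).
!
! --- Option A: one public IP per server, no load balancing on the ASA ---
! Clients (or DNS) decide which public IP to use; the ASA only forwards TCP 443.
object network SSO_1_real
 host 192.168.16.110
 nat (inside,outside) static 192.168.17.110 service tcp https https
object network SSO_2_real
 host 192.168.16.111
 nat (inside,outside) static 192.168.17.111 service tcp https https
!
! --- Option B: one public IP, static NAT to the HLB VIP (what the thread concludes) ---
! The HLB (assumed VIP 192.168.16.120) chooses between the two SSO servers;
! the ASA only translates and filters. 192.168.17.112 is used so the mapped
! address does not collide with Option A if both are kept in a lab.
object network SSO_HLB_VIP
 host 192.168.16.120
 nat (inside,outside) static 192.168.17.112 service tcp https https
!
! --- Inbound filter: permit only TCP 443 to the published hosts ---
! On ASA 8.3+ the interface ACL matches the real (untranslated) addresses.
object-group network SSO_PUBLISHED
 network-object host 192.168.16.110
 network-object host 192.168.16.111
 network-object host 192.168.16.120
access-list OUTSIDE_IN extended permit tcp any object-group SSO_PUBLISHED eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Verification (exec mode), documentation address 203.0.113.5 as the client ---
! show nat detail
! show xlate
! packet-tracer input outside tcp 203.0.113.5 40000 192.168.17.112 443
! packet-tracer input outside tcp 203.0.113.5 40000 192.168.17.112 80
```

With this ACL the second packet-tracer (port 80) should stop at the ACCESS-LIST phase with a drop, whereas with `permit ip any any` the UN-NAT phase alone decides what reaches the inside. The practical difference between the options is that the HLB in Option B can health-check both SSO servers and pull a failed one out of rotation, while in Option A a client that keeps using the public IP of a dead server simply fails; the ASA has no view of server health.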