cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1366
Views
0
Helpful
5
Replies

shared public IP with same tcp port (round robin/load balance)

yann.boulet
Level 1
Level 1

Hi all,

I want to know if I can do that with my ASA5515-X, I have two servers that can do the same thing, there are SSO servers, What I want to do is to publish the 2 servers on Internet with the same public IP address and on TCP 443.

Is it supported ? will it works like load balancing per sessions ?

or do I need to add an HLB between ASA and my SSO servers ?

Thanks

5 Replies 5

sokakkar
Cisco Employee
Cisco Employee

Hi Yann,

You can configure the ASA to allow traffic to your SSO server from outside on two public IP's. Users can hit either of the IP to reach the inside server. Now, load balancing would be achieved based on source devices sending request to public IP's. If source machine son internet use one public IP more to access the server, ASA can't do anything to load balance in such scenario. Here is how you can accomplish this:

Assuming SSO server on inside is 192.168.16.110 and two public IP's are 192.168.17.110 and 192.168.17.111

object network SSO_1

host 192.168.17.110

object network SSO_2

host 192.168.17.111

object network SSO

host 192.168.16.110

object service https

service tcp source eq https

nat (inside,outside) source static SSO SSO_1 service https https

nat (inside,outside) source static SSO SSO_2 service https https

Hostname(config)# sh xl

2 in use, 6 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.110 443-443

    flags sr idle 0:00:06 timeout 0:00:00

TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.111 443-443

    flags sr idle 0:00:08 timeout 0:00:00

Verification:

Hostname(config)#    packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.110 443

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static SSO SSO_1 service https https

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.17.110/443 to 192.168.16.110/443

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside in interface outside

access-list outside extended permit ip any any

Additional Information:

Phase: 3

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static SSO SSO_1 service https https

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3670, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hostname(config)#    packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.111 443

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static SSO SSO_2 service https https

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.17.111/443 to 192.168.16.110/443

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside in interface outside

access-list outside extended permit ip any any

Additional Information:

Phase: 3

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static SSO SSO_1 service https https

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3671, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

-

Sourav

thanks sourav,

but in your scenario I can only use one of my 2 internal SSO servers ?

thx

Yann

Hi Yann,

My bad! I misunderstood your question. I provided config for one server on inside and allow connections to it from internet using two mapped IP's. Now, in your case we will need the ASA to load balance the incoming requests on a public IP to two internal servers on TCP 443. Which I am afraid to tell but can't be accomplished on ASA.

ASA will need to have two mapped IP's in this case. However, you can put some load balancing device in b/w for which we can have a one to one static or port forward on TCP 443 and that can load balance the request received on its IP to two inside servers.

-

Sourav

thanks sourav for your time.

it means that I need HLB..

yann

Yes, that is correct.

-

Sourav

Please rate the helpful posts, ask question if you need any further help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card