(Twice?) NAT on ASA 8.2 for second ISP Connection

Paul Wedde
Level 1

Hi Guys,

I'm working on a problem at the moment where I have 2 Internet connections each with their own Interface on an ASA running 8.2(5). What I want to be able to do is host different web sites on each ISP's ranges but I'm banging my head against a wall at the moment trying to either get the routing or NATing to work in a satisfactory way.

The default route is via one of these Internet connections and obviously the website hosted on this Interface is working fine.

To get another website hosted on the other ISP or interface - traffic is getting blackholed as it is being routed in the 2nd ISP interface and then trying to be routed back out the 1st ISP interface.

I thought I could overcome this using Policy Based Routing but ASA does not support this. I'm also aware that I can overcome this problem by upgrading the ASA code to 8.3 or 8.4 where the NAT will override the Routing table.

I'm vaguely thinking that there might be a way to overcome this using clever NAT but have not been able to figure it out yet. A lot of other Forum posts have suggested that you can use Policy NAT (either Static or Dynamic) or a Dynamic NAT to get the second NAT working and overcome this routing problem, but all of these options seem to define a specific source where I need to allow ANY Source on either connection (connections inbound to the webservers originating from anywhere on the Internet).

I toyed with the idea of Source NAT'ing traffic coming in on the 2nd ISP connection so that it would appear to originate from an IP in the same network. This would overcome the routing problem but not ideal as WebServer logs would see all connections originating from this IP as opposed to the real IP on the Internet.

My current (relevant) configuration looks something like this:

static (DMZ, EXTERNAL_ISP1) 192.168.1.1 10.0.0.1 netmask 255.255.255.255
static (DMZ, EXTERNAL_ISP2) 172.16.100.2 10.0.0.2 netmask 255.255.255.255
!
route EXTERNAL_ISP1 0.0.0.0 0.0.0.0 192.168.1.254 1

I would have thought that this is a fairly simple task to achieve but it seems not (at least not on ASA 8.2). I have attached a rough VSD to illustrate what I mean.

Does anyone know how I can get this working?

Thanks!!!

3 Replies

Jouni Forss
VIP Alumni

Hi,

Have you thought about getting a router in front of your ASA to handle the Policy Based Routing?

I mean just simply configuring the ASA with 2 different public IP addresses for the servers hosting websites and then on the router assigning the correct ISP default gateway based on the public source address of the web server?

This way you would have a single outside interface on the ASA and 2 different public network ranges routed towards that outside interface of the ASA from the router.

To my understanding you can't handle this situation with the ASA alone. I'm managing a couple of customer networks that have Dual ISP and the routing is always handled with a router in front of the ASA.

Installation of a router is not likely. I need to be able to do this in software and relatively quickly!

If I can not get this working in 8.2, I know it works fine in 8.3 and 8.4 so the next step would be to upgrade the software (and Migrate the existing NAT config- ARGHHH!!!)..

Paul Wedde
Level 1

OK,

turns out there was no issue with my NAT config. My problem was that there was no route defined on the 2nd ISP.

After reading this thread - https://supportforums.cisco.com/docs/DOC-6069

My config looks like this now:

static (DMZ, EXTERNAL_ISP1) 192.168.1.1 10.0.0.1 netmask 255.255.255.255
static (DMZ, EXTERNAL_ISP2) 172.16.100.2 10.0.0.2 netmask 255.255.255.255
!
route EXTERNAL_ISP1 0.0.0.0 0.0.0.0 192.168.1.254 1
route EXTERNAL_ISP2 0.0.0.0 0.0.0.0 172.16.100.254 2

And everything is peachy!

Strange that it uses the defined gateway from the second default route (Metric 2) even though this route is not in the routing table!?
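The reply-path behaviour the thread arrives at, as an added model and not the poster's configuration or Cisco's code: it assumes (a simplification of the behaviour described in the linked document) that only the lowest-metric default route is installed in the routing table, but a higher-metric default route still marks its interface's gateway as the one used to answer connections that arrived on that interface. Addresses and interface names are the ones from the thread; the functions `reply_egress` and `inbound_web_connection` are the model's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str      # interface named in the "route" statement (all routes here are 0.0.0.0/0)
    gateway: str    # next hop
    metric: int


@dataclass(frozen=True)
class StaticNat:
    mapped_iface: str  # outside interface of "static (DMZ, <mapped_iface>)"
    mapped_ip: str     # public address
    real_ip: str       # DMZ server address


def routing_table(routes):
    """Only the best-metric default route is installed in the routing table."""
    return min(routes, key=lambda r: r.metric)


def reply_egress(routes, ingress_iface):
    """Interface and gateway used to answer a connection that arrived on ingress_iface.

    Model assumption: if any default route (installed or not) names the ingress
    interface, the reply stays on that interface and uses that route's gateway;
    otherwise the reply follows the routing table, which is what blackholed ISP2.
    """
    on_ingress = [r for r in routes if r.iface == ingress_iface]
    best = min(on_ingress, key=lambda r: r.metric) if on_ingress else routing_table(routes)
    return best.iface, best.gateway


def inbound_web_connection(nats, routes, ingress_iface, dst_ip):
    """Map the public address to its DMZ server and decide where the reply goes."""
    for n in nats:
        if n.mapped_iface == ingress_iface and n.mapped_ip == dst_ip:
            egress_iface, gw = reply_egress(routes, ingress_iface)
            return {"server": n.real_ip, "reply_iface": egress_iface,
                    "reply_gw": gw, "symmetric": egress_iface == ingress_iface}
    return None  # no static translation on that interface: connection is dropped


# Constructed from the thread's two config snapshots.
NATS = [StaticNat("EXTERNAL_ISP1", "192.168.1.1", "10.0.0.1"),
        StaticNat("EXTERNAL_ISP2", "172.16.100.2", "10.0.0.2")]
BEFORE = [Route("EXTERNAL_ISP1", "192.168.1.254", 1)]
AFTER = BEFORE + [Route("EXTERNAL_ISP2", "172.16.100.254", 2)]
```

With only the first route, a connection arriving on EXTERNAL_ISP2 for 172.16.100.2 is answered out EXTERNAL_ISP1; with the metric-2 route added, the routing table still shows only ISP1 but the reply leaves via 172.16.100.254.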
