Hi,
I will try my best to make my setup as clear as possible so here it goes. We want to run our web services and internal network behind a transparent redundant internet access using BGP.
The material we have is the following :
2x ASA 5516-X
2x HP J9726A 2920-24G Switch with Stacking module
Our ISP
1x ASR 920
1x ME 3600X
Interconnection
One cross-connect 100Mbps from each of their router to each of our switch in the HP stack.
The WANs of the AS goes in the HP switchs using portchannel in different vlan
Each of the ISP router is running BGP with the same AS number and our ASA are configured has Active/Standby and run BGP as well with a different AS. We receive from those ISP bgp peers only default route and we advertise only one public /29.
Problem : For outgoing traffic all is fine but for ingoing traffic from internet destinate to our public /29 nothing was working before i put a route like this on our ASA : route PROD 1.1.1.1 255.255.255.248 127.0.0.1 1 where 1.1.1.1 is our public IP block. We are also nating one of this IP address to a production server with the following.
nat (WAN-VID201,PROD) source static any any destination static NAT-PROD iis service iis-plain iis-plain
nat (WAN-VID401,PROD) source static any any destination static NAT-PROD iis service iis-plain iis-plain
WAN-VID201 and WAN-VID401 is the two interface linked to each BGP peers.
UPDATE : I removed the route PROD from the RIB and configure an interface with the first IP of the public block and i think i cannot bind the VPN on that interface. I can access the server that in this range but not the vpn service that are on this interface cause when i came from the web i going trough the WAN-VID401 trying to access another asa interface.
So i wonder now what to do with the VPN
I dont feel like this setup is neat so let me know what do you think.
Regards,
Jay