cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
688
Views
0
Helpful
3
Replies

Complex routing issue

Colin Higgins
Level 2
Level 2

OK, here is issue:

I have 2 sites, and each has a connection to the Internet. Both sites have an Internet router with an ASA 5510 behind it.

Site A has a DMZ off the ASA with a public address space. Let's call it 12.220.7.192 /26

The two sites are connected internally through a MPLS network and are in defferent cities. The two ASAs are about 5 hops from each other.

Here is what I need to do:

If the Internet link in site A goes down, I want inbound traffic from the Internet to be able to reach the DMZ in that site from site B. In other words, traffic to the 12.220.7.192 network will be dynamically re-routed through site B, which is in a different city.

Now the Internet provider/carrier is the same in both sites, and we can do BGP to advertise routes.

Here is what I am unsure about

1. Can the Internet router in site B advertise the 12.220.7.192 to the ISP even though that subnet is 5 hops away, not directly connected, and is not received by that router from an internal routing protocol?

2. What would I do on the ASA in site B? Set up a static route to the 12.220.7.192 network and perform NAT on the hosts there?

any advice would be great.

1 Accepted Solution

Accepted Solutions

Colin

I was actually intending to edit this post (again !) to mention that if it is the same ISP MED is a better solution than using as-path prepending which is generally used when you have different ISPs. So yes to the MED.

2) When you say redistribute static are you running BGP between the ISP router and ASA ? Do you mean the ASA will then pass this on into your internal LAN. If not then you don't need to redistribute it because it is there simply to allow you to advertise out the 12.220.7.192 network to your ISP at site B.

3) Not sure what you mean. Do you mean PAT the servers in the DMZ ? If so you can't do this, you need to use static NATs.

Basically it is as i said in my last post -

1) you need to present these 12.220.7.x servers to the internet on site B ASA

2) if site A fails then traffic comes in via site B.  The source IPs of the traffic will be any internet address. So if you think about it, if you route the traffic to site A dmz server, when they respond they have no route back. The default-route on the the site A ASA will not be available. and you can't have a default-route in your network pointing back to site B as this would disrupt the rest of your traffic.

How do you route traffic to site A ASA in normal conditions for outbound internet access ? Do you have a default-route pointing to site A ASA inside interface ? If so you could repoint the default-route to site B ASA and then somehow make the ASA in site A aware of that route.

It is all about routing the traffic back out of your network from incoming internet connections. That is the tricky part.

So how is traffic, under normal conditions, routed to site A ASA ?

Jon

View solution in original post

3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

Colin

1) Yes, the ISP doesn't care how many hops it is in your network. They just route it to your network. The problem you have is getting BGP to advertise it. If you don't have a route in the routing table then it won't be advertised. You can add a static route to Null0 on the site B router to advertise it out but then when traffic gets to the router it will simply be dropped.

If you don't want to run IBGP between your routers then perhaps a solution would be to add this route to your site B ISP router -

ip route 12.220.7.192 255.255.255.192

then you have another issue. If you are advertising the same subnet from both sites but you want the traffic to go to site A under normal circumstances then you need to tell the ISP with site you prefer. You can look to use as-path prepending on the site B router so that site A is normally preferred if the site A link is up.

2) On the site B ASA you would need to -

1) setup static NATs for the 12.220.7.x addresses used in the site A DMZ

2) allow access to those addresses from the internet on the site B ASA

3) NAT the source IPs so they return to the site B ASA. This more complex than it sounds. You could use -

nat (outside) 1  0.0.0.0 0.0.0.0 outside

global (inside) 1 interface

this would NAT all incoming source IPs to the inside IP on site B ASA so the return traffic should go back to the ASA. But if the site B ASA is also used for outbound internet access the above config would break the connections ie. an internal client connects to a web server on the internet and then when the return traffic comes back the above config would NAT the web server IP address to the inside IP of the ASA. This obviously isn't what you want.

You could try

access-list permit ip any 12.220.7.192 255.255.255.192

nat (outside) 1 access-list PNAT outside

global (inside) 1 interface

this would limit the nattting of source IPs to just traffic going to the 12.220.7.x servers from the internet. The only thing i am unsure of is can you do policy NAT with an access-list on the outside interface. You can do it on the inside, just not sure about the outside so it would need testing.

Edit - forogt to mention. Obviously you will need to add a route internally for the 12.220.7.x servers pointing to the site B ASA. This is fine as long as there are no internal clients that access these servers on their real IPs.

Jon

OK, it gets a little trickier ...

I have no internal routing currently between the two ASAs for that public DMZ range 12.220.7.192

Site B doesn't know anything about that range and will simply use the default route to the Internet to get there.

What if I do this?

1. Set up BGP in both sites, but with a MED on site B that indicates 12.220.7.192 is available but at a higher cost (less preferable)

2. Set up a static route on the Internet router running BGP in site B pointing to the outside interface of the ASA for that public network. Use redistribute static.

3. Set up a PAT statement for the host in the remote DMZ (in site A) on the ASA in site B, and then put a static route statement on the ASA pointing to an internal route. Traffic should then come in through the Internet, hit the ASA, and be forwarded internally to the remote DMZ in site A (I hope).

Will this work?

Colin

I was actually intending to edit this post (again !) to mention that if it is the same ISP MED is a better solution than using as-path prepending which is generally used when you have different ISPs. So yes to the MED.

2) When you say redistribute static are you running BGP between the ISP router and ASA ? Do you mean the ASA will then pass this on into your internal LAN. If not then you don't need to redistribute it because it is there simply to allow you to advertise out the 12.220.7.192 network to your ISP at site B.

3) Not sure what you mean. Do you mean PAT the servers in the DMZ ? If so you can't do this, you need to use static NATs.

Basically it is as i said in my last post -

1) you need to present these 12.220.7.x servers to the internet on site B ASA

2) if site A fails then traffic comes in via site B.  The source IPs of the traffic will be any internet address. So if you think about it, if you route the traffic to site A dmz server, when they respond they have no route back. The default-route on the the site A ASA will not be available. and you can't have a default-route in your network pointing back to site B as this would disrupt the rest of your traffic.

How do you route traffic to site A ASA in normal conditions for outbound internet access ? Do you have a default-route pointing to site A ASA inside interface ? If so you could repoint the default-route to site B ASA and then somehow make the ASA in site A aware of that route.

It is all about routing the traffic back out of your network from incoming internet connections. That is the tricky part.

So how is traffic, under normal conditions, routed to site A ASA ?

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: