Dual active ISP on ASA

Zhaofeng Wei
Level 1

Hi,

I have two ISPs. I have a /24 public IP block from each ISP. I have NAT configured on my ASA 5525 for the WWW service.

For example.

IP from ISP1: 1.1.1.1

IP from ISP2: 2.2.2.2

When traffic comes in for 1.1.1.1:80, I would like the return traffic to go back over the ISP1 link. When traffic comes in for 2.2.2.2, the return traffic should go via ISP2.

How do I route traffic based on source IP? Will NAT affect it?

2 Replies

Anton Abik
Level 4

Hi,

first I would like to mention that you cannot have two default routes configured in different ways (ISPs). I don't know your exact topology or what you want to accomplish, but if you want to have multihomed ISPs on the ASA FW, then I think you cannot have just one ISP active and the other ISP standby for your outbound traffic while at the same time having both ISPs active for inbound routing and also doing the NAT. This is true if you are using the ISPs for your multihomed Internet traffic with a default route configured towards one ISP and another default route with a worse AD "waiting" (not in the routing table) towards the second ISP.

This is why:

incoming traffic from ISP2 (the outbound-standby ISP) --> allowed and NATed --> host responds --> return traffic reaches the ASA --> NATed back and put on the ISP2-facing interface of the ASA --> checked for routing --> routing missing --> packet dropped.

However, if you are not using default routing but explicitly specify routing towards one ISP and explicitly specify routing towards the second ISP (let's say these ISPs are not for regular Internet traffic but are some private MPLS WAN connections towards your remote sites), then you are just fine. Traffic comes in from one ISP, gets NATed, the return traffic gets NATed back, and routing is OK because you explicitly defined it.

This will work exactly as you want. You need:

  • The two nat statements
  • default-routing for active/standby.
  • no reverse-path-check on the secondary IP

If the packet is processed on the secondary link, then NAT will handle that the packet is also sent out (diverted to) that link.

This is how the config could look:

! Same real server, one static NAT per ISP block. Each NAT is bound to the
! outside interface of its ISP, so replies for connections that arrived on
! that interface are sent back out the same interface (NAT divert) instead
! of following the default route.
object network SERVER-WWW-ISP1
 host 10.10.10.80
 nat (dmz-www,outside1) static 1.1.1.1 service tcp 80 80
!
object network SERVER-WWW-ISP2
 host 10.10.10.80
 nat (dmz-www,outside2) static 2.2.2.2 service tcp 80 80
!
! Active/standby default routes: ISP1 is preferred, ISP2 is the floating
! route with a worse administrative distance (100).
route outside1 0.0.0.0 0.0.0.0 1.1.1.254
route outside2 0.0.0.0 0.0.0.0 2.2.2.254 100
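To see why the three pieces above (per-interface NAT, active/standby default routes, RPF disabled on the secondary interface) fit together, here is a small Python model of the ASA's reply-forwarding decision. It is an added example, not code from the thread; the interface names, client address and gateways are constructed.

```python
"""Toy model of how the ASA picks the egress interface for the reply to an
inbound NATed connection. Added example, not from the thread; interface
names, gateways and the client address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str
    ad: int = 1             # administrative distance; lower wins

@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    mapped_ip: str
    mapped_iface: str       # the outside side of "nat (dmz-www,<iface>)"

# Constructed config matching the thread: active/standby default routes and
# one static NAT per ISP block, each bound to its own outside interface.
ROUTES = [Route("0.0.0.0/0", "outside1", 1), Route("0.0.0.0/0", "outside2", 100)]
NATS = [StaticNat("10.10.10.80", "1.1.1.1", "outside1"),
        StaticNat("10.10.10.80", "2.2.2.2", "outside2")]
RPF_DISABLED = {"outside2"}   # "no ip verify reverse-path interface outside2"

def route_lookup(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match; of equal prefixes only the lowest AD is installed."""
    d = ipaddress.ip_address(dst)
    cands = [r for r in routes if d in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    best = min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))
    return best.iface

def rpf_ok(ingress: str, client: str, rpf_disabled=RPF_DISABLED) -> bool:
    """Reverse-path check on the inbound packet: the client's source must route
    back out the interface it arrived on, unless the check is disabled there."""
    return ingress in rpf_disabled or route_lookup(client) == ingress

def reply_egress(ingress: str, mapped_dst: str, client: str,
                 nats=NATS, rpf_disabled=RPF_DISABLED) -> Optional[str]:
    """Egress interface for the server's reply, or None if the inbound packet
    was dropped. A static NAT bound to the ingress interface diverts the reply
    back out that interface; otherwise the routing table decides."""
    if not rpf_ok(ingress, client, rpf_disabled):
        return None                               # inbound packet fails RPF
    for n in nats:
        if n.mapped_ip == mapped_dst and n.mapped_iface == ingress:
            return n.mapped_iface                 # NAT divert wins over routing
    return route_lookup(client)                   # plain routing: asymmetric
```

With the NATs bound per interface, a connection that arrives on outside2 for 2.2.2.2 is answered out outside2; with routing alone the same reply would leave via outside1, which is the asymmetric case the first reply warns about.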
