Dual WAN, NAT, PAT, VPN ASA Design Question

Mattthew Haworth
Beginner

I've been tasked with adding a dual WAN solution for our office. We currently have an ASA 5510 with one internet provider (the ASA is the border device). We have a site-to-site VPN endpoint terminating on this device and many PAT statements for our 11 public IP addresses. We want to add a second WAN ISP connection, utilizing those public IPs to do PAT and NAT as well. We need both ISP links to be active, but the main internet-bound connections going out ISP A. I've been reading and found that I need to put a router in front of the ASA device to enable this.

My question is:

How do I go about configuring the ASA and router to enable this?

I put the publics on the router, a single connection going to the ASA, private IPs in between, but what NAT/PAT rules do I need?

What would be a good model router to put in front of the ASA? Our main ISP is an 80/30Mb connection and the second is a 50/20Mb.

How about the site-to-site VPN: do I need to set up a 1-to-1 NAT on the new router for the public IP that the VPN is coming in on?

I don't need load balancing, but failover from ISP A to ISP B would be needed in the setup.

Many thanks in advance.


3 Replies

Mattthew Haworth
Beginner

Does no one have suggestions for this?

You would need to move the public IP addresses to the WAN interfaces of the new router and have static 1-to-1 mappings for each of your NAT'ted services. Hardware-wise you would be looking at something like a 29xx or 39xx series router; it depends on what throughput and features you would be looking to run on the router. In an ideal world you would have two routers on the outside of the firewall, because you are introducing a single point of failure (the router).

Awesome, thank you for the input! So if I have static 1-to-1 mappings, my ASA and WAN router will have to have their own private /24 network in between to handle all the translations, correct? And I was incorrect about the amount of bandwidth: it's 100/10 and 40/40, so they want to be able to expand to 200Mbps of throughput on the WAN routing. I was looking at the 3945, and it would be just for what was mentioned: routing two ISP connections to my ASA 5510. So no inspect or QoS or anything like that being enabled on this edge device.
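To make the design in the reply above concrete (and the private /24 the follow-up asks about), here is an added IOS configuration sketch for the new edge router; it is not from the thread or from Cisco documentation. Public addresses move to the ISP-facing interfaces, a private transit /24 sits between router and ASA, each public service address is a static 1:1 NAT to a transit address, and the default route fails over from ISP A to ISP B under IP SLA tracking. The addresses (203.0.113.0/28 for ISP A, 198.51.100.0/30 for ISP B, 172.16.0.0/24 transit), interface names and route-map names are placeholders, and the example assumes the 11 public IPs belong to ISP A, so inbound services on them are reachable only while ISP A is up (announcing the block via both ISPs would need BGP, which the thread does not cover).

```cisco
! Added example (placeholder addressing), not the poster's configuration.
! ISP A 203.0.113.0/28 (owns the public block), ISP B 198.51.100.0/30,
! router<->ASA transit 172.16.0.0/24; the ASA outside interface is 172.16.0.10.
interface GigabitEthernet0/0
 description ISP A (primary)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
interface GigabitEthernet0/1
 description ISP B (failover only)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/2
 description Transit to ASA outside interface
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
! Probe ISP A's next hop; the primary default route is withdrawn when the probe fails
! and the floating static (AD 10) toward ISP B takes over.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Route-maps bind each translation to the interface the packet actually leaves on,
! so a host is never translated to ISP A's block while exiting via ISP B.
access-list 10 permit 172.16.0.0 0.0.0.255
route-map VIA-ISP-A permit 10
 match interface GigabitEthernet0/0
route-map VIA-ISP-B permit 10
 match ip address 10
 match interface GigabitEthernet0/1
!
! One static 1:1 mapping per public address. The ASA keeps its existing PAT and
! static rules, but they now use transit addresses (172.16.0.10, .11, ...).
! The site-to-site VPN peer is reached at 203.0.113.3; the remote side must be
! able to work with a peer behind 1:1 NAT (NAT-T).
ip nat inside source static 172.16.0.10 203.0.113.3 route-map VIA-ISP-A
ip nat inside source static 172.16.0.11 203.0.113.4 route-map VIA-ISP-A
!
! During failover all outbound traffic is PATed to ISP B's interface address;
! inbound services on the ISP A block stay down until ISP A returns.
ip nat inside source route-map VIA-ISP-B interface GigabitEthernet0/1 overload
```

After a failover and fail-back, existing translation entries may need to be cleared (`clear ip nat translation *`) so sessions re-establish over the active link.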
