Solved: Re: Help please, Dual ISP with HSRP scenario

pozoteleco · ‎06-10-2019

Hi everybody;

I have a question about how to set up this network scenario. In my company we are going to install a second ISP to have more redundancy (it is a medium company of 300 employees) that will be connected directly to a second router, the idea is to create two HSRP groups in which we point the traffic with a default route pointing to the IP of the HSRP depending of the department or the server is routing to HSRP 1 or 2. The doubt is how to make de NAT and where in this situation (R1 and R2 routers? or in ASA?), It's clear for me that route maps i have to configure in ASA obviously to balance and routing the traffic depending of the origin.

Could you help me please?? See the topology below:

Kind Regards.

Hector Gustavo Serrano Gutierrez · ‎06-10-2019

I think your design will be more “clean” with each Router performing its own NAT translations which is more a personal opinion at this point, but that could impact Enterprise to Internet load balance if that is one of your goals. Are you considering NAT on the ASA to accomplish some configuration/design advantage?

View solution in original post

Hector Gustavo Serrano Gutierrez · ‎06-10-2019

I think your design will be more “clean” with each Router performing its own NAT translations which is more a personal opinion at this point, but that could impact Enterprise to Internet load balance if that is one of your goals. Are you considering NAT on the ASA to accomplish some configuration/design advantage?

pozoteleco · ‎06-10-2019

i think so, thank you so much for your response!

Hector Gustavo Serrano Gutierrez · ‎06-11-2019

No problem @pozoteleco,

For completeness, the NAT configuration on the Routers can be as similar to:

ip access-list extended NAT_INSIDE
 remark RFC1918
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/a overload
!
interface GigabitEthernet0/a
 description TO WAN
 ip address x.x.x.2 255.255.255.252
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/b
 description TO LAN
 ip address 192.168.23.y 255.255.255.0
 ip nat inside
 no shutdown
!
ip route 10.0.0.0 255.0.0.0 192.168.23.10 name TO_LAN
ip route 172.16.0.0 255.240.0.0 192.168.23.10 name TO_LAN
ip route 192.168.0.0 255.255.0.0 192.168.23.10 name TO_LAN
ip route 0.0.0.0 0.0.0.0 x.x.x.3 name TO_WAN
!

I hope this helps.

DISCLAIMER:

The configurations discussed in this post can be merely templates and may not be final configurations that can be just copied & pasted to any network device in a production environment. It is responsibility of whoever follows this suggestions to review, evaluate and modify the configurations at convenience. Ensure that you understand the potential impact of any command. In all cases, make sure not to lose remote management access to the device. It is highly suggested to introduce changes to live networks only during maintenance windows. The author of this post is not responsible of unintended consequences by failing to follow this disclaimer note.

Philip D'Ath · ‎06-10-2019

This would be much easier using a Cisco Meraki MX100 rather than an ASA.

https://meraki.cisco.com/products/appliances/mx100

It has dual WAN links so you can just plug in both circuits and not worry about HSRP.

It has built in load balancing, or you can use flow preferences to direct certain hosts/subnets out a particular circuit.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferences