08-29-2008 06:27 AM - edited 03-03-2019 11:20 PM
We have an ASA going to a router that is connected to two ISPs, but no BGP. The ASA is using PAT with an IP from ISP-1, so even when traffic is routed out to ISP-2, it comes back via ISP-1. Is it okay to do PAT again on the ISP-2 interface, so traffic will come back to this interface?
08-29-2008 07:36 AM
David
The voice of experience says it should work ok. I have a customer where we have a very similar situation. The customer traffic passes through a firewall where the addresses are translated using address space from the primary service provider and forwarded to the router with the connections to a couple of service providers. If the traffic is to be forwarded to the second provider then we translate it again. This is working fine for us.
HTH
Rick
08-29-2008 07:09 AM
If the applications work okay with PAT in the first place then there should be no problem with doing PAT on the packet again.
Jon
08-29-2008 07:13 AM
Yep, that is what I thought also, just wanted to hear others' opinions.
Thanks very much.
08-29-2008 07:54 AM
The issue you may have is how you decide to route traffic out ISP-1 and ISP-2.
If a single user machine could go out either interface and therefore appear on the internet as two different source addresses, you may have an issue. For most things there are no issues, but one example would be: if traffic to server A goes out ISP-1 and is NATted to IP address X, and traffic to server B goes out ISP-2 and is NATted to IP address Y, and the application on server A authenticates your IP X and then tells server B to allow this IP, then when your traffic actually gets to server B using address Y it will be rejected.
To avoid things like this you need to make sure a single inside machine always appears as the same address. It is a little tougher in your case because the router cannot see the original IP that the ASA NATted.
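The router-side second PAT that the question asks about, written out as a constructed IOS configuration; this is an added example, not configuration from any post in the thread. Interface names, the addresses (RFC 5737 documentation ranges), the ASA's PAT address 203.0.113.10 and the sample destination steered out ISP-2 are all assumptions.

```cisco
! Added example, not from the thread. Constructed addressing:
!   203.0.113.0/24  ISP-1 space; ASA outside/PAT address is 203.0.113.10
!   192.0.2.0/30    link to ISP-1 (gateway 192.0.2.1)
!   198.51.100.0/30 link to ISP-2 (gateway 198.51.100.1)
! The ASA (pre-8.3 syntax current in 2008) already PATs everything to
! its outside address:
!   nat (inside) 1 0.0.0.0 0.0.0.0
!   global (outside) 1 interface
! so the router only ever sees 203.0.113.10 as the source.
!
interface GigabitEthernet0/0
 description Toward ASA outside interface
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP-1 uplink; 203.0.113.0/24 is routed here, no translation needed
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP-2 uplink; traffic leaving here is PATed a second time
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Only the ASA's PAT address is translated, and only when the routing
! decision already sends the packet out the ISP-2 interface.
ip access-list extended ASA-PAT-ADDR
 permit ip host 203.0.113.10 any
!
route-map VIA-ISP2 permit 10
 match ip address ASA-PAT-ADDR
 match interface GigabitEthernet0/2
!
ip nat inside source route-map VIA-ISP2 interface GigabitEthernet0/2 overload
!
! Default path is ISP-1; one constructed destination block is steered
! out ISP-2 and so returns via 198.51.100.2 instead of 203.0.113.10.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 192.0.2.128 255.255.255.128 198.51.100.1
```

Check the result with `show ip nat translations`: a flow to the steered block should appear with inside global 198.51.100.2, while flows toward the default route show no router translation at all. Because the router matches only on the ASA's single PAT address, which public address an inside host appears from depends entirely on the routing decision, which is the caveat raised above about a host showing up as two different addresses.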