03-04-2015 10:51 PM - edited 03-05-2019 12:56 AM
Hi All,
Currently I have a 5525-x with a public IP on the Outside interface connected directly to my ISP and the ASA is doing all the NAT translations, VPN and firewall requirements. We are now getting a second internet connection to a different ISP so that we can split the business related traffic from internet browsing. I know that the 5525-x is not capable of PBR and want to install a 1941 router in front of the ASA so that I can configure PBR on that but I still want to keep my NAT and VPN settings on the ASA.
My question is what IP addresses should I configure on the 1941 between the ASA and the 1941 and also between the 1941 and the two different ISPs seeing that I now will have two different public IP ranges. The ASA can only have one default route which will be the 1941 but the NAT translations will be done on the ASA for all public facing IP addresses. The new public IP range will be used purely for internet browsing and the outgoing NAT translations when users access the internet, whereas the current public IP range will remain for all the other NAT translations.
Any help will be appreciated.
Thanks
Marius
03-06-2015 05:13 AM
Marius
If you can get two /30s then there is no need for private addressing unless you are desperate to save public IPs.
And if you were doing VPNs you probably don't want to use private addressing on the ASA as this could cause issues with NAT.
What you do is leave your public IP addressing as is and simply use the new block for NAT as well.
The ASA would have a default route pointing to the router. The router would have a route for the new block pointing to the outside interface of your ASA.
Each ISP would need a route for their own block pointing to your end of the /30 on the router.
That should work fine and it means no readdressing or changing of anything on the ASA.
What you can then do is, as Rick suggested, use a different public IP on the ASA for specific traffic and use PBR on the router to then send it to the correct ISP, which also means traffic is symmetric, i.e. it goes out and comes back on the same link, which is what you really want.
Jon
03-05-2015 01:55 AM
That won't work in a way that will satisfy you. But there are options you can go:
1) Configure your ASA with both ISPs in a primary/backup way. With that your initiated traffic will flow over the primary default route, but incoming traffic can be handled from both ISPs.
2) Place a proxy in an ASA DMZ. In that DMZ you use your 1941 with a connection to the second provider and point the proxy's default gateway to that router. Now your web surfing is also on the second ISP.
3) Wait for PBR to arrive on the ASA. There are rumors that this feature will come sooner or later.
03-05-2015 05:58 AM
I wonder if it would work to have the ASA do address translation for web browsing traffic (TCP 80 and 443) using a public IP from one ISP and do address translation for other traffic using a public IP from the other ISP and then let the 1941 route the outbound traffic using PBR to make decisions based on the source address (or perhaps based on the port number).
HTH
Rick
03-05-2015 12:26 PM
Hi Rick
I like the idea but the only issue is what addressing is used to connect the router to the different ISPs.
If Marius wants to keep the public block he is using on the ASA then a new block is needed for the router to that ISP unless they can agree to use private addressing.
And the same goes for the other ISP as well.
If both ISPs agreed to use private addressing on the links then actually it would work fine as you suggest.
I don't know whether ISPs would do this though, as I have never done that before?
Jon
03-05-2015 11:17 PM
Hi Rick/Jon,
I should be able to get /30 IP blocks for the WAN ports connecting the router to the ISPs. If I can get that sorted, should I configure a private range between the router and the ASA and route the two public ranges from the router to the ASA for address translation and use separate address translations for outgoing traffic? For example:
ASA Outside IP: 192.168.0.1
router inside IP: 192.168.0.2
router ISP1: /30 IP of ISP1
router ISP 2: /30 IP of ISP2
ASA address translation:
nat (any,Outside) after-auto source dynamic 80 "ISP2 public IP"
nat (any,Outside) after-auto source dynamic 443 "ISP2 public IP"
nat (any,Outside) after-auto source dynamic any "ISP1 public IP"
Thanks
Marius
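Putting Jon's addressing plan (keep the existing block on the ASA, a /30 to each ISP, the new block routed from the router to the ASA outside interface) together with the port-based NAT sketch above, here is a worked configuration written as an added example; it is not the configuration from any post in this thread. All addresses are constructed RFC 5737 documentation ranges: 203.0.113.0/29 stands in for the existing ISP1 block (ASA outside 203.0.113.2, router taking the old gateway address 203.0.113.1), 198.51.100.0/30 and 192.0.2.0/30 for the ISP1 and ISP2 links, and 192.0.2.16/28 for ISP2's NAT block; the third router port is assumed to be an EHWIC interface.

```cisco
! ---- 1941 (added example; all addresses are constructed placeholders) ----
! Gi0/0 faces the ASA and takes the gateway address the ASA already uses,
! so nothing on the ASA has to be readdressed (existing ISP1 block /29).
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip policy route-map ISP-SPLIT
! /30 links to the two ISPs (Gi0/0/0 assumed to be an EHWIC port)
interface GigabitEthernet0/1
 description ISP1 (business traffic, VPN, existing static NATs)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/0/0
 description ISP2 (internet browsing)
 ip address 192.0.2.2 255.255.255.252
! Default route to ISP1. ISP2's NAT block is routed to the ASA outside
! interface so return traffic arriving from ISP2 reaches the ASA.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.0.2.16 255.255.255.240 203.0.113.2
! PBR on the ASA-facing port: traffic the ASA has already translated to an
! ISP2 address leaves via ISP2, keeping each flow symmetric; everything
! else (including VPN sourced from 203.0.113.2) follows the default route.
ip access-list extended FROM-ISP2-BLOCK
 permit ip 192.0.2.16 0.0.0.15 any
route-map ISP-SPLIT permit 10
 match ip address FROM-ISP2-BLOCK
 set ip next-hop 192.0.2.1

! ---- ASA 5525-X (existing static NATs and VPN config stay untouched) ----
! Default route is unchanged: 203.0.113.1 now lives on the router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
object network ISP1-PAT
 host 203.0.113.3
object network ISP2-PAT
 host 192.0.2.17
object service HTTP
 service tcp destination eq 80
object service HTTPS
 service tcp destination eq 443
! after-auto rules are evaluated after the object NATs, so the existing
! static translations keep winning for their hosts; web ports go to ISP2's
! address, everything else to ISP1's.
nat (inside,outside) after-auto source dynamic any ISP2-PAT service HTTP HTTP
nat (inside,outside) after-auto source dynamic any ISP2-PAT service HTTPS HTTPS
nat (inside,outside) after-auto source dynamic any ISP1-PAT
```

For this to work, ISP1 must route 203.0.113.0/29 to 198.51.100.2 and ISP2 must route 192.0.2.16/28 to 192.0.2.2, as Jon notes. The FROM-ISP2-BLOCK ACL only classifies already-translated source addresses for PBR; it is not an inbound security filter, so the ASA remains the policy enforcement point.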
03-09-2015 02:20 AM
Hi Jon/Rick,
Thanks for your suggestions. I will be testing the new ISP's connection this week and we are planning on making it live on Friday night. I will try your suggestions and let you guys know how it goes.
Thanks
Marius
03-05-2015 12:13 PM
Marius
As Karsten says it won't work with just two blocks of public IP addressing.
However if you could subnet down your blocks or get two more smaller blocks then you can -
1) configure the 1941 to each ISP with the relevant smaller block
2) use your existing block as it is on the ASA
3) add a route for the new block on your router pointing to your ASA outside interface and then you could use these for NAT.
Your ISPs would also need routes for the blocks in use on the ASA pointing to the router interface IPs used to connect to the ISP routers.
It always comes down to the IP addressing as to how easy these things are to do.
Jon
03-06-2015 05:35 AM
I agree that what will work is very dependent on what IP block or blocks are assigned to Marius by the ISPs. I have worked with some customers where the ISP assigned a single block of addresses to work for both interface addressing and address translation. I find it a bit more common that the ISP will assign a small block (frequently /30) for interface addressing and a separate larger block for address translation. If the ISPs give Marius two blocks then the strategy we have suggested of small block on the router interface and larger block on ASA works and if an ISP assigns just a single block then it does not.
HTH
Rick