Hi Vipin
I have the below inputs on the above traffic requirement:
Please suggest if the followings are right or not?
I) So for internet connection i need to configure
a) Default route in 2851router
Yes two default routes will be required one each for the respective ISP connection. Depending upon which ISP connection we need to make Secondary for Failover we need to increase the AD of that default route.
b) Default route from ASA5510 to router's interface that is connecred to ASA
Yes we wiil need a default route from ASA towards router to send the traffic out from the router to Internet.
c) PAT from ASA's inside private addresses to ASA's outside private address
Yes this PAT would save the reverse route requirement on the router to reach the Internal LAN Subnets
d) Then another PAT from ASA's outside interface to router's WAN interface.
I don;t think this PAT is needed as its the router which is connected to Internet via Public IPs so NATTing (PAT) would be done on the router but since here we have two paths available to go out this is little tricky as we want Active:Standy mode of operation we need to do the PAT based on the NAT Pool and not outgoing interface. Are the ISPs allocating you Public Subnets or not apart from the Peering Connectivity. What we need is to have atleast one Public IP Block assigned from any of the ISP and route the same via both ISPs and the PAT would be done via this Public IP Pool so as long as one of the ISP link is UP the PAT would still work independent of which ISP Link is UP.
We need to make sure that the Public IP Pool assigned is routed via both ISPs to Internet and announced as less preferred via secondary ISP .
Do i need to configure anything for make internet UP for the internal network.
No from my understanding nothing needs to be done for the Internal Network as PAT is being used for the ASA.
II) Static NAT of servers inside the ASA's inside interface
a) Since the servers are two hops away from router's WAN interface is it possible to do a static NAT from the ASA itself?
Since we are already doing PAT on the ASA for the Internal LAN I don't think we can do Static NAT for them or may be we can do selective Static NAT on ASA and Selective PAT on the ASA.
b) or Do i need to configure NAT in router? if it so how can i configure that.
Yes PAT needs to be configured on Router for Internet Access to LAN
III) Failover mechanism
a) is RTR configuration is enough for this ISP switching? or do i need to configure BGP or something Please advice i've no idea in this
FLoating Static Route will provide the required the Switching for the Default route for Internet as explained above.
IV) IPVPN to multiple sites
a) from the ISP's website it is showing IPVPN is related to MPLS, So do i need to configure anything from our side? or ISP will do this?initially i thought it was similar to site-to-site vpn.
Ok now for the IPVPN which is actually an MPLS VPN for Inter-Site connectivity I believe we would be using separate physical links to different ISP ( coz the existing ISP Links are showing via Modem). Well anyways for the MPLS VPN we always need a PE-CE routing protocol to run with the ISP so each site LAN routes are exchanged to the remote sites across MPLS WAN. Now since we are here doing Double NAT ( at ASA and Router for the Internet Access that means the site router does not have visibility to LAN Subnets. We can still use this Model and run a Dynamic Routing Protocol say BGP with the ISP for the MPLS VPN Link and advertise the MPLS-VPN Link over that and receive the remote site routes dynamically. Here while doing NAT we need to ensure that the match criteria for NAT is capable to differentiate between the Internet and MPLS VPN destinations. One such way would be to PAT anything other than the Private IP range to the Public IPs and PAT everything in the Private IP range to the MPLS VPN Link.
Also for failover of wan interface do i need to create NAT and default route for each interface ???
Yes as mentioned above two default routes will be created one for each ISP and the AD value of the secondary ISP Link should be increased to use the Active:Standby Model.PAT has to be done on the router as explained above.
Hope this helps to clarify something on the traffic requirement. Do let me know for any questions.
Regards
Varma
