PBR and NAT Dual ISP

andrewpratt15
Level 1

I have recently acquired a 2921 router to do policy based routing for my WAN links, as I was unable to do so with the ASA 5512. With the new router I plan on implementing something similar to below.

I have a two servers (let's say they're both mail servers) that I want to primarily use ISP 1, and I would like the rest of my traffic to utilize ISP 2.

When ISP 1 fails, I want to utilize ISP 2 for the server traffic that was destined for ISP 1. I know I can setup IP SLA monitor and policy based routing to achieve these goals, but I am unsure of how my exact setup should look. I currently have all NAT taking place on the ASA, meaning I have the (in the example) 192.168.1.11 leaving the ASA after being NAT'd. Can I keep this configuration or do I need to move NAT to the router in order for the setup to work?

To summarize what I need:

2 servers using ISP 1 as primary

Clients using ISP 2 as primary

IP SLA Monitor to track failover of links, so that if ISP 1 goes down, the server will use ISP 2. Likewise if ISP 2 goes down, the clients will use ISP 1.

Can I keep NAT on the firewall?

Are there any other concerns I should be aware of? Thank you!

(if I need to connect 2 links between the ASA and router, please let me know)

router.JPG



andrewpratt15
Level 1

Anyone? I'm going to test it out in a lab environment hopefully.

Andrew

You could leave the ISP1 NAT on your firewall and have the ISP2 NAT on the router although that means if ISP1 is down then you end up doing NAT twice on source IPs.

Or you could move all NAT to the router.

Outbound traffic from clients to the internet is relatively easy either way. The main issues are:

1) Do you have any VPNs terminating on the firewall?

2) More importantly, your servers. If connections are made to your servers from the internet, which ISP do you use for NAT, and what happens if that ISP goes down?

Even if you assign a server an IP from both ISPs, which would mean two DNS entries on the internet, if one goes down then unless the other ISP is advertising out that range, traffic will be lost for half the connections.

Can you perhaps clarify how the mail servers work and how you see it working?

Jon

Thank you for the reply Jon.

I am thinking I would probably just move all NAT to the router then.

1) Yes, VPNs do terminate on the firewall.

2) If the connection to the mail servers goes down, I'm told that the relay provider we use has a system that monitors and can swap to our secondary IP if the first is unreachable via their pings. So incoming NAT would basically have a rule for both external IPs to head to the same internal IP.

However, I am not familiar with the mail relay's setup; I am just told it works that way.

The reason we added the router is because we needed failover (which the ASA supported) but we also needed to utilize both ISPs simultaneously (which the ASA did not support).

So do you think this is even doable?

Sadly, our old Sonicwall firewall did all of this in one device with no issues. I convinced my boss to switch to Cisco since I had prior positive experiences, and I am now left trying to figure out how to get him what he wants again.

Adding to my question about NAT, if I perform ISP1 NAT on the firewall and ISP2 NAT on the router, what happens if everything fails over to ISP2?

What would my NAT look like?

Currently (in my lab) I have it set up to NAT server 1 on the firewall, and that works fine, but what happens when ISP1 goes down?

It will still be NATing it on the firewall. The only thing I could think of, when you say to have NAT for ISP2 on the router, is to have that (already NAT'd) IP as the source, but then it would apply no matter what. Do I have to use a route-map for NAT and SLA monitoring to track?

Andrew

You do have to use a route map for NAT because you need to match the outgoing interface so it knows which NAT pool to use. If ISP1 fails and you leave the ISP1 NAT on the firewall, then the source IPs simply get subjected to NAT twice, i.e. once on the firewall to an ISP1 IP and then on the router to an ISP2 IP.

That should not be an issue, i.e. there is no record in the IP packet as to how many times it has been subjected to NAT.

If you terminate all NAT on the router, which I'm not saying you shouldn't do, then for your VPNs you will need to use NAT-T, because your ASA to router connection would have a private IP range and the actual VPN endpoint would be an address on the router.

If you are labbing this up, I recommend you make sure you can get all the VPN setup working correctly, as VPNs and NAT sometimes don't work well together.

If you have any more queries or need help when you lab it up, then please feel free to come back.

Jon

I see, a little clearer now.

So I'm looking at this,

http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example

which is essentially similar to my situation, except I can't use overload for the NAT because I don't want to use the interface IP; I want to use a different IP (the 192.168.1.11 or 172.16.0.11).

Is there any way to set this up without overload? I see in the syntax I can use a pool, but then it won't be applied based on the exit interface; it will be applied globally, which will interfere with the traffic while ISP1 is up.

I greatly appreciate your advice.

I just noticed the bit at the bottom of that link I sent, where it spells out the static NAT advice. Would that work for my situation?

Andrew

You mean set it up with a different IP than the interface, i.e. you will still be overloading unless you have a lot of public IPs, but you just don't want to overload on the interface IP?

If so, although I don't have anything to test with, I can't see why you can't reference a NAT pool instead. The match interface in your NAT config is to tell NAT which IP(s) to use when going out of a particular interface, but that doesn't mean it has to use the actual interface IP.

If you haven't seen it, you may also want to use this very good document as a reference:

https://supportforums.cisco.com/docs/DOC-8313

Jon

I will overload all client traffic but not the traffic from the servers. The traffic from the servers will be NAT'd to a different IP than the interface.

I will look through that document you linked. I think I am now on the right track. I will come back if I can't figure it out. Thank you very much!!
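To tie the thread together, the following is an added, constructed IOS configuration for the design the posters converge on: all NAT moved to the 2921, clients default to ISP2 and servers are policy-routed to ISP1, each tracked by IP SLA, and the NAT entry chosen by the exit interface so that the failover pool applies automatically. It is not Jon's or Andrew's configuration and not taken from the linked docwiki example. Every interface name, address (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for the ISPs, 10.x for the inside), ACL name and route-map name is an assumption made for illustration.

```ios
! Constructed topology (assumption, not from the thread):
!  Gi0/0  203.0.113.2/30   ISP1 link, next hop 203.0.113.1; ISP1 also routes 203.0.113.16/28 to us
!  Gi0/1  198.51.100.2/30  ISP2 link, next hop 198.51.100.1; ISP2 also routes 198.51.100.16/28 to us
!  Gi0/2  10.0.0.1/30      inside, towards the ASA (ASA outside = 10.0.0.2)
!  Servers 10.1.1.11 and 10.1.1.12 sit behind the ASA (hypothetical addresses)

interface GigabitEthernet0/0
 description ISP1 (servers primary)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description ISP2 (clients primary)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description Inside (to ASA)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip policy route-map SERVERS-PBR
!
! Reachability probes: one ICMP echo per ISP next hop, feeding a track object each
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Routing for everyone not policy-routed: ISP2 primary, ISP1 as a floating static (AD 10)
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 1
! Return path to the inside networks behind the ASA
ip route 10.1.1.0 255.255.255.0 10.0.0.2
!
! PBR: server traffic is forced to ISP1 only while track 1 is up; when it falls,
! the set clause is skipped and the packet follows the routing table (ISP2)
ip access-list extended SERVERS
 permit ip host 10.1.1.11 any
 permit ip host 10.1.1.12 any
!
route-map SERVERS-PBR permit 10
 match ip address SERVERS
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! NAT for clients: match on the exit interface, overloaded on that interface's own IP.
! Routing runs before inside-to-outside NAT, so the interface match sees the real exit.
ip access-list extended CLIENTS
 deny   ip host 10.1.1.11 any
 deny   ip host 10.1.1.12 any
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map NAT-ISP1 permit 10
 match ip address CLIENTS
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address CLIENTS
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
!
! NAT for the servers: a dedicated public address per ISP (not the interface IP),
! selected by exit interface so the ISP2 address is used only after failover
route-map SRV-OUT-ISP1 permit 10
 match interface GigabitEthernet0/0
route-map SRV-OUT-ISP2 permit 10
 match interface GigabitEthernet0/1
!
ip nat inside source static 10.1.1.11 203.0.113.17 route-map SRV-OUT-ISP1
ip nat inside source static 10.1.1.11 198.51.100.17 route-map SRV-OUT-ISP2
ip nat inside source static 10.1.1.12 203.0.113.18 route-map SRV-OUT-ISP1
ip nat inside source static 10.1.1.12 198.51.100.18 route-map SRV-OUT-ISP2
```

Two things to confirm in the lab before trusting this. First, the probes here target only each ISP's next hop, so they catch a dead link but not a failure further upstream; if that matters, probe an address beyond the next hop and pin it to the right interface with a host route. Second, verify the static entries with route-maps behave as needed for inbound connections from both public addresses (the relay provider's failover described above depends on it): `show ip nat translations`, `show track` and `show ip sla statistics` show what the router actually selected, and `debug ip policy` on a lab box shows whether the PBR set clause was applied or skipped.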
