Two ISP One Inside Server With NAT public

RonnieBillate
Level 1

Hi Everyone,

I would like to seek assistance with regard to designing a redundant ISP setup in a data center. I already simulated this in GNS3 and it didn't work. I hope someone can suggest or recommend a design.

1. I have two ISPs.

2. The design has two VRRP firewalls.

3. The firewall has a NAT configuration.

4. The server has a static NAT on ISP1 and another on ISP2.

5. The default route points to ISP1.


Now the issue comes in: when an outsider contacts the server using the NAT on ISP2, the packet is accepted and traverses to the private IP of the server. The private IP server then replies using the default route, which is ISP1.

Question
Is there a way for the firewall to know that the packet came in on ISP2 and to reply using ISP2 (where it came from)?


1 Reply

Hello

You could try policy-based routing to achieve this:


Possible example:

! ISP2 WAN-facing interface (x.x.x.x = address, m.m.m.m = mask)
interface x/x
 nameif Isp2
 ip address x.x.x.x m.m.m.m

! PAT for outbound traffic leaving via ISP2
nat (inside,Isp2) source dynamic any interface

! Published server ports (TCP service object-group)
object-group service Srv_ports tcp
 port-object eq 80
 port-object eq 443

! Traffic from the inside server that should be steered to ISP2
access-list Srv-acl extended permit tcp host 172.16.1.1 host <ISP host> object-group Srv_ports

! Route-map: matching traffic gets ISP2's next hop (y.y.y.y)
route-map Pbr_rm permit 10
 match ip address Srv-acl
 set ip next-hop y.y.y.y

! Apply the policy route on the inside interface
interface x/x
 nameif inside
 policy-route route-map Pbr_rm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul