Changing the external IP, how to organize soft move IP?

Yuri Kazankin
Level 1

Good day!

The situation is as follows:

There is an Internet Service Provider (ISP1) with a Cisco ASA (8.4) (ASA1) with the external IP 1.1.1.1, and a web server with the internal address 10.0.0.186 which runs a web application.

On ASA1 configured NAT:

    Source - Origin: 10.0.0.186/32, Translated: 1.1.1.1/32
    Service - Origin: tcp source eq www, Translated: tcp source eq www

Thus the applications running on the web server 10.0.0.186 are available at the address 1.1.1.1.

I need to migrate to another Internet service provider (ISP2); for this there is a second Cisco ASA (ASA2) with the external address 2.2.2.2.

On ASA2 configured NAT:

    Source - Origin: 10.0.0.186/32, Translated: 2.2.2.2/32
    Service - Origin: tcp source eq www, Translated: tcp source eq www

Wiring diagram: [image: cisco.jpeg]

On the web server there is a route:

    Destination Gateway  Genmask
    default     10.0.0.1 0.0.0.0

Question:

It is necessary that the web app is available on IP 1.1.1.1 and 2.2.2.2.

In this case, NAT on ASA2 works correctly, but the return packets are sent to ASA1 and nothing works.

I tried to add a route on ASA2 via ASA1:

    S 10.0.0.186 255.255.255.255 [1/0] via 10.0.0.1, LAN
    C 10.0.0.0 255.255.255.0 is directly connected, LAN

But ASA2 still uses the directly connected route:

    Jun 19 12:40:38 ASA2% ASA-7-609001: Built local-host LAN: 10.0.0.186
    Jun 19 12:40:38 ASA2% ASA-6-302013: Built inbound TCP connection 98 for WAN: 1.2.3.4/2930 (1.2.3.4/2930) to LAN: 10.0.0.186/80 (2.2.2.2/80)

Please help to organize a smooth relocation. Any ideas?

6 Replies

Abzal
Level 7

Hi,

You need to change default route on Web server to point to ASA2 10.0.0.2. Then it should be ok.

Hope it will help.

Best regards,
Abzal


You need to change default route on Web server to point to ASA2 10.0.0.2. Then it should be ok.

Good day.

Then the web application will be available at IP 2.2.2.2, but will not be available at IP 1.1.1.1. This will not solve the problem.

It is necessary that the web application is available at IP 1.1.1.1 and 2.2.2.2.

Hi,

I think the easiest way is to plug in one more NIC, give it another IP address and make a static NAT to ASA2, and the first NIC to ASA1.

Best regards,
Abzal

Hello

You don't say what your ASAs are connected to with regard to your LAN devices. It could be that you are able to implement Policy Based Routing (PBR), so that any web traffic sourced from your server is policy routed via ASA2 and ISP2.

res

Paul


Hello

The connection to the LAN is through a switch.

I would be very grateful if you could give an example configuration.

I have hardly dealt with PBR.

mfurnival
Level 4

I am not sure how this would work with PBR. Traffic can come in to the site via either ISP1 or ISP2 and get forwarded on to your server. Outbound traffic can only go to one gateway, so roughly half the time (assuming the load is balanced) it will go out via the "wrong" ASA. This might not matter; it depends on what else is north of this site and whether the service gets upset with asymmetric routing.

What about hosting another internal address on the server such as 10.0.0.187 and having the rule on ASA1 forward to 10.0.0.186 and the rule on ASA2 forward to 10.0.0.187? Then you can manipulate which outbound traffic goes where because the source address will be different.
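One way to carry out the two-address idea on the web server itself, as an added example that is not from the thread: Linux source-based policy routing sends replies from 10.0.0.186 back through ASA1 and replies from 10.0.0.187 back through ASA2, so each stateful firewall only ever sees both directions of the connections it translated and never drops an asymmetric return path. It assumes the server runs Linux with iproute2 (the route table in the question looks like Linux `route` output), that the NIC is eth0, that ASA1 is 10.0.0.1 and ASA2 is 10.0.0.2 as the replies state, and that 10.0.0.187 is the second address bound to the same NIC.

```shell
#!/bin/sh
# Source-based return routing for a server reachable through two NAT firewalls.
# Assumptions (not from the thread): Linux + iproute2, eth0, ASA1=10.0.0.1,
# ASA2=10.0.0.2, second server address 10.0.0.187 on the same NIC.
set -eu

IP=${IP:-ip}            # set IP=echo to preview the commands without applying them
IFACE=${IFACE:-eth0}

# add_source_route <table-id> <server-ip> <gateway>
# Packets whose source is <server-ip> are looked up in their own routing table,
# whose only default route is <gateway>. The main table is untouched, so traffic
# the server originates itself (DNS, updates) keeps the existing default route.
add_source_route() {
    table=$1; src=$2; gw=$3
    $IP addr replace "$src/24" dev "$IFACE"
    $IP route replace default via "$gw" dev "$IFACE" table "$table"
    $IP rule add from "$src" lookup "$table" priority "$((10000 + table))"
}

# 10.0.0.186 answers via ASA1 (NATed to 1.1.1.1), 10.0.0.187 via ASA2 (2.2.2.2).
apply_split_return_paths() {
    add_source_route 101 10.0.0.186 10.0.0.1
    add_source_route 102 10.0.0.187 10.0.0.2
}

# show_return_path <client-ip> <server-ip>
# Asks the kernel which gateway a reply to <client-ip> sourced from <server-ip>
# would use; after applying, 10.0.0.187 must show "via 10.0.0.2".
show_return_path() {
    $IP route get "$1" from "$2"
}

# Run with the argument "apply" to change the live routing; anything else is a preview.
if [ "${1:-}" = apply ]; then
    apply_split_return_paths
    show_return_path 1.2.3.4 10.0.0.186
    show_return_path 1.2.3.4 10.0.0.187
fi
```

The ASA side keeps the NAT rules from the question, except that the ASA2 rule translates 10.0.0.187 instead of 10.0.0.186; the web application must then listen on both addresses.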
