1625 Views, 0 Helpful, 5 Replies

Dual ISP NAT Question

mtehonica
Level 5

Here is my situation... I have dual ISP configured on my ASA 5505. I need to NAT several servers on the inside to public IPs on the outside.

Example:

Web Server Private IP: 192.168.5.11

Public IP from ISP 1: 96.249.40.40

Public IP from ISP 2: 208.125.237.80

Here is my config:

ASA Version 8.4(1)
!
hostname nysyr-sbo-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description Connection to Primary ISP (FiOS)
 nameif primaryisp
 security-level 0
 ip address 172.31.150.25 255.255.255.0
!
interface Vlan3
 description Connection to Secondary ISP (Time Warner)
 nameif backupisp
 security-level 0
 ip address 10.10.10.25 255.255.255.0
!
interface Vlan5
 description Connection to internal internet access subnet (192.168.5.0/24)
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network primaryisp-network
 subnet 172.31.150.0 255.255.255.0
object network backupisp-network
 subnet 10.10.10.0 255.255.255.0
object network inside-network
 subnet 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu primaryisp 1500
mtu backupisp 1500
ip local pool vpn-ip-pool 10.20.20.10-10.20.20.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
access-group global_access global
route primaryisp 0.0.0.0 0.0.0.0 172.31.150.254 1 track 1
route backupisp 0.0.0.0 0.0.0.0 10.10.10.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
 threshold 3000
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

5 Replies

Pawan Sharma
Level 1

Hi,

This is something which is generally not recommended if used simultaneously. What you can do is configure it along with IP SLA and use them with automated failover.

Regards,

Pawan Sharma

http://www.ebrahma.com

Regards,
Pawan Sharma
https://itgears.io

Thanks for the reply. As you can see from the config, I am using IP SLA to failover from primaryisp to backupisp. What I need to figure out is how to handle this situation when a failover happens.

Hi,

You don't have to handle this manually. In case of failover the ASA will rebuild the NAT table and would do the same for your static NATs too.

Regards,

Pawan Sharma

http://www.ebrahma.com

Regards,
Pawan Sharma
https://itgears.io

How would it do it automatically? I have to tell it what to NAT. For example...

object network asp-wss-1
 nat (any,any) static 208.125.237.80

How do I also tell it to nat (any,any) static 96.249.40.40??  Would I need to create 2 unique objects with 2 unique private IPs?

For anyone else who comes across this issue, here is what I ended up doing...

Create 2 objects with the same IP...

object network asp-wss-1-tw
 host 192.168.5.11
object network asp-wss-1-vz
 host 192.168.5.11

Then NAT each of those to their respective IPs for that ISP...

object network asp-wss-1-tw
 nat (inside,backupisp) static 208.125.237.xxx
object network asp-wss-1-vz
 nat (inside,primaryisp) static 24.97.182.xxx
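For readers reproducing the pattern above, here is an added, complete example of the per-ISP static NAT (this is not the original poster's configuration). It assumes the web server from the first post (192.168.5.11 on tcp/80), uses the example public IPs given there (96.249.40.40 for primaryisp, 208.125.237.80 for backupisp), and assumes that global_access is the access list already bound in the posted config with "access-group global_access global"; the object names web-server-primaryisp and web-server-backupisp are chosen for this example. It also adds the piece the thread never shows: the access list, written against the real address as ASA 8.3 and later require, and restricted to the one service the server offers.

```cisco
! Added example, not the poster's config. Assumptions: server 192.168.5.11 listens on
! tcp/80; public IPs are the example values from the first post; global_access is the
! ACL bound with "access-group global_access global" in the posted config.
!
! One network object per ISP-facing interface, both resolving to the same real host.
! Static NAT is scoped to its interface pair, so neither translation is "any,any".
object network web-server-primaryisp
 host 192.168.5.11
 nat (inside,primaryisp) static 96.249.40.40
!
object network web-server-backupisp
 host 192.168.5.11
 nat (inside,backupisp) static 208.125.237.80
!
! ASA 8.3+ matches access lists on the real (untranslated) address, so the rule names
! 192.168.5.11, never the public IPs. Permit only tcp/80 rather than "permit ip any".
access-list global_access extended permit tcp any host 192.168.5.11 eq www
!
! A global access-group carries its own implicit deny on every interface, including
! inside, so outbound traffic from the LAN must be permitted explicitly as well
! (inside-network is the object already defined in the posted config).
access-list global_access extended permit ip object inside-network any
!
! Checks to run after applying (enable mode):
!   show nat detail              - both static translations listed, with hit counters
!   show route | include 0.0.0.0 - which default route is active right now
!   show track 1                 - reachability state that drives the primaryisp route
!   packet-tracer input primaryisp tcp 198.51.100.10 40000 96.249.40.40 80
!   packet-tracer input backupisp  tcp 198.51.100.10 40000 208.125.237.80 80
! Each trace should end in "Action: allow" and show the UN-NAT phase mapping the
! public address to 192.168.5.11. 198.51.100.10 is a documentation address standing
! in for an Internet client.
```

The two packet-tracer runs are the part worth keeping: they confirm, from each ISP side separately, that the translation, the access list and the route lookup all agree, so a translation that exists on paper but is never hit on one interface shows up before a failover does.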
