Static NAT with 2 ISPs and different services published in each ISP

sonacolombia · ‎07-05-2011

Hi

I have a problem configuring this:

DMZ -

ASA1 -

ROUTER----

ISP1

|--

ASA2 -

\ \--

ISP2

In the DMZ the network is the 192.168.0.0 /24

Between the ASA and the router we create the network 192.168.202.0/24 which just make a nat between the 5 public addresses of each ISP like this:

<TD style="WIDTH: 60pt" width=80 mcestyle="width: 60pt;">IP router</TD></TR>

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.2

IP ASA1

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.3

IP ASA2

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.11

190.145.26.66

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.12

190.145.26.67

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.13

190.145.26.68

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.14

190.145.26.69

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.15

190.145.26.70

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.16

190.85.63.66

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.17

190.85.63.67

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.18

190.85.63.68

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.19

190.85.63.69

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.20

190.85.63.70

<TD style="HEIGHT: 12.75pt" height=17 mcestyle="height: 12.75pt;">192.168.202.21

190.66.24.181

Now each service provider give me 5 public addresses and there are some services published in each ISP and only in that ISP.

The router is a CISCO2821 and has an HWIC-4ESW connected to the ASA. and isn connected to the outside trough the GI0 and 1.

I need that the

The configuration is the next, my concern is for the services published in the public addresses of the ISP2 because the router does the static nattgin and then would not forward that traffic trough ISP1 which is the firs default route?

I would appreciate any help with this

!
vlan 100
name ROUTER
exit
!
!===================================================================================!
!nat y load balancing
!===================================================================================!
!
interface Gi0/0

description ISP1

ip address 190.145.26.68 255.255.255.240
ip nat outside
!
interface Gi0/1

description ISP2

ip address 190.85.63.68 255.255.255.240
ip nat outside
!
interface Fa0/0/0
switchport mode access vlan 100
!
!
interface Fa0/0/1
switchport mode access vlan 100
!
interface vlan100
description TELMEX
ip address 192.168.202.1 255.255.255.0
ip nat inside
!

ip nat inside source static 192.168.202.2 190.145.26.68 route-map isp1
ip nat inside source static 192.168.202.3 190.145.26.68 route-map isp1
ip nat inside source static 192.168.202.11 190.145.26.66 route-map isp1
ip nat inside source static 192.168.202.12 190.145.26.67 route-map isp1
ip nat inside source static 192.168.202.13 190.145.26.68 route-map isp1
ip nat inside source static 192.168.202.14 190.145.26.69 route-map isp1
ip nat inside source static 192.168.202.15 190.145.26.70 route-map isp1
ip nat inside source static 192.168.202.16 190.85.63.66 route-map isp2
ip nat inside source static 192.168.202.17 190.85.63.67 route-map isp2
ip nat inside source static 192.168.202.18 190.85.63.68 route-map isp2
ip nat inside source static 192.168.202.19 190.85.63.69 route-map isp2
ip nat inside source static 192.168.202.20 190.85.63.70 route-map isp2

access-list 101 permit ip 192.168.202.0 0.0.0.255 any

route-map isp1 permit 10
match ip address 101
match interface Gi0/0

route-map isp2 permit 10
match ip address 101
match interface Gi0/1

ip route 0.0.0.0 0.0.0.0 190.145.26.65 !
ip route 0.0.0.0 0.0.0.0 190.85.63.65 10 !Backup route

Thank you

sonacolombia · ‎07-05-2011

Attached is the topology and the static table which did not appear in the post

Marwan ALshawi · ‎07-05-2011

you need to have Policy based routing with your configuration to conrol the traffic routing based on the source IP or destination

have a look at the bellow link which will be helpful how to configure the PBR in your case

https://supportforums.cisco.com/docs/DOC-8313

or if you want all traffic from those servers comfing thorugh ASA 1 interface go to ISP! for example and the ASA 2 to ISP2 then you can do it this way as well buy using teo PBRs on the routeres interfaces connected to each of the ASAs

good luck

if helpful rate