ASA and ISA NLB (different inbound/outbound local IPs)

Unanswered Question
Dec 11th, 2008
Here's the logical topology:

ASA--(nlb)--(isa nlb)--ISA
(primary)----------(isa primary)

(The diagram doesn't appear correctly in the forum: ASA has three interfaces (outside, nlb, primary); ISA has two interfaces (isa nlb, isa primary); isa nlb is connected to ASA nlb; isa primary is connected to ASA primary.)

We want to use the NLB NIC (using a VIP) for inbound requests only and utilize the other "Primary" NIC for outbound traffic (ISA-initiated as well as return traffic) - this is the NLB setup recommended by Microsoft. Thus, the Primary NIC has a higher priority (lower metric) than the NLB NIC on the host. The problem would be the NAT/PAT on the ASA. Would something like this be possible?

!--- For outbound
access-list policy_nat1 extended permit ip host 192.168.3.21 any
static (primary, outside) 1.2.3.4 access-list policy_nat1

!--- For inbound request
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 80
static (nlb, outside) 1.2.3.4 172.20.20.11 netmask 255.255.255.255
access-group outside_access_in interface outside

What I am curious about is how the ASA would interpret the return traffic from the host. For inbound, the xlate would have been set up between the ASA's outside address and the NLB, but the return traffic would have the Primary NIC's address as the source due to the lower metric. My initial thought was that this would not work, but I currently don't have management access to the ASA and can't test the scenario.


Thanks for the help.
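To make the return-traffic question concrete, here is an added toy model (constructed for this page, not code from the thread or from Cisco) of how a stateful firewall's connection table treats a reply that leaves through a different interface and source address than the one the inbound xlate was built for. The client address 203.0.113.5 is made up, and the model assumes, as the post intends, that an inbound connection to 1.2.3.4:80 untranslates to the NLB VIP on the nlb interface.

```python
"""Toy stateful NAT model for the ASA/NLB scenario in the post (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ifc: str            # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


# Static NAT entries from the post, keyed by (real interface, real IP).
STATICS = {
    ("nlb", "172.20.20.11"): "1.2.3.4",      # static (nlb,outside): inbound
    ("primary", "192.168.3.21"): "1.2.3.4",  # policy static (primary,outside): outbound
}
# Assumption: outside->in traffic to 1.2.3.4 is untranslated to the NLB VIP.
INBOUND_REAL = ("nlb", "172.20.20.11")


class Firewall:
    def __init__(self):
        # conn table: (inside ifc, inside ip, inside port, outside ip, outside port)
        self.conns = set()

    def from_outside(self, p):
        """Client -> 1.2.3.4: a SYN builds the xlate/conn toward the NLB VIP on nlb."""
        if p.dst != "1.2.3.4":
            return "drop: no translation"
        if not p.syn:
            return "drop: no connection"
        ifc, real = INBOUND_REAL
        self.conns.add((ifc, real, p.dport, p.src, p.sport))
        return f"forward to {real}:{p.dport} via {ifc}"

    def from_inside(self, p):
        """Server -> client: must match a conn on the SAME interface and real IP."""
        key = (p.ifc, p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            return f"forward to {p.dst} as {STATICS[(p.ifc, p.src)]}:{p.sport}"
        if p.syn and (p.ifc, p.src) in STATICS:
            self.conns.add(key)              # host-initiated outbound connection
            return f"new outbound conn via {STATICS[(p.ifc, p.src)]}"
        # Mid-stream packet with no matching conn: stateful inspection rejects it.
        return f"drop: no connection ({p.src} on {p.ifc})"


def scenario():
    fw = Firewall()
    client = ("203.0.113.5", 40000)      # constructed client address/port
    r1 = fw.from_outside(Pkt("outside", *client, "1.2.3.4", 80, syn=True))
    r2 = fw.from_inside(Pkt("nlb", "172.20.20.11", 80, *client))       # reply via NLB NIC
    r3 = fw.from_inside(Pkt("primary", "192.168.3.21", 80, *client))   # reply via Primary NIC
    return r1, r2, r3
```

Only the reply that leaves on the same interface and real address the xlate was built for matches the connection entry; the reply sourced from the Primary NIC arrives mid-stream with no conn and is dropped, which is the symptom to look for in the firewall's "no connection" denies.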


jbayuka Wed, 12/17/2008 - 08:23

Network Load Balancing allows using multiple servers for failover and load balancing. The balancing occurs at the NIC on the server. On the servers, you assign a unique IP to the NIC and the web site on each server. Then you configure the NIC to use NLB. Once you do that, it creates an arbitrary MAC address which is assigned an IP address which represents both servers. It is that address that is NAT'ed at the ASA.


Which ASA are you using?

