ip nat inside source and two ISP on two separate routers

Unanswered Question
Jan 25th, 2010

Hello, everybody

I have a problem: I can't make redundant links to my internal resources (such as a web server).

This is a diagram of my connectivity

                                     /-----------ASA1------Border1-2821---------ISP1
---------switch-Core----------/                                     |
                                     \------------ASA2------Border2-2821---------ISP2

All IGP routing is done by OSPF.

The main routing path is Core-ASA1-Border1-ISP1, and the return path is the same.

On Border1 PBR is present; it routes specific traffic to Border2.

All borders are operational (not HSRP).

ASA1 (outside), ASA2 (outside), Border1 (inside) and Border2 (inside) are connected through a switch.

The main problem is that I cannot publish internal resources through two ISPs.

For example,

on Border1:

ip nat inside source static 172.19.1.250 1.1.1.1 extendable

on Border2:

ip nat inside source static 172.19.1.250 2.2.2.2 extendable

Of course, with the current configuration all replies from the internal network to the Internet go to Border1 (Border2 has a higher metric).

When I make the costs equal, the ASA sees two equal-cost paths to 0.0.0.0.

Diagram (packet flow)

                                    /------------ASA1-----------Border1-2821---------ISP1
---------switch-Core----------/                             \        |
                                    \------------ASA2           Border2-2821---------ISP2

When users from the corporate network initiate connections, it's all OK - load balancing is working.

But when connections are initiated from outside to Border1, for example, the reverse packet flow goes from the ASA to Border2.

I solved this problem by implementing ip nat outside source on the border routers ("labelling" the packets).

It's not a good decision, because in the future I am planning to implement IDS on the ASA, and "viewing" not real IP addresses is not good.

Please help or give advice on how to implement NAT source through 2 ISPs without implementing NAT outside source.

Thanks

With best wishes, Vladimir

Excuse my English.

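One way to build the source "labelling" the post describes, shown here for Border1 (an added illustration, not configuration from the thread; Border2 mirrors it with 2.2.2.2 and its own pool). The addresses 1.1.1.1, 2.2.2.2 and 172.19.1.250 come from the post; the interface names, the inside link 192.168.100.0/24, the ISP1 link addressing, the ISP1 gateway 1.1.1.254 and the 10.255.1.0/24 label pool are assumptions. The idea is that every Internet source arriving via ISP1 is rewritten to an address that only Border1 advertises into OSPF, so the web server's reply is routed back through Border1 regardless of which equal-cost path the ASAs prefer:

```cisco
! Border1 (ISP1 side). Border2 mirrors this with 2.2.2.2 and pool 10.255.2.0/24.
! 1.1.1.1, 2.2.2.2 and 172.19.1.250 are from the thread; everything else
! (interface names, 192.168.100.0/24, 1.1.1.254, 10.255.1.0/24) is assumed.
interface GigabitEthernet0/0
 description to ISP1 (addressing assumed)
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description inside, towards ASA1/ASA2 via the shared switch (addressing assumed)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.254
!
! Publish the web server via ISP1 (this line is the one from the post).
ip nat inside source static 172.19.1.250 1.1.1.1 extendable
!
! "Label" every Internet source that arrives through ISP1 with an address
! from a pool that only Border1 advertises. The web server then replies to
! 10.255.1.x, and OSPF carries that reply back to Border1, never to Border2.
ip access-list standard INET-SOURCES
 permit any
!
ip nat pool LABEL-ISP1 10.255.1.1 10.255.1.254 netmask 255.255.255.0
! add-route installs a host route for each translated (outside-local) address,
! so the reply is routable on Border1 before NAT undoes the label.
ip nat outside source list INET-SOURCES pool LABEL-ISP1 add-route
!
! Anchor the pool and advertise it into OSPF so the ASAs and the core
! send 10.255.1.0/24 to Border1 only. Only the /24 is redistributed;
! the per-flow /32s stay local to avoid OSPF churn.
ip route 10.255.1.0 255.255.255.0 Null0
ip prefix-list LABEL-POOL seq 5 permit 10.255.1.0/24
route-map LABEL-ONLY permit 10
 match ip address prefix-list LABEL-POOL
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 redistribute static subnets route-map LABEL-ONLY
```

The trade-off is exactly the one the post raises: anything behind the borders, including an IDS on the ASAs, sees 10.255.1.x and 10.255.2.x instead of the real Internet source, so alerts have to be correlated with the NAT translation table on the border that handled the flow (`show ip nat translations`). The pool also has to be sized for the number of concurrent outside sources, since each active Internet client holds one pool address until its translation times out.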
Jon Marshall Mon, 01/25/2010 - 02:48

Vladimir

Absolutely nothing wrong with your English at all

The solution you are using is the way to do it, i.e. NAT the incoming source addresses.

The only other thing I can think of is to use PBR on your core switch with the recursive next-hop feature (if it is supported). So traffic going from 172.19.1.250 to the internet has its next-hop set to border1_2821, which would then send it back to the correct router.

Or could you implement PBR on border2_2821 on the inside interface so that any traffic coming in from 172.19.1.250 destined for the internet is sent back out to border1_2821?

Do you think either of these could work for you?

Jon

Vladimir Tikhorskiy Mon, 01/25/2010 - 04:31

Jon, nice to meet you.

It's a good solution, but

I need to receive traffic for the inside host from two ISPs at the same time.

I think that the only working solution in my infrastructure is ip nat outside source (((((

Another solution is multi-homed Internet access with BGP, but I don't want to receive an ASN.

Also it works on one router with two WAN cards (one router, 2 ISPs).

But I want to isolate hardware, software and link problems from one device (for example, a DoS attack kills the router and two links at a time).
