Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2021
Views
0
Helpful
2
Replies

ip nat inside source and two ISP on two separate routers

Vladimir Tikhorskiy
Level 1
Level 1

‎01-25-2010 12:27 AM - edited ‎03-04-2019 07:17 AM

Hello, everybody

I have a problem, can`t make a redundancy links to my internal resources (such a webserver)

This is a diagram of my connectivity

                                     /-----------ASA1------Border1-2821---------ISP1

---------switch-Core----------/                                     |

                                    \------------ASA2------Border2-2821---------ISP2

All IGP routing made by OSPF

The main routing path is Core-ASA1-Border1-ISP1, the backward routing is the same

On Border 1 PBR is present, it routes specific traffic to Border2

All boarders are operational (not HSRP)

ASA1(outside), ASA2(outside), Border1(inside), Border2(inside) connected through switch

The main problem - is that i cannot make publishing of internal resources through two ISP

for example

on border1

ip nat inside source static 172.19.1.250 1.1.1.1 extendable

on border2

ip nat inside source static 172.19.1.250 2.2.2.2 extendable

Of cause with current configuration all reply`s from internel network to Internet go to Border1 (Border2 has a higher metric)

Then i make a equal cost, ASA will see two equal cost route paths to 0.0.0.0

Diagram (packet flow)

                                    /------------ASA1-----------Boarder1-2821---------ISP1

---------switch-Core----------/                             \        |

                                    \------------ASA2           Boarder2-2821---------ISP2

Then Users from corporate network initiating connections, it`s all ok - load balancing working

But then connections initiates from outside to Border1 for example, reverse packet flow going from ASA to Border2

I solve this problem by implementing ip nat outside source on border routers ("labaleling" packets)

It`s not a good decision, because in a futere i planning to implement IDS on ASA and "viewing" not real IP adresses - not good

Please, help or give a advice how to implement nat source through 2 ISPs without implementing a nat outside source

Thanks

With best wishes, Vladimir

Xcuse for my English

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎01-25-2010 02:48 AM 

vtikhorskiy wrote:
Hello, everybody
I have a problem, can`t make a redundancy links to my internal resources (such a webserver)
This is a diagram of my connectivity
                                     /-----------ASA1------Border1-2821---------ISP1
---------switch-Core----------/                                     |
                                    \------------ASA2------Border2-2821---------ISP2
All IGP routing made by OSPF
The main routing path is Core-ASA1-Border1-ISP1, the backward routing is the same
On Border 1 PBR is present, it routes specific traffic to Border2
All boarders are operational (not HSRP)
ASA1(outside), ASA2(outside), Border1(inside), Border2(inside) connected through switch
The main problem - is that i cannot make publishing of internal resources through two ISP
for example
on border1
ip nat inside source static 172.19.1.250 1.1.1.1 extendable
on border2
ip nat inside source static 172.19.1.250 2.2.2.2 extendable
Of cause with current configuration all reply`s from internel network to Internet go to Border1 (Border2 has a higher metric)
Then i make a equal cost, ASA will see two equal cost route paths to 0.0.0.0
Diagram (packet flow)
                                    /------------ASA1-----------Boarder1-2821---------ISP1
---------switch-Core----------/                             \        |
                                    \------------ASA2           Boarder2-2821---------ISP2
Then Users from corporate network initiating connections, it`s all ok - load balancing working
But then connections initiates from outside to Border1 for example, reverse packet flow going from ASA to Border2
I solve this problem by implementing ip nat outside source on border routers ("labaleling" packets)
It`s not a good decision, because in a futere i planning to implement IDS on ASA and "viewing" not real IP adresses - not good
Please, help or give a advice how to implement nat source through 2 ISPs without implementing a nat outside source
Thanks
With best wishes, Vladimir
Xcuse for my English

Vladimir

Absolutely nothing wrong with your English at all

The solution you are using is the way to do it ie. NAT the incoming source addresses.

The only other thing i can think of is to use PBR on your core switch with the recursive next-hop feature (if it is supported). So traffic going from 172.19.1.250 to the internet has it's next-hop set to border1_2821 which would then send it back to the correct router.

Or could you implement PBR on border2_2821 on the inside interface so that any traffic coming in from 172.19.1.250 destined for the internet is sent back out to border1_2821.

Do you think either of these could work for you ?

Jon

0 Helpful

Vladimir Tikhorskiy
Level 1
Level 1
In response to Jon Marshall

‎01-25-2010 04:31 AM

Jon, nice to meet You

It`s a good solution, but

i need to recieve a traffic for inside host from two ISP at same time

I think, that only one working solution in my infrastructure is ip nat outside source(((((

Another solution is Multi-homed Internet access with BGP, but i don`t want to recieve ASN

Also it works on one router with two wan cards (one router - 2 ISP)

But i want to isolate hardware, software, link problems from one device (for example DOS attack kill router and two links at time)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card