01-25-2010 12:27 AM - edited 03-04-2019 07:17 AM
Hello, everybody
I have a problem: I can't make redundant links to my internal resources (such as a webserver).
This is a diagram of my connectivity:
                              /-----------ASA1------Border1-2821---------ISP1
---------switch-Core----------/                         |
                              \------------ASA2------Border2-2821---------ISP2
All IGP routing is done by OSPF.
The main routing path is Core-ASA1-Border1-ISP1; the return routing is the same.
On Border1 PBR is present; it routes specific traffic to Border2.
All borders are operational (not HSRP).
ASA1 (outside), ASA2 (outside), Border1 (inside), Border2 (inside) are connected through a switch.
The main problem is that I cannot publish internal resources through two ISPs,
for example:
on Border1:
ip nat inside source static 172.19.1.250 1.1.1.1 extendable
on Border2:
ip nat inside source static 172.19.1.250 2.2.2.2 extendable
Of course, with the current configuration all replies from the internal network to the Internet go to Border1 (Border2 has a higher metric).
When I make them equal cost, the ASA will see two equal-cost paths to 0.0.0.0.
Diagram (packet flow):
                              /------------ASA1-----------Border1-2821---------ISP1
---------switch-Core----------/                    \      |
                              \------------ASA2     Border2-2821---------ISP2
When users from the corporate network initiate connections, it's all OK - load balancing is working.
But when connections are initiated from outside to Border1, for example, the reverse packet flow goes from the ASA to Border2.
I solve this problem by implementing ip nat outside source on the border routers ("labeling" packets).
It's not a good decision, because in the future I'm planning to implement IDS on the ASA, and the IDS "viewing" addresses that are not the real IPs is not good.
Please help or give advice on how to implement nat source through 2 ISPs without implementing nat outside source.
Thanks
With best wishes, Vladimir
Excuse my English
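The asymmetric-return failure Vladimir describes, as an added Python model that is not part of the thread: the 1.1.1.1 / 2.2.2.2 static NAT entries come from the post, while the 10.x outside-source pools, the parity-based ECMP choice and the 198.51.100.x client addresses are constructed assumptions. It shows the reply leaving through the other border router (and being rejected by the client) when ip nat outside source is absent, and that with it the ASA sees only the labelled address, which is the IDS concern raised above.

```python
from dataclasses import dataclass
INSIDE_HOST = "172.19.1.250"
STATIC_NAT = {"Border1": "1.1.1.1", "Border2": "2.2.2.2"}     # from the post
# Constructed 'ip nat outside source' pools, one per border router (not from the post).
OUTSIDE_POOL = {"Border1": "10.1.1.", "Border2": "10.2.2."}
OUTSIDE_XLATE = {"Border1": {}, "Border2": {}}                  # labelled src -> real client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def ecmp_pick(pkt):
    """Equal-cost choice at the ASA/core, simplified to the parity of the last dst octet."""
    return "Border1" if int(pkt.dst.rsplit(".", 1)[1]) % 2 == 0 else "Border2"

def inbound(border, pkt, label):
    """Border router receiving from its ISP: undo static NAT on dst; with
    outside-source NAT also rewrite src into this router's own pool."""
    src = pkt.src
    if label:
        src = OUTSIDE_POOL[border] + pkt.src.rsplit(".", 1)[1]
        OUTSIDE_XLATE[border][src] = pkt.src
    dst = INSIDE_HOST if pkt.dst == STATIC_NAT[border] else pkt.dst
    return Packet(src, dst)

def return_border(pkt):
    """Reply leaving the inside: a labelled dst has exactly one owner, otherwise ECMP."""
    for border, pool in OUTSIDE_POOL.items():
        if pkt.dst.startswith(pool):
            return border
    return ecmp_pick(pkt)

def outbound(border, pkt):
    """Border router sending to its ISP: static NAT on src, undo its own label on dst."""
    src = STATIC_NAT[border] if pkt.src == INSIDE_HOST else pkt.src
    return Packet(src, OUTSIDE_XLATE[border].get(pkt.dst, pkt.dst))

def round_trip(entry_border, client, label):
    """Return (packet as the ASA sees it, reply as the client sees it, reply border)."""
    at_asa = inbound(entry_border, Packet(client, STATIC_NAT[entry_border]), label)
    reply = Packet(at_asa.dst, at_asa.src)        # web server answers what it saw
    via = return_border(reply)
    return at_asa, outbound(via, reply), via

def reply_accepted(entry_border, client, label):
    """A client only matches a reply coming from the address it connected to."""
    _, reply, _ = round_trip(entry_border, client, label)
    return reply.src == STATIC_NAT[entry_border] and reply.dst == client
```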
01-25-2010 02:48 AM
vtikhorskiy wrote: (the original post above, quoted in full)
Vladimir
Absolutely nothing wrong with your English at all.
The solution you are using is the way to do it, i.e. NAT the incoming source addresses.
The only other thing I can think of is to use PBR on your core switch with the recursive next-hop feature (if it is supported). So traffic going from 172.19.1.250 to the internet has its next-hop set to border1_2821, which would then send it back to the correct router.
Or could you implement PBR on border2_2821 on the inside interface so that any traffic coming in from 172.19.1.250 destined for the internet is sent back out to border1_2821?
Do you think either of these could work for you?
Jon
01-25-2010 04:31 AM
Jon, nice to meet you.
It's a good solution, but
I need to receive traffic for the inside host from two ISPs at the same time.
I think that the only working solution in my infrastructure is ip nat outside source(((((
Another solution is multi-homed Internet access with BGP, but I don't want to receive an ASN.
Also, it works on one router with two WAN cards (one router - 2 ISPs).
But I want to isolate hardware, software and link problems from one device (for example, a DoS attack killing the router and two links at the same time).