Static configuration in ASA

May 3rd, 2010

Hi,

If we need to access a single "inside" server (10.1.1.1/24) from two different static IP addresses from two different ISPs.

For example 10.1.1.1 --> IP1_from_ISP1

also 10.1.1.1 --> IP2_From_ISP2

This is to achieve ISP level redundancy.

Is it possible to have two "static" entries for the same IP? I am not sure, and most likely it is not possible.

Each ISP link is terminated on a separate router. But we have only one firewall (Active + failover, logically a single device). How can we go about this situation? From each ISP we have a pool of 16 static IP addresses.
Do we need additional devices in between the routers and the firewall for source NAT or destination NAT before the traffic hits the firewall outside interface?

What I feel is that we need to source-NAT and also destination-NAT the packets coming from ISP2 before they reach the "outside" of the firewall.

So, for example, a packet reaching the "outside" of the firewall from the ISP2 router will have the same destination IP as the packets arriving from ISP1. This will work fine for our single static entry in the firewall. But now packets from ISP2 are also source-NATed or PATed before reaching the "outside" interface of the firewall.

So when packets come back from the firewall, packets with a particular destination IP will be routed to the ISP2 router; all the rest will be sent to the ISP1 router.

Here is an ISP2 IP packet (first NAT device, say R2):

Source - 2.2.2.2

Destination - 3.3.3.3 (internal server IP address from ISP2's perspective)

First change the destination IP from 3.3.3.3 to 20.20.20.20. (We have a static entry for 20.20.20.20 to 10.1.1.1, the internal server IP, on the ASA.)

In the next device the packet will be (second NAT device, say R3):

source -- 2.2.2.2

destination - 20.20.20.20

Here we change the source IP 2.2.2.2 to 5.5.5.5 and forward the packet to the outside of the firewall.

So the packet on the firewall outside is:

source -- 5.5.5.5

target : 20.20.20.20

When the firewall returns this packet, it will ALWAYS have source 20.20.20.20 and target 5.5.5.5. Thus we can route this traffic to device R3, which will send the packet back to R2 and then to ISP2, with the corresponding NAT and PAT on each router.

For ISP1 there is no need for an additional device in between the router and the firewall.

This seems to be a very lengthy solution.

If there is any other solution, please share your experience.

Thanks

Subodh

Saurabh Kishore Wed, 05/19/2010 - 01:03

Hi Subodh,

Yes, there is a much easier solution to this, via static policy NAT.

Supposing that the internal IP address of the host which should be accessible by two different IP addresses from outside is 192.168.1.1, create two access-lists on the firewall as follows:

access-list isp1 permit ip host 192.168.1.1 any

access-list isp2 permit ip host 192.168.1.1 any

Now we can map this with two static NAT statements (one per mapped public address; the mapped addresses below are placeholders for your ISP1 and ISP2 addresses):

static (inside,outside) <ISP1_public_ip> access-list isp1

static (inside,outside) <ISP2_public_ip> access-list isp2

Along with this you will open the necessary ports on the outside access-list for both the external IP addresses.

This would work. Please follow this link if you didn't get my example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

Please contact me for any further help.
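A worked version of the policy NAT configuration described in this reply, added here as an example and not taken from the reply or the linked Cisco document. It assumes pre-8.3 ASA NAT syntax (where the outside access-list is written against the mapped public addresses) and uses 203.0.113.10 and 198.51.100.10 as placeholder public addresses from ISP1 and ISP2:

```text
! Constructed example, pre-8.3 ASA NAT syntax. Public addresses are placeholders.
! Inside host that must be reachable through both ISPs.
access-list isp1 extended permit ip host 192.168.1.1 any
access-list isp2 extended permit ip host 192.168.1.1 any
!
! One static policy NAT per mapped (public) address. Inbound traffic is
! un-translated according to the mapped address it was sent to, so each ISP's
! public address reaches the same inside host.
static (inside,outside) 203.0.113.10 access-list isp1
static (inside,outside) 198.51.100.10 access-list isp2
!
! Pre-8.3: the outside ACL references the mapped (public) addresses.
! Open only the service the server actually exposes, once per public address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 198.51.100.10 eq 443
access-group outside_in in interface outside
!
! Verification: each public address should show its own translation.
! show nat
! show xlate
```

Replies leave the single outside interface by destination-based routing only (the ASA has no policy-based routing in this release), so traffic sourced from the ISP2 address still reaches the ISP2 router only through the route and NAT arrangement described in the question, or through a second outside interface.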
