Unanswered Question
May 28th, 2010

Hi halijeen / pkampana / all

My customer has 2 routers in front of an ASA, and each router connects to a separate ISP. Each router has its own interface on the firewall, and each interface belongs to a different public IP range. Both routers are running eBGP with their respective ISPs. He's going to introduce an iBGP link between those routers.

He has IP SLA configured for outbound traffic traversing the firewall (with nat and global). The issue is: does he need to mirror all firewall rules for each ISP on the firewall after he puts up BGP?

The 2 ISPs have 2 interfaces on the FW: one is outside (ISP1), the other is backup (ISP2).

Consider that he has a static(inside,outside) for ISP1. Does he need a similar static for the other ISP as well, i.e. static(inside,backup) too? Also, does he need a replica of the access-list with the ISP2 public IP addresses as destinations, applied to the backup interface?

Jennifer Halim Fri, 05/28/2010 - 06:11

Yes, you would also need to configure "static (inside,backup)" for the ISP2 connection, and you would also need to apply an access-list on the backup interface for inbound connections.

Do you own the public IP range, or has it been assigned by each ISP, so that you have 2 different sets of public IP ranges that you assign to each ISP connection for NAT?

If you NAT using your own public IP range, then I guess the ACL will always refer to the same public IP address, so you don't need to reconfigure the ACL. You can just assign the same ACL to the backup interface.

If, however, you are NATing to a different range of public IPs for each ISP, then you would need to manually configure the corresponding public IP ACL for ISP2 and apply it on the backup interface.

Hope that helps.
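As an added illustration of the answer above (not part of the original thread and not the customer's configuration), here is what the mirrored NAT and access-list setup looks like on an ASA running the pre-8.3 nat/global/static syntax that was current in 2010. All addresses are constructed documentation ranges: 203.0.113.0/24 stands in for the ISP1-assigned block on the outside interface, 198.51.100.0/24 for the ISP2-assigned block on the backup interface, and 10.1.1.10 for an internal web server. The SLA-tracked default route mirrors the outbound failover the question mentions; the hosts, ports and next-hop addresses are assumptions.

```cisco
! --- Interfaces (constructed example addressing) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! --- Outbound PAT: one nat statement, one global per ISP-facing interface ---
! Whichever interface the tracked route selects, the matching global applies.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface

! --- Inbound static NAT for the web server, once per ISP interface ---
! Different public ranges per ISP, so the server needs a public address in each.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,backup)  198.51.100.10 10.1.1.10 netmask 255.255.255.255

! --- Inbound ACLs: same rules, but the destination is each ISP's public address ---
! (If you owned one provider-independent block, a single ACL could be applied
!  to both interfaces instead, as the answer notes.)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

access-list BACKUP_IN extended permit tcp any host 198.51.100.10 eq 443
access-list BACKUP_IN extended deny ip any any log
access-group BACKUP_IN in interface backup

! --- Outbound failover: tracked default route via ISP1, floating route via ISP2 ---
! 203.0.113.1 / 198.51.100.1 are the assumed router next hops.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two points worth checking after applying something like this: run `show xlate` and `show conn` during a failover test to confirm that existing inside-initiated sessions are rebuilt through the backup PAT address rather than stranded on the outside one, and review `show access-list` hit counts on BACKUP_IN so that a rule mirrored for ISP2 is actually exercised and not silently shadowed by the trailing deny.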

