Using multiple outside interface on ASA 5520

Answered Question
Aug 23rd, 2010

Hi Moderator,

I have the following query with regards to Firewall.

1) Will global NAT forward the traffic to the respective ISP gateways, i.e. global ID 13 should always forward to 100.X.X.X and 14 to 200.X.X.X, through the default route?

2) In the event the primary internet goes down, what are the challenges? Assuming I have an ISP-independent public IP pool.

Thanks in advance.

S Kumar

*********Config START************************************

interface Gi0/0
description Primary Internet
nameif outside
security-level 0
ip address 100.X.X.X 255.255.255.0
!
interface Gi0/1
description Secondary Internet
nameif outside-2
security-level 0
ip address 200.X.X.X 255.255.255.0

!
interface Gi0/2
description Corporate network
nameif INSIDE
security-level 100
ip address 10.10.10.1 255.255.255.0

route inside 10.10.20.0 255.255.255.0 10.10.10.10 1
route inside 10.10.30.0 255.255.255.0 10.10.10.10 1

!
global (outside) 13 100.X.X.X
global (outside) 14 200.X.X.X

nat (inside) 13 10.10.20.0 255.255.255.0
nat (inside) 14 10.10.30.0 255.255.255.0


route outside 0.0.0.0 0.0.0.0 100.X.X.X
route outside 0.0.0.0 0.0.0.0 200.X.X.X
************Config-END*********************************

Kureli Sankar Mon, 08/23/2010 - 06:54

Kumar,

I believe you meant

route outside-2 0.0.0.0 0.0.0.0 200.X.X.X and not route outside 0.0.0.0 0.0.0.0 200.X.X.X

In either case the ASA can only load balance up to 3 default GW out the SAME interface not out diff. interfaces.

You need to do PBR (Policy Based Routing) using a Layer 3 device on the outside.

Pls. read this thread where I have answered this in the past: https://supportforums.cisco.com/message/894920

You can also do SLA route tracking: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

-KS

sk2317 Mon, 08/23/2010 - 07:15

Hi Kusankar,

Thanks for your reply and correction as follows.

route outside-2 0.0.0.0 0.0.0.0 200.X.X.X

I would like to load balance outbound traffic based on global NAT.

I.e. a few VLANs would use global NAT 13 to forward traffic to OUTSIDE (interface)

and the remaining VLANs would use global NAT 14 to forward traffic to OUTSIDE-2 (interface).

In the event of an outage at the primary ISP, both global NAT 13 and 14 should use the OUTSIDE-2 (interface).

Would this work out practically?

Thanks

Kumar

Kureli Sankar Mon, 08/23/2010 - 07:21

Yes, only in the scenario that I mentioned on the thread link that I enclosed. Pls. read that. You cannot add two default routes on the ASA pointing to two diff. interfaces. It does not work.

                         Outside
                        /
inside---ASA---Router
         |              \
        DMZ              Outside-2

-KS

sk2317 Mon, 08/23/2010 - 08:14

Thanks Kusankar,

Since I have two different public pools, how will it accommodate two IP networks between ASA <-----to------> Router?

As the ASA does not seem to support sub-interfaces or the secondary command.

Thanks,

Kumar

Correct Answer
Kureli Sankar Mon, 08/23/2010 - 08:24

Kumar,

You can use any IP address on the ASA to translate. An interface doesn't have to be configured on the ASA to be able to use the IP block for translation. You can just use a private IP subnet between the ASA and the Router.

Like I discussed on that previous thread, you can use ISP1 block one for all dynamic NAT translations and use ISP2 block IP for all static NAT translations - all on the ASA. Then the router will look at the packet: if it has a source address provided by ISP1 (after translation from the ASA) then it will send the packet via the ISP1 link, and if the packets have the ISP2-provided source address (after translation from the ASA) then it will send the packets via the ISP2 link. This can be configured using PBR - route maps and setting the next hop on the router.

-KS
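An added example (not from the thread or either poster) of the design KS describes, adapted to Kumar's VLAN split: both public blocks used only as translation pools on a single ASA outside interface behind a private link, and the router doing source-based PBR with a tracked ISP1 next hop for the failover asked about earlier. The 192.168.1.0/30 link, the ISP gateway addresses 100.X.X.1 and 200.X.X.1, the ACL and route-map names, and the router's interface numbering are assumptions; 100.X.X.0/24 and 200.X.X.0/24 stand for the two public blocks as in the thread.

```cisco
! ---- ASA (8.2-style syntax, as in the thread) ----
! Assumed: a private /30 between ASA and router; all public blocks are
! used only for translation and never configured on an ASA interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.252
!
! Dynamic pools: VLAN 10.10.20.0/24 -> ISP1 block, 10.10.30.0/24 -> ISP2 block
global (outside) 13 100.X.X.10-100.X.X.20 netmask 255.255.255.0
global (outside) 14 200.X.X.10-200.X.X.20 netmask 255.255.255.0
nat (inside) 13 10.10.20.0 255.255.255.0
nat (inside) 14 10.10.30.0 255.255.255.0
! One default route only, to the router on the private link
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

! ---- Router: steer by translated source address (PBR) ----
ip access-list extended SRC-ISP1-BLOCK
 permit ip 100.X.X.0 0.0.0.255 any
ip access-list extended SRC-ISP2-BLOCK
 permit ip 200.X.X.0 0.0.0.255 any
!
! Track ISP1's gateway (assumed reachable via Gi0/1) so PBR falls back to normal routing when it dies
ip sla 1
 icmp-echo 100.X.X.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map PBR-BY-SOURCE permit 10
 match ip address SRC-ISP1-BLOCK
 set ip next-hop verify-availability 100.X.X.1 10 track 1
route-map PBR-BY-SOURCE permit 20
 match ip address SRC-ISP2-BLOCK
 set ip next-hop 200.X.X.1
!
interface GigabitEthernet0/0
 description Private link to ASA
 ip address 192.168.1.2 255.255.255.252
 ip policy route-map PBR-BY-SOURCE
!
! Default via ISP2 carries ISP1-sourced traffic only while track 1 is down;
! that works only if ISP2 accepts the provider-independent block (Kumar's assumption).
ip route 0.0.0.0 0.0.0.0 200.X.X.1
! Return traffic for both public blocks goes back to the ASA
ip route 100.X.X.0 255.255.255.0 192.168.1.1
ip route 200.X.X.0 255.255.255.0 192.168.1.1
```

The ASA never sees two default routes, which is the limitation KS points out; the choice of egress link is made entirely on the router from the translated source address.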

sk2317 Mon, 08/23/2010 - 10:12

Hi Kusankar,

As said, having configured a private IP between the ASA and the Router, will I be able to terminate Site-to-Site VPN or Remote VPN on the ASA?

Thanks,

Kumar.

Correct Answer
Kureli Sankar Tue, 08/24/2010 - 05:13

So long as the router can translate the ASA's outside interface statically (1-1) to a routable address, I don't see why not.

-KS
