ASA and ISA NLB (different inbound/outbound local IPs)
Here's the logical topology:
(The diagram doesn't appear correctly in the forum: ASA has three interfaces (outside, nlb, primary); ISA has two interfaces (isa nlb, isa primary); isa nlb is connected to ASA nlb; isa primary is connected to ASA primary.)
We want to use the NLB NIC (using a VIP) for inbound requests only and utilize the other "Primary" NIC for outbound traffic (ISA-initiated as well as return traffic) - this is the NLB setup recommended by Microsoft. Thus, the Primary NIC has a higher priority (lower metric) than the NLB NIC on the host. The problem would be the NAT/PAT on the ASA. Would something like this be possible?
!--- For outbound (ISA-initiated traffic from the Primary NIC): policy NAT with PAT to the outside interface address
access-list policy_nat1 extended permit ip host 192.168.3.21 any
nat (primary) 1 access-list policy_nat1
global (outside) 1 interface
What I am curious about is how the ASA would interpret the return traffic from the host. For inbound, the xlate would have been set up between the ASA's outside address and the NLB VIP, but the return traffic would have the Primary NIC's address as the source due to the lower metric. My initial thought was that this would not work, but I currently don't have management access to the ASA and can't test the scenario.
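To make the asymmetric-return question concrete, here is a toy model of a stateful firewall connection table in the style of the ASA. It is an added example, not code from the thread or from Cisco: the only values taken from the post are the host 192.168.3.21 and the interface names outside, nlb and primary; the outside addresses (203.0.113.x), the NLB VIP (192.168.2.20) and the client address are assumptions. It shows why a reply to an inbound NLB session that leaves the host from the Primary NIC matches no connection and is dropped, while ISA-initiated traffic from the same NIC is fine because it opens its own PAT connection.

```python
"""Toy model of an ASA-style connection table for the NLB asymmetric-return case.

Constructed example. Only 192.168.3.21 and the interface names outside/nlb/primary
come from the original post; every other address below is an assumption.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first TCP segment of a new flow


@dataclass
class Firewall:
    static: dict        # static NAT: global (outside) IP -> local IP behind the ASA (the NLB VIP)
    routes: dict        # inside routing table: local IP -> ASA interface that reaches it
    pat_hosts: set      # hosts matched by the outbound policy NAT ACL
    outside_ip: str     # address used for dynamic PAT of outbound flows
    conns: dict = field(default_factory=dict)  # conn key -> translated source "ip:port"
    _pat_ports: count = field(default_factory=lambda: count(1024))

    def from_outside(self, p: Pkt):
        """Outside-initiated packet: untranslate dst through the static xlate, open a conn."""
        local = self.static.get(p.dst)
        if local is None or not p.syn:
            return ("DROP", "no matching xlate or connection")
        # Conn key as the inside host must answer it: src=VIP, sport=dport, dst=client, dport=sport.
        # The reply's source will be translated back to the global address the client used.
        self.conns[(local, p.dport, p.src, p.sport)] = f"{p.dst}:{p.dport}"
        return ("FORWARD", f"{p.src}:{p.sport} -> {local}:{p.dport} out {self.routes[local]}")

    def from_inside(self, p: Pkt):
        """Inside -> outside packet: connection lookup first, NAT rules only for a new flow."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            return ("FORWARD", f"{self.conns[key]} -> {p.dst}:{p.dport} (reply on existing conn)")
        if p.syn and p.src in self.pat_hosts:
            xlated = f"{self.outside_ip}:{next(self._pat_ports)}"
            self.conns[key] = xlated
            return ("FORWARD", f"{xlated} -> {p.dst}:{p.dport} (new PAT conn)")
        # Not a new flow and no conn matches: this is what happens to a reply sourced from the
        # wrong NIC. On a real ASA the equivalent drop reason is tcp-not-syn.
        return ("DROP", f"no connection for {p.src}:{p.sport} -> {p.dst}:{p.dport}")


def scenario():
    """Replay the four packets the post is asking about and return each verdict."""
    fw = Firewall(
        static={"203.0.113.10": "192.168.2.20"},  # ASA outside address -> NLB VIP (assumed)
        routes={"192.168.2.20": "nlb", "192.168.3.21": "primary"},
        pat_hosts={"192.168.3.21"},  # same host as access-list policy_nat1
        outside_ip="203.0.113.11",   # assumed PAT address
    )
    client = "198.51.100.5"  # constructed client address
    results = {}
    # 1. Client SYN to the published address: xlate to the VIP, conn created, sent out the nlb interface.
    results["inbound"] = fw.from_outside(Pkt(client, 40000, "203.0.113.10", 80, syn=True))
    # 2. Reply sourced from the VIP: matches the conn and is translated back.
    results["reply_from_vip"] = fw.from_inside(Pkt("192.168.2.20", 80, client, 40000))
    # 3. Reply sourced from the Primary NIC (lower metric): no conn with that source, dropped.
    results["reply_from_primary"] = fw.from_inside(Pkt("192.168.3.21", 80, client, 40000))
    # 4. ISA-initiated flow from the Primary NIC: hits the policy NAT and gets its own PAT conn.
    results["isa_initiated"] = fw.from_inside(Pkt("192.168.3.21", 51000, "192.0.2.50", 443, syn=True))
    return results


if __name__ == "__main__":
    for name, (verdict, detail) in scenario().items():
        print(f"{name:20s} {verdict:8s} {detail}")
```

The model deliberately ignores NLB's shared cluster MAC and the ASA's per-interface ACLs; the point is only that connection state is keyed on the exact 5-tuple the ASA saw on the way in, so a different source address on the way out is a new, non-SYN flow rather than a reply. A real ASA would additionally need an outbound ACL or NAT exemption covering 192.168.3.21, which is what the policy NAT in the post provides for ISA-initiated traffic.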
Re: ASA and ISA NLB (different inbound/outbound local IPs)
Network Load Balancing allows using multiple servers for failover and load balancing. The balancing occurs at the NIC on the server. On the servers, you assign a unique IP to the NIC and the web site on each server. Then you configure the NIC to use NLB. Once you do that, it creates an arbitrary MAC address which is assigned an IP address that represents both servers. It is that address that is NATed at the ASA.