ASA in active/standby mode with dual ISPs in active active topology
Hello, I have the following topology: 2x ASA5525-X in active/standby with dual ISPs, and under normal conditions I want to send guest traffic out ISP1 and corp traffic out ISP2. I am proposing to use a port channel between the ASA outside interface and the DMZ switch which will carry VLANs 10 and 20, which will connect to ISP1 and ISP2. I will use SVI interfaces on the ASA. This way I believe I can have 2x equal-cost default routes, one to each ISP, and do some round-robin load balancing of outbound traffic. Is that correct, since I am using one single physical interface?
If I NAT the guest subnet to a public IP address from ISP1 then this, by the default behaviour, will force traffic to use ISP1 interface for outbound traffic and return traffic should naturally flow back via ISP1 since the source is a public address from this ISP.
My question is how would the ASA handle this in a failure situation if ISP1 went down? Is there a way to have a second NAT statement that NATs the guest subnet to a public address from ISP2 in the event of ISP1 going down? Or if not how can failover be achieved with this design?
FYI, we have no Provider Independent address space to work with.
Hi Vibhor, and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR, but I thought with the new code you could do some policy NAT that could help influence the outbound flow?
So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?
My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to ISP1 has an IP address from the same public address space?
In my design, I will be creating a port channel on the ASA with interfaces 0/1 and 0/2 as members. This will connect to the DMZ switch. The port channel will carry VLANs 10 and 20. VLAN 10 will connect to ISP1 and VLAN 20 to ISP2. I will create SVIs 10 and 20 on the ASA and assign them a public IP from each ISP. So int vlan 10 will be the ISP1 public IP and int vlan 20 will be the ISP2 public IP.
I will have 2x default routes with the same cost. I believe this works since they are connected to the same physical interfaces?
So would the EEM script work if the same physical interface is being used for both ISPs? Or can we remove the default route if IP SLA stops working for ISP1 and tell the ASA to now route all traffic out via ISP2 (using the routing table rather than NAT to decide)?
Hi, yes, I am hoping to achieve redundancy, but I am not sure how I can achieve that. Is there any option to track ISP1 and, if it fails, use a secondary policy NAT for guests which will NAT to the ISP2 address space?
Or, if ISP1 went down, can the ASA decide to use the routing table to choose the egress interface rather than being influenced by the NAT statement? This way traffic will be routed out via ISP2, since the default route to ISP1 will be removed due to tracking and IP SLA.
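An added configuration sketch of the design discussed in this thread (not the original poster's or any reply's configuration). Assumptions: ASA 9.x with nameifs `inside`, `outside1` (ISP1) and `outside2` (ISP2); 198.51.100.0/24 and 203.0.113.0/24 stand in for the two ISP-assigned public blocks, with .1 as each ISP gateway; the guest subnet is 192.168.0.0/22 and corp is 10.0.0.0/8 as in the posts. Subinterfaces on the port channel take the place of the SVIs mentioned above. Each subnet gets two NAT objects, one per outside interface, so that a matching translation exists for whichever (inside, outside) pair the packet ends up on; ISP1 is tracked with IP SLA and its default route is withdrawn on failure. Whether the NAT rule or the routing table wins when choosing the egress interface (the question this thread is asking) should not be taken on faith: run packet-tracer before and after the ISP1 SLA target becomes unreachable and confirm the interface and the translation it reports.

```cisco
! Added example, not from the thread. All addresses are placeholders.
!
! Physical members of the port channel towards the DMZ switch
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
! Port channel carries VLAN 10 (ISP1) and VLAN 20 (ISP2); the
! subinterfaces play the role of SVIs on the ASA. Each ISP must
! supply at least an active and a standby address for the pair.
interface Port-channel1
 no nameif
 no security-level
 no ip address
interface Port-channel1.10
 vlan 10
 nameif outside1
 security-level 0
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
interface Port-channel1.20
 vlan 20
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! Track reachability of the ISP1 gateway, sourced from the ISP1 subinterface
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! ISP1 is the default route only while track 1 is up; the floating
! route via ISP2 is installed when the tracked route is withdrawn
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Guest (192.168.0.0/22): PAT to the ISP1 interface address, with a
! second object so the (inside,outside2) pair also has a translation.
! Object NAT allows one nat line per object, hence two objects.
object network GUEST_NET_ISP1
 subnet 192.168.0.0 255.255.252.0
 nat (inside,outside1) dynamic interface
object network GUEST_NET_ISP2
 subnet 192.168.0.0 255.255.252.0
 nat (inside,outside2) dynamic interface
!
! Corp (10.0.0.0/8): PAT to the ISP2 interface address, backup via ISP1
object network CORP_NET_ISP2
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside2) dynamic interface
object network CORP_NET_ISP1
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside1) dynamic interface
!
! Verification: which interface and which translation a guest and a
! corp host actually get, with ISP1 up and again with it down
! (192.0.2.10 is an arbitrary Internet destination placeholder)
packet-tracer input inside tcp 192.168.0.10 40000 192.0.2.10 80
packet-tracer input inside tcp 10.1.1.10 40000 192.0.2.10 80
show track 1
show route
show nat detail
```

Two caveats a practitioner would want here. First, with only one default route installed at a time, corp traffic leaves via ISP2 under normal conditions only if the NAT rule is what picks the egress interface on your release; if packet-tracer shows the routing table winning, corp will follow guest out ISP1 and you need a different steering mechanism (two installed routes, or a release that supports PBR). Second, failover of the corp flow back to ISP1 only happens if ISP2's route is also tracked or if its interface goes down; the sketch above tracks ISP1 only, as the thread asked.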