Cisco ASA dual ISP

Ashley Sahonta
Level 1

Hi,

I have a scenario where a customer is looking at two ASAs in active/standby and using two ISPs, each with different subnets. ISP A is used as the default route out to the internet and ISP B is used as a backup; however, traffic is still able to come from outside to inside via ISP B.

What I want to confirm is that, if traffic is initiated from the outside from ISP B to inside, will the connection table know that the return traffic should go back out through ISP B, or will the return traffic use the default route out through ISP A?

Thanks,

Ash

6 Replies

That will work. You can use incoming (!) connections through the backup ISP. Outgoing connections can also work with dirty tweaks in NAT, but I wouldn't use that. But incoming is ok.


Ashley Sahonta
Level 1

Are you saying that incoming traffic from the backup ISP will go back out the backup ISP interface?

Do you know of any cisco docs that will confirm this?


Are you saying that incoming traffic from the backup ISP will go back out the backup ISP interface?

Yes, at least if you NAT your traffic as the translation-decision comes before routing.

Do you know of any cisco docs that will confirm this?

Not directly. It could be read from the order-of-operation documentation. And I use it that way on different deployments. You could also search the forum, that topic shows up from time to time.


Hi,

The Configuration Guide lists some information related to the routing decision.

Most of it mentions only the part where an inbound connection to an IP address that has a NAT configuration is forwarded according to the NAT configuration.

The last section would to my understanding mean that the NAT configuration determines that the return traffic is also forwarded correctly.

For outbound connections from the same host, to my understanding, the routing table would be referenced for the forwarding decision, as there is no NAT for the destination addresses (presumably) which would affect the situation.

Egress Interface Selection Process

The selection process follows these steps:

1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.

2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

3. If a destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The ASA processes this packet by looking up the route to select the egress interface, then source IP translation is performed (if necessary).

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.

- Jouni
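To make the three-step order quoted above concrete for the dual-ISP question, here is a small model of that selection process (existing xlate, then static translation, then routing table) run over the thread's scenario. This is an added illustration, not ASA code or anything from the configuration guide; the interface names, addresses, routes and the static NAT rule are all constructed, and the xlate entry is modelled as a record of the inbound connection's peer so that only return traffic for that connection, not a new outbound connection from the same host, bypasses the routing table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: default route via ISP A, ISP B only reaches its own block.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "outside_ispB"),
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside_ispA"),      # default route via ISP A
]

@dataclass
class StaticNat:
    real_ip: str      # inside server address
    real_ifc: str
    mapped_ip: str    # public address taken from ISP B's subnet
    mapped_ifc: str

# Constructed static NAT: ISP B public address -> inside server.
STATIC_NAT = [StaticNat("192.168.1.10", "inside", "203.0.113.10", "outside_ispB")]

@dataclass
class Xlate:
    """Translation created by an inbound connection; peer_ip is the outside client."""
    rule: StaticNat
    peer_ip: str

def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES, returning the egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def select_egress(src_ip, dst_ip, xlates):
    """Return (egress interface, step that decided it) for one packet."""
    # Step 1: an existing xlate decides, in either direction, before routing is consulted.
    for x in xlates:
        if dst_ip == x.rule.mapped_ip and src_ip == x.peer_ip:   # inbound packet
            return x.rule.real_ifc, "xlate"
        if src_ip == x.rule.real_ip and dst_ip == x.peer_ip:     # return packet
            return x.rule.mapped_ifc, "xlate"
    # Step 2: a matching static translation picks the interface and creates the xlate.
    for rule in STATIC_NAT:
        if dst_ip == rule.mapped_ip:
            xlates.append(Xlate(rule, src_ip))
            return rule.real_ifc, "static"
    # Step 3: no destination translation, so the routing table decides
    # (source translation, if any, would happen after this lookup).
    return route_lookup(dst_ip), "route"
```

Run in order, an inbound connection from a constructed client 198.51.100.5 to 203.0.113.10 is forwarded to inside by the static rule, its reply from 192.168.1.10 leaves via outside_ispB from the xlate rather than via the default route, while a new outbound connection from another inside host follows the default route to ISP A.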

Could you link me to the section of the configuration guide that states this?

Hi,

If you mean the section I mentioned above then that can be found here for example

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1095679

I think I will lab this today after work just to confirm this behaviour as I have never had the need to configure 2 ISP links on the ASA directly. I have always used separate routers.

- Jouni
