12-17-2011 06:13 AM - edited 03-11-2019 03:03 PM
Hi,
Background - I have an ASA which is connected to 2 internet service providers. Both providers have their respective public IP addresses configured on two different physical interfaces. I NAT the Inside zone proxy to one of the provider interfaces for browsing purposes.
Requirement - There should be an automatic switchover of the proxy from one provider to another when the configured NAT provider fails.
I have gone through the following page http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
As per this configuration, what I understand is that users will have to re-establish the session because the PAT address will change to that of the backup interface, and entries in the state table will be of no use as a different global address will come into the picture.
Is my understanding correct? If it is correct, what is a solution to this problem?
Also, in the real world, if I take a 20.20.20.0/28 subnet from ISP1, can I use the IPs from the same subnet to assign an address to the interface connecting to the backup ISP?
Sorry in advance if I am not clear with my question
Thanks in advance
Cheers
12-17-2011 06:42 AM
First of all, you cannot use a subnet provided by one ISP and routed by another. For this purpose only BGP comes into play, which is not supported on ASA.
In the link mentioned by you, yes, sessions need to re-establish once there is a failure on the primary link.
We have mentioned match any 0.0.0.0 from inside, which means whichever (primary or backup) interface is forwarding traffic with PAT will be using the interface IP of the ISP.
Thanks
Ajay
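As an added illustration (not from the original thread, Ajay's post, or the linked Cisco document), the following ASA configuration fragment shows the arrangement Ajay describes: one NAT ID on the inside interface paired with a `global ... interface` PAT statement on both provider interfaces, with SLA tracking withdrawing the primary default route when the ISP1 gateway stops answering. Interface names, gateway addresses and the 203.0.113.0/24 and 198.51.100.0/24 provider ranges are constructed placeholders (RFC 5737 documentation space), and the pre-8.3 `nat`/`global` syntax is assumed for the ASA version in use at the time of the thread.

```cisco
! --- constructed example: ISP1 on "outside", ISP2 on "backup" ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.240
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.240
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

! Probe the ISP1 gateway (placeholder address); if three consecutive
! echoes fail, track 1 goes down and the primary default route is removed.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

! Primary default route is conditional on the track; backup has a worse metric.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! One NAT ID, one PAT pool per provider interface. Whichever interface the
! active default route points to supplies the source address, so the same
! inside hosts are translated to 203.0.113.10 before failover and to
! 198.51.100.10 after it. Existing translations and their state-table
! entries were built with the old global address and cannot be carried over,
! which is why clients must re-establish sessions after a switchover.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Two checks are worth making when deploying something like this. `show track 1` and `show route` confirm which default route is active, and `show xlate` after a forced failover shows the translations being rebuilt on the backup interface rather than surviving the switch. Pick an SLA target that belongs to the provider path you are protecting (the ISP gateway or a host beyond it), not an address reachable over either link, or the track will never fall and the route will never move.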
12-17-2011 12:37 PM
To add to Ajay's correct posting - even if you had an external router to handle the BGP and the agreement from the provider who has assigned you your /28, you could not use the first provider's assigned netblock with a second provider since it is smaller than a /24 - the smallest allowed portable block.
If you were to acquire a provider-independent /24 assigned directly to you from your provider or RIR (ARIN, RIPE, APNIC, etc.) you could potentially use that (still requiring an external router). However it is unlikely that you could get a new one assigned since the /28 suffices for your hosts at this point.
As you describe it now, if you lose a provider, you will lose all your sessions, even under best practices and best possible configuration scenario.
One alternative may be to inquire about redundant service from your preferred provider. Depending on your location's service options, this may be possible. You would need to be diligent in ensuring that the redundancy is adequate to protect your connectivity (e.g., different upstream devices, diverse connections into your building, etc.). In such a service scenario, your provider may be able to retain your IP space and manage routing to you dynamically.
Hope this helps.