10-30-2014 08:42 AM - edited 03-11-2019 10:00 PM
Hello
See the diagram for the topology.
Currently I have a single Internet link. NAT is done in my ASA 5520.
I am moving to dual Internet links.
NAT will be done in the ASA 5545-X on the side labeled Site_1 for internal DMZ servers (services).
The NATed subnet range will be advertised out both the Site_1 and Site_2 Internet links via BGP.
AS path prepending will be used on Site_2 to make Site_1 the more preferred path.
My ASRs have HSRP across the DMZ trunk between the sites, and failover has been tested and verified.
Goal: - "No single point of failure"
Problem requiring a solution: alternate NAT on the Site_1 ASA
If the Internet link goes down but the ASA remains up at Site_1:
- NAT still occurs.
- HSRP will fail over and we are good to go.
- Traffic will cross the DMZ link between the switches.
- Traffic going out will be secured by the HSRP config.
If the DMZ switch at Site_1 is lost:
- Then the outside interface of the ASA at Site_1 is also lost.
- NAT can still occur, but traffic will have to be sent across the L3 link between the Nexus devices.
- NATed IPs are then sent back into the Nexus for routing across the Nexus L3?? This does not sound correct!!
- EIGRP statement in the ASA at Site_1 (network = NATed subnet 170.x.203.0) will advertise down to the Nexus at Site_1.
- EIGRP on the Nexus at Site_1 will advertise the 170.x.203.0 network to the Nexus at Site_2.
- The Nexus at Site_2 will advertise this up to the Site_2 ASA.
If the ASA at Site_1 is completely lost, both primary and secondary:
How would internal services living at Site_1 get NATed at all?
- IP SLA statement in the Nexus to redirect.
IP SLA will monitor the outside IP address of the local ASA. If that IP address is no longer accessible,
then use the L3 IP address of the neighbor Nexus.
Is there a way to have an alternate NAT / secondary NAT solution on the Site_2 ASA that will still be recognized by external users?
Is there a way to account for business partners who have firewall rules allowing our current NATed subnet?
Basically, if the DMZ subnet 172.x.x.x IP addresses that currently reside on the Site_1 Nexus come into the Site_2 ASA,
will they then be NATed to 170.x.x?
Is it possible to have "weighted" NAT on separate ASAs for the same external subnet?
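The IP SLA redirect the post sketches (probe the local ASA, fall back to the inter-site L3 link when the probe fails) can be expressed on the Site_1 Nexus as below. This is an added illustration by the editor, not configuration from the original post or from Cisco; every address, interface name and object number is an assumption chosen for the example: 203.0.113.1 stands in for the Site_1 ASA address being probed, Vlan100 for the Nexus interface facing that ASA, 10.1.0.1 for the ASA inside address used as the normal default next hop, and 10.255.0.2 for the far end of the L3 link to the Site_2 Nexus.

```text
! Site_1 Nexus (NX-OS) - added example, all values assumed
feature sla sender

! Probe the Site_1 ASA address named in the post every 5 seconds
ip sla 10
  icmp-echo 203.0.113.1 source-interface Vlan100
  frequency 5
  timeout 2000
  threshold 2000
ip sla schedule 10 life forever start-time now

! Track object follows probe reachability; dampen flaps before switching routes
track 10 ip sla 10 reachability
  delay up 30 down 10

! Normal default route via the local ASA, installed only while track 10 is up
ip route 0.0.0.0/0 10.1.0.1 track 10

! Floating default route across the inter-site L3 link (AD 250) toward the
! Site_2 Nexus; becomes active only when the tracked route is withdrawn
ip route 0.0.0.0/0 10.255.0.2 250
```

Two points a practitioner should check before relying on this. First, the track object only moves routing: when the floating route takes over, internal 172.x.x.x traffic arrives at the Site_2 ASA with no knowledge of the 170.x.203.0 translations held on the Site_1 ASA, which is exactly the open question in the post and is not solved by the probe itself. Second, the ASA will not answer ICMP sent to one of its interface addresses from a host on a different interface, so probing the ASA outside address from the inside-facing Nexus interface will fail even when the ASA is healthy; the tracked target should be an address the ASA will actually respond to from that side (its inside interface address) or a reachable address beyond it.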
10-31-2014 06:31 AM
Does anyone have any guidance on this complex design scenario?