! CBAC inspection rule set applied on every interface below
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW https
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW imap
ip inspect name FW bootpc
ip inspect name FW bootps
ip inspect name FW ms-sql
ip inspect name FW ftp
ip inspect name FW ipsec-msft
ip inspect name FW isakmp
!
! Primary ISP uplink (interface header is missing from the post; GigabitEthernet0/1 is
! inferred from route-map METRO and the HSRP tracking below)
interface GigabitEthernet0/1
 ip address 22.214.171.124 255.255.255.240
 ip nat outside
 ip inspect FW in
 ip inspect FW out
 ip access-group METRO_IN
!
! Secondary ISP uplink (interface header is missing from the post; GigabitEthernet0/0 is
! inferred from route-map SHDSL and the HSRP tracking below)
interface GigabitEthernet0/0
 description SECONDARY_ISP
 ip address 126.96.36.199 255.255.255.240
 ip nat outside
 ip inspect FW in
 ip inspect FW out
 ip access-group ACL_GSHDSL_IN
!
! Inside (LAN) interface: HSRP group 1 shared with the other router
interface FastEthernet0/0/0
 ip address 192.168.100.6 255.255.255.0
 ip nat inside
 ip inspect FW in
 ip inspect FW out
 standby 1 ip 192.168.100.5
 standby 1 priority 115
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 5
 standby 1 track GigabitEthernet0/0 5
!
! Static NAT for published servers (present on both routers as posted)
ip nat inside source static 192.168.2.175 188.8.131.52
ip nat inside source static 192.168.2.177 184.108.40.206
ip nat inside source static 192.168.2.178 220.127.116.11
ip nat inside source static 192.168.2.179 18.104.22.168
ip nat inside source static 192.168.2.75 22.214.171.124
ip nat inside source static 192.168.2.77 126.96.36.199
ip nat inside source static 192.168.2.78 188.8.131.52
ip nat inside source static 192.168.2.79 184.108.40.206
!
! Outbound PAT, one overload rule per uplink, selected by route-map
ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0 overload
!
route-map METRO permit 10
 match ip address ACL_METRO
 match interface GigabitEthernet0/1
!
route-map SHDSL permit 10
 match ip address ACL_SHDSL
 match interface GigabitEthernet0/0
!
ip access-list extended ACL_METRO
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
ip access-list extended ACL_SHDSL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
! Uplink reachability probes that condition the two default routes
ip sla 1
 icmp-echo 220.127.116.11
 threshold 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 3
 icmp-echo 18.104.22.168
 threshold 2000
 frequency 5
ip sla schedule 3 life forever start-time now
!
track 100 ip sla 1 reachability
track 300 ip sla 3 reachability
!
! Floating default routes: primary (AD 10) via METRO, backup (AD 20) via SHDSL
ip route 0.0.0.0 0.0.0.0 22.214.171.124 10 track 100
ip route 0.0.0.0 0.0.0.0 126.96.36.199 20 track 300
I'm not sure why the inspection works only if I applied both inbound and outbound on the same interface.
Actually, I don't intend to inspect the incoming traffic from the Internet, only the outbound traffic... but if I only apply the inspection in one direction, it won't work (not sure if it's a bug or something)...
That's a good point that I need to figure out... besides that... do you think that having the inspection for the two ISP connections could be causing the problem for the incoming traffic?
I think I've found the problem (not 100% sure yet)...
Traffic to the Internet is working fine through the HSRP active router (either the primary or secondary).
But incoming traffic from the Internet to the servers was the problem.
So, I started to see a lot of duplicate IP address messages on both routers (there are no duplicate addresses)...
What is happening is that traffic coming from the Internet could enter either router to reach the servers... For instance, I have the following static NAT on both routers:
Router(config)# ip nat inside source static 192.168.2.175 188.8.131.52
So, when clients from the Internet try to reach that server, they can reach it via both routers... I'm not running BGP with my ISPs or controlling how the traffic enters the network (solely based on DNS). Since both routers have the same static NAT (even though one is the active HSRP one), traffic could enter via both routers.
And there's my problem. As soon as I removed the static NAT statements from the secondary router, everything works perfectly on the primary one.
My question then is... how do I get two routers receiving two ISPs (having one as active HSRP) but controlling how the incoming traffic is handled? Or perhaps not controlling the incoming traffic? But how do I make this work?
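The following is an added example, not the poster's running configuration or a Cisco reply. It contrasts the setting described in the post (the same static NAT entry active on both routers, so either router will translate 188.8.131.52 the moment a packet for it arrives) with the IOS stateless NAT failover option, which binds a static translation to an HSRP group so that only the router currently HSRP active installs it. The HSRP group name HSRP-NAT, and the choice of the server/global pair quoted in the post, are assumptions for illustration; everything else uses the interface and addresses already in the posted configuration.

```cisco
! Added example (not the poster's config). Assumes HSRP group 1 on the inside
! interface is named HSRP-NAT; the server/global pair is the one quoted in the post.
!
! --- As posted: identical static NAT on BOTH routers ---
! Each router translates 188.8.131.52 independently of its HSRP state, so the
! standby router also accepts and translates inbound sessions for the server.
ip nat inside source static 192.168.2.175 188.8.131.52
!
! --- Alternative: tie the static translation to the HSRP group ---
! Configured identically on both routers. The translation is installed only on
! the router that is HSRP active for group 1 and is withdrawn when it becomes
! standby, so only one router answers for the global address at a time.
interface FastEthernet0/0/0
 ip address 192.168.100.6 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.100.5
 standby 1 priority 115
 standby 1 preempt
 standby 1 name HSRP-NAT
!
ip nat inside source static 192.168.2.175 188.8.131.52 redundancy HSRP-NAT
!
! Verification (enable mode): the entry should be present on the active router
! and absent on the standby.
!   show standby brief
!   show ip nat translations | include 192.168.2.175
```

Two caveats a practitioner would want before relying on this. It is stateless: no translation table is replicated, so sessions that were open through the old active router break on failover, exactly as they would today. And it only stops the two routers from claiming the same global address at the same time; it does nothing to steer which ISP the Internet uses to reach a server, which, as the post says, is still decided by DNS.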