I suspect this is relatively simple, but I'm brand new to the Cisco line (and to the forums), so my apologies if I'm unclear or in violation of forum etiquette.
I have an ASA5515 which will be using 2 external interfaces, and I need to make a single internal server available to the outside world on both interfaces. I can accomplish this easily for the main external interface (the faster circuit), but I'm running into issues getting connections through on the backup circuit. Here's the interface configuration:
ip address 10.177.188.22 255.255.255.248
ip address 10.131.225.158 255.255.255.240
ip address 192.168.2.250 255.255.255.0
I'd like outside (internet) users to be able to make an HTTP request on port 80 to 10.131.225.146, which comes in GigabitEthernet 0/1, gets translated to the internal web server at 192.168.2.1:80, and then any response traffic leaves GigabitEthernet 0/1, looking to the user like it originated from 10.131.225.146.
Additionally, I'd like the same user to be able to make an HTTP request on port 80 to 10.177.188.18, which comes in GigabitEthernet0/0, goes through the above translation, and then response packets exit via GigabitEthernet0/0.
I've been able to get most of the above working, but when working on the NAT rule for the backup side, packet-tracer tells me that my NAT is fine (it NATs the packet from 192.168.2.1:80 to 10.177.188.18:80), but it wants to then route that packet through the outside interface (GigabitEthernet0/1).
While I've been able to find many references to this on-line (such as this blog post), they all appear to be outdated, using pre-8.3 syntax.
I suspect I'm close on this, but I can't seem to get that last piece to make everything 'click'. Any help would be greatly appreciated.
Karsten, thank you for your quick response. I did have an opportunity to try the settings above and while they appeared to work for requests originating from a laptop acting as the gateway on the backup interface, I lost that connectivity when I connected that interface to the connection from our ISP and tried the same requests from a true, public IP.
I've currently got the server in question responding to requests from both public IPs through a combination of separate firewalls and segregated VLANs. I plan to make some DNS changes and let them propagate to get all traffic over to the outside interface, allowing me to play with the backup interface without taking services down.
I'll follow up once I have a little more freedom to do real testing.
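The setup described in the question, written in post-8.3 object NAT syntax as an added example; it is not configuration from this thread or from Cisco. The nameifs `inside` and `backup`, the object and ACL names, the gateway placeholders and the test source address are assumptions, while `outside` and the server and public addresses come from the post.

```cisco
! Added example. Assumed: nameifs "inside" and "backup", object/ACL names,
! the <...> gateway placeholders. Taken from the post: "outside" and the
! 192.168.2.1, 10.131.225.146 and 10.177.188.18 addresses.
!
! Object NAT allows one nat statement per object, so the same real host
! is defined once per egress interface.
object network WEB-VIA-OUTSIDE
 host 192.168.2.1
 nat (inside,outside) static 10.131.225.146 service tcp www www
object network WEB-VIA-BACKUP
 host 192.168.2.1
 nat (inside,backup) static 10.177.188.18 service tcp www www
!
! From 8.3 on, interface ACLs match the server's real (untranslated)
! address, not the public one. Only TCP/80 to the one host is opened.
access-list OUTSIDE-IN extended permit tcp any host 192.168.2.1 eq www
access-list BACKUP-IN extended permit tcp any host 192.168.2.1 eq www
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface backup
!
! Replies on an established connection leave by the interface the
! connection arrived on, but the ASA still needs a route on that
! interface to pick a next hop. A floating default with a higher metric
! supplies one without displacing the primary default route.
route outside 0.0.0.0 0.0.0.0 <outside-gateway> 1
route backup 0.0.0.0 0.0.0.0 <backup-gateway> 254
!
! Exec-mode check of the inbound direction (198.51.100.10 is a
! constructed documentation address standing in for an internet client).
! Tracing a new flow sourced from the server tests outbound routing
! instead, which follows the primary default route.
packet-tracer input backup tcp 198.51.100.10 12345 10.177.188.18 80
```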