We need to access a single "inside" server (10.1.1.1/24) through two different static IP addresses from two different ISPs.
For example 10.1.1.1 --> IP1_from_ISP1
also 10.1.1.1 --> IP2_From_ISP2
This is to achieve ISP level redundancy.
Is it possible to have two "static" entries for the same IP? I am not sure, and most likely it is not possible.
Each ISP link is terminated on a separate router, but we have only one firewall (active + failover, logically a single device). How can we go about this situation? From each ISP we have a pool of 16 static IP addresses. Do we need additional devices between the routers and the firewall for source NAT or destination NAT before traffic hits the firewall outside interface?
What I feel is that we need to source_NAT and also Dest_NAT the packets coming from ISP2 before they reach the "outside" of the firewall.
So, for example, a packet reaching the "outside" of the firewall from the ISP2 router will have the same destination IP as packets arriving from ISP1. This will work fine for our single static entry in the firewall. But now packets from ISP2 are also source_NATed or PATed before reaching the "outside" interface of the firewall.
So when packets are coming back from the firewall, packets with a particular destination IP will be routed to the ISP2 router; all remaining packets will be sent to the ISP1 router.
Here are the ISP2 IP packets (first NAT device, say R2):
Source - 220.127.116.11
Destination - 18.104.22.168 (internal server IP address from ISP2 perspective)
First change the destination IP from 22.214.171.124 to 126.96.36.199 (we have a static entry for 188.8.131.52 to 10.1.1.1, the internal server IP, on the ASA).
In the next device the packet will be (second NAT device, say R3):
source -- 184.108.40.206
destination - 220.127.116.11
Here we change source IP 18.104.22.168 to 22.214.171.124 and forward the packet to the outside of the firewall.
So the packet on the firewall outside is:
source -- 126.96.36.199
target : 188.8.131.52
When the firewall returns this packet it will ALWAYS have source as 184.108.40.206 and target as 220.127.116.11. Thus we can route this traffic to device R3, which will send the packet back to R2 and then to ISP2 with corresponding NAT and PAT on each router.
For ISP1 there is no need for an additional device in between the router and the firewall.
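
The double-NAT path proposed in the post, traced end to end as an added example (not part of the original post, and not device configuration). All addresses are constructed documentation ranges rather than the values above, and the function and class names are hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed documentation addresses, not the values from the post.
IP1_ISP1 = "192.0.2.10"    # public IP from ISP1; the single ASA static maps it to SERVER
IP2_ISP2 = "203.0.113.10"  # public IP from ISP2; destination-NATed on R2
R3_PAT = "172.16.0.3"      # assumed address R3 uses for source PAT
SERVER = "10.1.1.1"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class R3Pat:
    """Source PAT on R3, with the table needed to reverse replies."""
    def __init__(self):
        self.table = {}  # PAT port -> (original source IP, original source port)
        self.next_port = 20000
    def outbound(self, p):  # request heading to the firewall outside interface
        port = self.next_port
        self.next_port += 1
        self.table[port] = (p.src, p.sport)
        return replace(p, src=R3_PAT, sport=port)
    def inbound(self, p):  # reply from the firewall; KeyError if no session exists
        src, sport = self.table[p.dport]
        return replace(p, dst=src, dport=sport)

def r2_dnat(p):  # R2: ISP2 public IP -> the IP the ASA static already knows
    return replace(p, dst=IP1_ISP1) if p.dst == IP2_ISP2 else p
def r2_reverse(p):  # R2: restore the ISP2 public IP on replies
    return replace(p, src=IP2_ISP2) if p.src == IP1_ISP1 else p
def asa_in(p):  # ASA static, outside -> inside
    return replace(p, dst=SERVER) if p.dst == IP1_ISP1 else p
def asa_out(p):  # ASA static, inside -> outside
    return replace(p, src=IP1_ISP1) if p.src == SERVER else p
def asa_next_hop(p):  # outside routing: only the PAT address goes to R3
    return "R3" if p.dst == R3_PAT else "ISP1-router"

def round_trip_via_isp2(client_ip, client_port, r3):
    req = Packet(client_ip, client_port, IP2_ISP2, 443)
    at_server = asa_in(r3.outbound(r2_dnat(req)))
    reply = asa_out(Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport))
    hop = asa_next_hop(reply)
    return at_server, hop, r2_reverse(r3.inbound(reply))
```

In this trace the packet that reaches the server carries R3's PAT address as its source, so firewall and server logs for ISP2-path connections no longer show the original client IP.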