10-18-2010 07:03 AM - edited 03-11-2019 11:55 AM
Hi,
I have a Cisco ASA 5520 with static NAT for a web server. I
Is it possible to set up the ASA 5520 with dual ISP + static NAT for the web server?
Regards
Alessio
10-18-2010 07:14 AM
You can.
You can have 2 statics for the 2 ISP links. They will be
static (inside,isp1) zzz yyyy
static (inside,isp2) xxx yyyy
And of course you will need SLA monitoring to fall back between ISPs in case of failures.
I hope it helps,
PK
10-18-2010 07:16 AM
Hi,
If I understand correctly, you want to have a static NAT on both your ISPs for that web server and also have a dual ISP config? Please correct me if I am wrong. If I am correct with the above problem description, then all you would need to do is to create a static NAT for the second ISP link, but make sure that it is entered after the existing NAT statement for the primary ISP link. This is necessary as the order of the static statements in the xlate table makes a difference.
10-18-2010 07:45 AM
You don't need them to be in order. The right static is going to be chosen based on route lookup.
For SLA monitoring you need http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml. When ISP1 goes down, the ISP2 route will be used and the translations will be using the ISP2 static.
Note that you will have one default route at a time, but when one goes down the other is going to kick in.
I hope it makes sense.
PK
10-18-2010 08:14 AM
Thanks for your support, you were very helpful
Alessio
10-18-2010 08:28 AM
No problem.
Please mark this one as solved, if it is, so that others can benefit in the future.
Rgs,
PK
10-21-2010 01:37 PM
Thanks for this nice trick. However, what happens if both links are up, and a client accesses the web server via the IP address of the backup interface? What route will the ASA use in this case? (The default route will point to ISP1, and the client request will come through ISP2.)
10-21-2010 02:38 PM
You have 2 routes. The high priority route is chosen while it is up. You only fall back to the low priority when the primary is removed because it failed. So, if the high priority is up, it is preferred. Here is the guide that explains it: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
I hope it is clear.
PK
10-22-2010 12:20 AM
Thanks for the answer, PK.
Unfortunately I wasn't clear enough. I was talking about outbound traffic from the server to the client (for example - server replying to client's request for web page). But your answer was clear. If both links are up, reply will go over default route (ISP1), not over the backup link (ISP2), right?
Thanks again.
mirko
10-22-2010 06:45 AM
Yes.
To explain it better, if the inbound request is coming in ISP2 and ISP1 route is up the response will go out ISP1 and you will have asymmetric routing issues. In other words, you can't use ISP1 and 2 at the same time, ISP2 will be used only when 1 is down.
I hope it makes sense.
PK