
Static nat + dual isp

vannucchim
Level 1

Hi,

I have a Cisco ASA 5520 with static NAT for a web server. I

Is it possible to set up the ASA 5520 with dual ISP + static NAT for the web server?

Regards

Alessio


Panos Kampanakis
Cisco Employee

You can.

You can have 2 statics for the 2 ISP links. They will be

static (inside,isp1) zzz yyyy

static (inside,isp2) xxx yyyy

And of course you will need SLA monitoring to fall back between ISPs in case of failures.

I hope it helps,

PK

nseshan
Level 1

Hi,

If I understand correctly, you want to have a static NAT on both your ISPs for that web server and also have a dual ISP config? Please correct me if I am wrong. If I am correct with the above problem description, then all you would need to do is to create a static NAT for the second ISP link, but make sure that it is entered after the existing NAT statement for the primary ISP link. This is necessary as the order of the static statements in the xlate table makes a difference.

You don't need them to be in order. The right static is going to be chosen based on route lookup.

For SLA monitoring you need http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml. When ISP1 goes down, the ISP2 route will be used and the translations will be using the ISP2 static.

Note that you will have one default route at a time, but when one goes down the other is going to kick in.

I hope it makes sense.

PK

Thanks for your support, you were very helpful

Alessio

No problem.

Please mark this one as solved, if it is, so that others can benefit in the future.

Rgs,

PK

Thanks for this nice trick. However, what happens if both links are up, and a client accesses the web server via the IP address of the backup interface? What route will the ASA use in this case? (The default route will point to ISP1, and the client request will come through ISP2.)

You have 2 routes. The high priority route is chosen while it is up. You only fall back to the low priority when the primary is removed because it failed. So, if the high priority is up, it is preferred. Here is the guide that explains it: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I hope it is clear.

PK

Thanks for the answer, PK.

Unfortunately I wasn't clear enough. I was talking about outbound traffic from the server to the client (for example - server replying to client's request for web page). But your answer was clear. If both links are up, reply will go over default route (ISP1), not over the backup link (ISP2), right?

Thanks again.

mirko

Yes.

To explain it better, if the inbound request is coming in ISP2 and ISP1 route is up the response will go out ISP1 and you will have asymmetric routing issues. In other words, you can't use ISP1 and 2 at the same time, ISP2 will be used only when 1 is down.

I hope it makes sense.

PK
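
The setup discussed in this thread, as an added example that is not part of the original posts or Cisco's own configuration: two statics for one web server plus an SLA-tracked default route, in the pre-8.3 ASA syntax the thread uses. The interface names isp1/isp2 come from the thread; all addresses (documentation ranges), the physical interfaces, the ACL names and the SLA/track ID 1 are assumptions.

```cisco
! Constructed addressing: 192.0.2.0/24 = ISP1, 198.51.100.0/24 = ISP2,
! 10.1.1.10 = web server on the inside network.
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! One static per ISP interface, both mapping to the same real host.
static (inside,isp1) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,isp2) 198.51.100.10 10.1.1.10 netmask 255.255.255.255
!
! Expose only HTTP on each mapped address (pre-8.3 ACLs match the mapped IP).
access-list isp1_in extended permit tcp any host 192.0.2.10 eq www
access-list isp2_in extended permit tcp any host 198.51.100.10 eq www
access-group isp1_in in interface isp1
access-group isp2_in in interface isp2
!
! SLA probe: ICMP echo to the ISP1 next hop, sourced from the isp1 interface.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route is installed only while track 1 is up.
! The metric-254 route takes over when the primary is removed.
route isp1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

`show track 1` and `show route` confirm which default route is currently installed, and therefore which static is in use.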
