We have to change the provider, which includes an IP address change of our public IP addresses. In our DMZ we have a couple of servers which need to be accessible to the public. With the new provider I have changed the NAT addresses of those servers. My problem is that, due to DNS resolution, the servers need to be accessible for a couple of hours on both firewalls. I thought that using TCP state bypass I would be able to have two public addresses for the servers. It works from LAN to DMZ because there is NAT exemption.
But on the public side I get the request from one firewall and the return traffic exits the other firewall, so I have two different NAT addresses and the SYN-ACK is ignored by my client on the Internet.
Is there any way to force the firewall sending the data back to the client to use the IP address of the firewall where the packets came in?
I would imagine you would have to resort to some sort of NAT for all the source hosts/clients that connect to the server.
What I mean is that you probably have a Static NAT configured for the server on both firewalls. You would then need to configure a Dynamic Policy PAT (or NAT) that would translate any public source IP address to some NAT IP address, provided that the destination of that traffic was the Static NAT IP address of the server.
This would essentially mean that any connection coming through either firewall would be NATed and the server would essentially see connections coming from that/those NAT IP address(es). This in turn would mean that the server would forward the return traffic through the firewall which owned that NAT IP address (provided the routing for those NAT IP addresses/networks was handled properly).
Another option might be having both ISP links on a single firewall, which would mean the server would only have one gateway out of the network, and the ASA should enable access TO the servers through either ISP link/interface on the firewall.
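The Static NAT plus Dynamic Policy PAT combination described in the reply, written out as an added ASA 8.3+ configuration example for one of the two firewalls (this is not the poster's configuration; the interface names, object names and addresses are placeholders, and the second firewall would get the same rules with its own public IP):

```cisco
! Firewall A (old provider). Assumed ASA 8.3+ NAT syntax; all addresses are placeholders.
object network DMZ-SERVER
 host 192.168.10.10
object network DMZ-SERVER-PUBLIC-A
 host 203.0.113.10
!
! Existing Static NAT for the server (object NAT, NAT section 2):
! Internet clients reach the server on 203.0.113.10 via this firewall.
object network DMZ-SERVER
 nat (dmz,outside) static 203.0.113.10
!
! Added Dynamic Policy PAT (manual/twice NAT, NAT section 1, evaluated first):
! any Internet source whose destination is this firewall's public IP for the server
! is PATed to firewall A's own DMZ interface address ("interface" keyword), so the
! server sees the connection from firewall A and routes its replies straight back
! to firewall A instead of to whichever firewall is its default gateway.
! Object order is real->mapped for source, mapped->real for destination.
nat (outside,dmz) source dynamic any interface destination static DMZ-SERVER-PUBLIC-A DMZ-SERVER
!
! Inbound access policy is unchanged: permit to the real (untranslated) server address.
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq 443
access-group OUTSIDE-IN in interface outside
```

Because the client source address is hidden behind the PAT, the server's own logs will show firewall A's DMZ address rather than the real client, so keep connection logging on the firewalls for the duration of the migration; `show xlate` and `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443` confirm which rule a given inbound packet hits.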