Please have a look at my diagram; I've mentioned all the required information.
- We are using Microsoft TMG Firewall as a web proxy for our internal clients. It has 2 NICs: External connected to the ASA and Internal connected to the switch.
- We are going to add a new ISP. Now I want the proxy to route all the internet traffic to the new R2_ISP2 as primary; if ISP2 fails it should automatically route to R1.
- I want to keep R1 now for VPN traffic and inbound services and as backup if R1_ISP2 fails for outbound internet traffic.
Please help me achieve this, and tell me where R2_ISP2 should be connected in the diagram to achieve the above rule.
Please let me know if my question is not clear.
Thanks in advance
The problem you have is that you need to use PBR, and the ASA does not support PBR.
"I want to keep R1 now for VPN traffic and inbound services and as backup if R1_ISP2 fails for outbound internet traffic"
What do you mean by "inbound services"?
The existing router and the new router, how many interfaces do they have? If you could have a direct connection between the routers then you could use PBR on the routers, but you would need 3 interfaces on each router.
An alternative, if the routers only have a LAN and WAN interface, is to use PBR to send the traffic back out the LAN interface to the other router. I have seen this work with some routers and not with others, so it may or may not work.
What about NAT? Is the new ISP providing you with public addressing, and if so how are you going to use it?
Bear in mind that if you are using an existing public IP for your proxy server, traffic could be sent outbound to either link with PBR, but when it returns it will be routed on your existing connection because the IP belongs to your existing ISP.
This may or may not be what you want, depending on what you mean by "inbound services".
Thanks for the reply.
I guess I am failing to ask the question properly.
Just to review my scenario and what I am looking for.
- I have Cisco ASA with 3 interfaces
Gi0/0 - Outside to R1_ISP1 Router
Gi0/1 - Inside to Internal Network
Gi0/2 - TMG Back to Back - Connected External interface of TMG
- ASA has now default route to R1 router
- I have a multilayer switch in the inside network with different VLANs. The switch has a default route to the ASA.
- I have TMG with 2 interfaces (Internal and External). The External NIC is connected directly to the ASA as mentioned above.
- Our users use the web proxy to get to the internet (http and https).
- I have 3 free interfaces on the router.
Now we have purchased an additional internet line dedicated only to internal web traffic, and we want to keep the previous ISP for VPN and publishing internal resources (inbound services), meaning accessing email and other servers from outside.
Right, so you want all internet access from your internal users to go via the new ISP.
If you have 3 interfaces on each router then you could use PBR on the routers for internet traffic. Basically you keep the default route on the ASA as is and you then use PBR on your existing router so that any traffic from your proxy is sent to the other router.
Do you have 3 interfaces on both routers?
That would take care of outbound traffic to the internet. But the problem is inbound traffic. If the new ISP is giving you some new addressing and you want to route traffic via that ISP, you would need to assign one of those new addresses to the proxy server, i.e. change its public IP. Otherwise outbound traffic will go via the new ISP as described above, but return traffic would still come in on your existing link.
So what is the state of the public addressing? If you have provider-independent addressing this would make it easier, but if you don't, like I say, you may need to readdress the proxy server, and this would also mean updating the ASA configuration for NAT and access-lists etc.
"Right, so you want all internet access from your internal users to go via the new ISP." Yes.
"If you have 3 interfaces on each router then you could use PBR on the routers for internet traffic. Basically you keep the default route on the ASA as is and you then use PBR on your existing router so that any traffic from your proxy is sent to the other router." How can I configure that? Moreover, I don't have a free interface on the Cisco ASA, so I will need to terminate both ISPs on the same router.
For inbound traffic, I want to stay with ISP1.
I have been given 4 IP addresses from the new ISP.
An alternative to readdressing the proxy server may be to NAT it again on the new router as it goes out, i.e.
proxy server (private IP) -> ASA (proxy server existing public IP) -> existing router -> PBR -> new router (proxy server new public IP).
I didn't get that.
I have found this link which could help me, but I didn't understand the IP addressing.
That document is primarily concerned with a backup link but you want to use both links at the same time.
If you terminate both ISPs onto the same router it makes the PBR config a lot easier. But then the router is a single point of failure. So it's a choice to be made. If you only have one firewall as well then that is also a single point of failure.
It could be done with a router per ISP but it is more complicated.
In terms of the addressing: the existing ISP (ISP1) has allocated you public IPs. One of these is presumably being used for the proxy server. So traffic coming from the internet to the proxy server is routed via ISP1's network.
If you want the proxy server to use the new ISP (ISP2) and you don't change the address, either by readdressing the proxy server (and modifying the ASA config) or by doing NAT twice, then traffic going out to the internet from the proxy server would go via ISP2, but because the proxy server is using an IP assigned by ISP1 it is routed back via ISP1's network, i.e. on the existing link.
That is why you need to change the proxy server IP address.
You do not need another interface on the ASA. You do need to decide whether you are going to terminate the second ISP into the same router or use another one. If you terminate onto the same router, as I say, it would be easier, but you need to make sure your router can handle the bandwidth of both ISP links.
It's also important to note that because R1 is doing the PBR if R1 fails then so does proxy traffic. You could use route tracking on the ASA but as you can see things are going to get more complicated.
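The two-router variant described above (PBR on the existing router, a second NAT on the new router, fallback to ISP1 when ISP2 is unreachable), written out as an added Cisco IOS example. This is not configuration from the thread or from Jon; every address, interface name, ACL name and route-map name is a constructed assumption: the proxy's existing public IP is 198.51.100.10 (from the ISP1 block, assigned by the ASA's NAT), R1 and R2 are joined by a new point-to-point link 10.10.10.0/30 on Gi0/2 of each, ISP2's gateway is 203.0.113.1, R2's WAN address is 203.0.113.2, and 203.0.113.10 is one of the four addresses ISP2 supplied. If the proxy is instead PATed behind the ASA's outside interface address, that address goes in the ACLs in place of 198.51.100.10 and the port match is then the only thing separating proxy web traffic from anything else the ASA sends out.

```cisco
! Added example, not the thread's own config. Addresses and names are assumptions:
!   198.51.100.10  proxy's existing public IP (ISP1 block, NATed by the ASA)
!   10.10.10.0/30  new P2P link R1 Gi0/2 <-> R2 Gi0/2
!   203.0.113.1    ISP2 gateway; 203.0.113.2 R2 WAN; 203.0.113.10 proxy's ISP2 IP
!
! ===== R1 (existing router, ISP1) =====
! Probe ISP2's gateway through R2. The host route pins the probe to the R2
! path; without it the probe would follow R1's default route out via ISP1
! and keep succeeding while ISP2 is actually down.
ip route 203.0.113.1 255.255.255.255 10.10.10.2
ip sla 1
 icmp-echo 203.0.113.1 source-ip 10.10.10.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Only the proxy's outbound web sessions are policy-routed. VPN and the
! published (inbound) services keep following the default route via ISP1.
ip access-list extended PROXY-WEB
 permit tcp host 198.51.100.10 any eq www
 permit tcp host 198.51.100.10 any eq 443

! verify-availability + track: while track 1 is down the set clause is
! skipped and the packet is routed normally, i.e. out to ISP1. That is the
! "go back to R1 if ISP2 fails" behaviour asked for.
route-map PROXY-TO-ISP2 permit 10
 match ip address PROXY-WEB
 set ip next-hop verify-availability 10.10.10.2 10 track 1

interface GigabitEthernet0/2
 description P2P link to R2
 ip address 10.10.10.1 255.255.255.252

! PBR acts on ingress, so apply it on the interface facing the ASA outside.
interface GigabitEthernet0/1
 description to ASA Gi0/0 (outside)
 ip policy route-map PROXY-TO-ISP2

! ===== R2 (new router, ISP2) =====
interface GigabitEthernet0/2
 description P2P link to R1
 ip address 10.10.10.2 255.255.255.252
 ip nat inside
interface GigabitEthernet0/0
 description ISP2 WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Return path for the ISP1-addressed proxy once the translation is undone.
ip route 198.51.100.10 255.255.255.255 10.10.10.1

! Second NAT ("NAT twice"): rewrite the ISP1 source to an ISP2 address so
! replies come back over ISP2. The R1 probe is included because it arrives
! with a private source (10.10.10.1) that ISP2 would never route back.
ip access-list extended NAT-TO-ISP2
 permit tcp host 198.51.100.10 any eq www
 permit tcp host 198.51.100.10 any eq 443
 permit icmp host 10.10.10.1 host 203.0.113.1
ip nat pool ISP2-PROXY 203.0.113.10 203.0.113.10 netmask 255.255.255.248
ip nat inside source list NAT-TO-ISP2 pool ISP2-PROXY overload
```

Check the state with `show track 1`, `show route-map PROXY-TO-ISP2` (the policy-matched counter should climb when the proxy browses) and `show ip nat translations` on R2. The list-to-pool overload on R2 only creates translations for sessions started from the inside, so nothing unsolicited reaches the proxy via ISP2 and the published services stay on ISP1 as required. Pulling ISP2's cable should flip track 1 to down within a few probe intervals, after which the same proxy sessions appear in R1's routing table path via ISP1; R1 itself remains the single point of failure noted above.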
Yes, you are right. The router can be a single point of failure.
For the ASA, I have requested an additional one for Active/Standby failover.
So please can you help with the config to terminate the ISPs on different routers and let the proxy go through ISP2 and then to ISP1 if ISP2 goes down.
Currently on the ASA I have global NAT to outside for the ISP, and for the proxy server I have dynamic NAT to the outside interface of the ASA.
This is a bit of a complicated design, and I'm not sure whether it has grown accidentally over time or someone really designed it well enough keeping future requirements in mind. Nevertheless, I agree with Jon on a few of the points he has made, and you do not want to over-complicate it.
The easiest solution for this would be to put a Layer-3 switch like a 3750 between the routers and the ASA. Move your NAT config to both the routers and let the 3750 switch do the PBR for your traffic towards the WAN. You can match the traffic on the 3750 depending upon the IP and port number, and then have R2 primary for web internet traffic and R1 primary for other traffic.
Hope this helps.