In a typical WAN scenario a WAN router would be connected to two Distribution Routers/Layer-3 switches for redundancy using routed (/30) Layer-3 links and be running an IGP (EIGRP or OSPF). If one of these links fails there is generally rapid failover and everything is happy...
If I replace this router with a PIX/ASA, can I have this same scenario? i.e. two inside interfaces to the same internal networks?
Traffic from the same internal hosts could arrive on either 'inside' interface in the WAN router scenario due to equal-cost paths - is this possible with the PIX/ASA?
My understanding is the PIX creates state based on the source and destination interfaces and therefore allows the relevant traffic. If the source's traffic should arrive on different inside interfaces, can this work?
ASAs usually have 4 ports, so you can configure two different inside interfaces. They would have to be on different subnets though.
The PIX usually has just one inside port and one outside port. In this case you would be forced to configure two sub-interfaces for the inside network (needing another device to split the VLAN traffic conveniently). Again, on different subnets.
All traffic that goes from a higher security level interface to a lower security level interface is allowed by default.
I am not sure exactly what it is that you need, but I hope this helps somewhat.
I think you have misunderstood my scenario. I have an ASA with two /30 Inside interfaces (Inside-1 and Inside-2) and a single Outside interface. OSPF is running on both the inside interfaces and there are equal-cost routes both ways (i.e. ASA injects an E2 default route with the same metric to both OSPF neighbors, both OSPF neighbors advertise equal-cost routes to internal IP networks to the ASA).
This means traffic from an internal Host going through the ASA can arrive on either interface. Can this work?
I thought the ASA created state based on source/destination interfaces? If a conversation starts on Inside-1 and then, due to routing, the traffic moves and arrives on Inside-2, will it not confuse the ASA? This is the behaviour I think I am seeing. I haven't tested it too thoroughly yet as it's just in a Lab. Currently the 2nd Inside interface is disabled as traffic was intermittent with it enabled.
That wouldn't work. If traffic from Host A arrived on Inside-1 and was NAT'd to the Outside interface with address X, and Host A's traffic then arrived on Inside-2 to go out, it would get NAT'd to address Y. This can't work as the external host would see two connections trying to be one.
I think I am going to have to adjust the routing so only one Inside interface is used and the 2nd Inside interface is a 'backup' with a high metric.
If you are looking for an HA solution, your best bet would be to get an Active/Active pair of PIX/ASA firewalls. 2 interfaces would NOT work, as you described above (traffic connection table issues). Using 2 PIX/ASA in an Active/Active solution would give you your redundancy and high availability.
This is all in a Lab so we can do whatever we want really... I was just trying to replicate what I would normally do with a router. Thanks for confirming my original thoughts - i.e. that it won't work. I'll play around with the routing and make the 2nd link a 'backup' using a high metric.
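The "backup link with a high metric" approach the thread settles on, written out as an added configuration example (not posted by anyone in the thread). Interface names, addresses, the OSPF process ID and the cost values are assumptions chosen for illustration. The point of the example is that OSPF cost is applied per outgoing interface, so raising it on the ASA alone only steers the ASA's own routes; the distribution switch facing Inside-2 must raise its cost as well, otherwise it still sees an equal-cost path to the ASA's E2 default route and return traffic can arrive on Inside-2 while the connection was built on Inside-1.

```cisco
! Added example, not from the thread. Names, addresses and costs are assumed.
!
! ASA side: both /30 inside links run OSPF; Inside-2 carries a much higher
! cost so routes learned from the Inside-2 neighbour lose to Inside-1.
interface GigabitEthernet0/1
 nameif Inside-1
 security-level 100
 ip address 10.0.1.1 255.255.255.252
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif Inside-2
 security-level 100
 ip address 10.0.2.1 255.255.255.252
 ospf cost 1000
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
router ospf 1
 router-id 10.0.1.1
 network 10.0.1.0 255.255.255.252 area 0
 network 10.0.2.0 255.255.255.252 area 0
 ! E2 default with the same external metric on both links; the neighbours
 ! break the tie on their internal cost to reach the ASA (the ASBR).
 default-information originate always metric 1 metric-type 2
!
! Distribution switch attached to Inside-1 (IOS syntax, assumed interface).
interface GigabitEthernet1/0/1
 ip address 10.0.1.2 255.255.255.252
 ip ospf cost 10
!
! Distribution switch attached to Inside-2: this cost is what makes the
! switch prefer the path via its peer and Inside-1 for the E2 default.
interface GigabitEthernet1/0/1
 ip address 10.0.2.2 255.255.255.252
 ip ospf cost 1000
```

With both ends weighted this way, steady-state traffic in both directions uses Inside-1 and the connection table never sees a flow hop between interfaces. Check it with `show ospf neighbor` and `show route` on the ASA and `show ip route 0.0.0.0` on each switch: the Inside-2 path should appear only after the Inside-1 link is shut. Note that when Inside-1 does fail, connections that were built on Inside-1 are still lost for the reason given above; the high-metric backup only restores reachability, it does not make the failover stateful.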