Velocity Reviews - Computer Hardware Reviews

ASA 5520 Redundant Links Inbound/Outbound

Nick Your Company Computer Guy
03-29-2007
Ok, here's what I want to do, but I'm not exactly sure how to do it thus far. On our ASA 5520 we have two "Outside" interfaces that come from separate ISPs, and we have multiple statics available from both of those ISPs. I have a DMZ and INSIDE interface also. The webserver and two DNS servers are located in the DMZ. Our Exchange server is on the inside network for obvious reasons. I want to have one IP from each ISP nat'd to the Exchange server and webserver. Please assume I have followed this document for my primary/backup ISP setup:
http://www.cisco.com/en/US/products/...806e880b.shtml
I would like to keep my current setup for failover of outbound traffic in the event of a failure and add inbound access from both ISPs. Thanks for any suggestions.

Brian V
03-29-2007


You do it the same way your primary NAT is:

static (inside,outside) <public ISP1> <exchange private> netmask 255.255.255.255
static (inside,outside2) <public ISP2> <exchange private> netmask 255.255.255.255

Don't forget to apply the ACL on the outside2 interface as well.


Nick Your Company Computer Guy
03-29-2007

Thanks Brian I'll give it a go in the Lab environment.

Brian V
03-29-2007

Very welcome, this feature works flawlessly. So far we've got at least 2-3 dozen customers up on it. Using the ISP failover feature in conjunction with a service such as dnsmadeeasy.com gives the customers full ISP redundancy for very, very short money. Also, don't forget, you need a way to dynamically update the DNS in the event of an ISP failure; that's where companies like dnsmadeeasy come in.


Nick Your Company Computer Guy
04-03-2007

Brian, in this scenario what happens if traffic comes in one connection on the ASA and the server sends out a response? Will it go out the default gateway, which is the primary connection at the time, or will it go out the way it came in? Thanks.

Brian V
04-03-2007

Correct, it will be asymmetrical routing... in one pipe, out the other. Will **** off a lot of things since a different IP will be replying.


Nick Your Company Computer Guy
04-03-2007

Yeah, that won't necessarily work for us. We have a web presence and host our own DNS etc. I'll have to find another way. I have a router that I can throw in front to handle the ISPs with object tracking and also Policy Based Routing to get it back out the correct pipe. I'm thinking I can try to do something with Policy Based Routing and only have one "outside" interface going into the ASA from the router; this will save me an interface as well. Can you think of an easier/better solution?

Brian V
04-03-2007

You cannot have 2 active ISP connections on a single ASA; you can run in ISP redundancy mode, which is active/passive. By 2 active ISPs I mean that default route traffic, i.e. 0.0.0.0, will go out both pipes. You "could" have site-to-site VPN tunnels on one and all default traffic go out the other; you could also have the primary default fail over to the secondary. If you want true load balancing, look into something like Radware or similar. Radware Branch is a great box; we've got hundreds of them out there at different customers.
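Pulling the thread's advice together as an added example (not the posters' own configuration): pre-8.3 ASA syntax matching Brian's statics, the tracked primary/backup default routes from the Cisco ISP-failover document the OP followed, the inbound statics and per-interface ACLs from Brian's first reply, and the return-path caveat raised later. Interface names, the dmz nameif, the server addresses and the RFC 5737 public ranges are all constructed assumptions; the DMZ DNS servers would follow the same pattern as the web server.

```cisco
! Added example, not the posters' configuration. Pre-8.3 ASA syntax.
! Constructed addresses from RFC 5737 documentation ranges:
!   ISP1: 203.0.113.0/29, gateway 203.0.113.1   (primary)
!   ISP2: 198.51.100.0/29, gateway 198.51.100.1 (backup)
!   Exchange 10.0.0.10 on inside, web server 172.16.1.10 on dmz
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Active/passive default routes as in the Cisco ISP-failover document:
! the primary route is removed while track 1 reports the gateway down.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on whichever outside interface currently holds the default route
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Inbound: one public address from each ISP per server (Brian's two
! statics for Exchange, plus the same pair for the DMZ web server)
static (inside,outside) 203.0.113.3 10.0.0.10 netmask 255.255.255.255
static (inside,outside2) 198.51.100.3 10.0.0.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 172.16.1.10 netmask 255.255.255.255
static (dmz,outside2) 198.51.100.4 172.16.1.10 netmask 255.255.255.255
!
! Pre-8.3 inbound ACLs match the public (mapped) address. Each outside
! interface needs its own ACL bound with access-group; a security-level 0
! interface with no ACL drops all inbound connections.
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.4 eq www
access-list outside2_in extended permit tcp any host 198.51.100.3 eq smtp
access-list outside2_in extended permit tcp any host 198.51.100.4 eq www
access-group outside_in in interface outside
access-group outside2_in in interface outside2
!
! Return-path caveat from the thread: with track 1 up only the outside
! default route is installed, so the thread warns that a connection
! arriving on outside2 may be answered out outside via ISP1 (asymmetric,
! and sourced from a different address than the client used). Check it in
! the lab before relying on the backup address:
!   show route
!   show conn address 10.0.0.10
!   show xlate global 198.51.100.3
```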

