ASA 5520 Redundant Links Inbound/Outbound

Discussion in 'Cisco' started by Nick Your Company Computer Guy, Mar 29, 2007.

  1. OK, here's what I want to do, but I'm not exactly sure how to do it thus
    far. On our ASA 5520 we have two "outside" interfaces that come from
    separate ISPs, and we have multiple statics available from both of
    those ISPs. I have a DMZ and an INSIDE interface also. The web server and
    two DNS servers are located in the DMZ. Our Exchange server is on the
    inside network for obvious reasons. I want to have one IP from each
    ISP NATed to the Exchange server and web server. Please assume I have
    followed this document for my primary/backup ISP setup:
    http://www.cisco.com/en/US/products...s_configuration_example09186a00806e880b.shtml
    I would like to keep my current setup for failover of outbound traffic
    in the event of a failure and add inbound access from both ISPs.
    Thanks for any suggestions.
     
    Nick Your Company Computer Guy, Mar 29, 2007
    #1

  2. Brian V (Guest)

    "Nick Your Company Computer Guy" <> wrote in message news:...
    > OK, here's what I want to do, but I'm not exactly sure how to do it thus
    > far. On our ASA 5520 we have two "outside" interfaces that come from
    > separate ISPs, and we have multiple statics available from both of
    > those ISPs. I have a DMZ and an INSIDE interface also. The web server and
    > two DNS servers are located in the DMZ. Our Exchange server is on the
    > inside network for obvious reasons. I want to have one IP from each
    > ISP NATed to the Exchange server and web server. Please assume I have
    > followed this document for my primary/backup ISP setup:
    > http://www.cisco.com/en/US/products...s_configuration_example09186a00806e880b.shtml
    > I would like to keep my current setup for failover of outbound traffic
    > in the event of a failure and add inbound access from both ISPs.
    > Thanks for any suggestions.

    You do it the same way your primary NAT is done:

    static (inside,outside) <public ISP1> <exchange private> netmask 255.255.255.255
    static (inside,outside2) <public ISP2> <exchange private> netmask 255.255.255.255

    Don't forget to apply the ACL on the outside2 interface as well.
     
    Brian V, Mar 29, 2007
    #2
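
    As an added worked example (not Brian's or Nick's configuration, and not
    taken from the Cisco document linked above), this is what the complete
    pre-8.3 ASA configuration for the design in this reply looks like: one
    public address per ISP for the Exchange server, the web server and a DMZ
    DNS server, a per-service inbound ACL on each outside interface, and the
    tracked default route that provides the outbound primary/backup failover
    the thread assumes. Every address (203.0.113.0/29 for ISP1, 198.51.100.0/29
    for ISP2, 10.0.0.10 for Exchange, 172.16.0.10 and 172.16.0.53 in the DMZ),
    the interface names and the probe timers are assumptions chosen for
    illustration. Because pre-8.3 ACLs match the mapped (public) address, each
    outside interface needs its own list naming that ISP's addresses; that is
    the "apply the ACL on outside2 as well" step, and it should be the same
    tight service list, not a broad permit.

```cisco
! Added example (ASA 7.x / 8.0-8.2 NAT syntax). All addresses are
! documentation ranges chosen for illustration, not the poster's network.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! One-to-one statics: the same private host gets a public address on each ISP.
static (inside,outside)  203.0.113.3  10.0.0.10   netmask 255.255.255.255
static (inside,outside2) 198.51.100.3 10.0.0.10   netmask 255.255.255.255
static (dmz,outside)     203.0.113.4  172.16.0.10 netmask 255.255.255.255
static (dmz,outside2)    198.51.100.4 172.16.0.10 netmask 255.255.255.255
static (dmz,outside)     203.0.113.5  172.16.0.53 netmask 255.255.255.255
static (dmz,outside2)    198.51.100.5 172.16.0.53 netmask 255.255.255.255
!
! Inbound ACLs. Pre-8.3 ACLs match the mapped (public) address, so each
! outside interface gets its own list naming that ISP's addresses. Permit
! only the published services: a "permit ip any any" on outside2 would
! expose every static bound to that interface.
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-list outside_in extended permit tcp any host 203.0.113.4 eq www
access-list outside_in extended permit tcp any host 203.0.113.4 eq https
access-list outside_in extended permit udp any host 203.0.113.5 eq domain
access-list outside_in extended permit tcp any host 203.0.113.5 eq domain
access-group outside_in in interface outside
!
access-list outside2_in extended permit tcp any host 198.51.100.3 eq smtp
access-list outside2_in extended permit tcp any host 198.51.100.3 eq https
access-list outside2_in extended permit tcp any host 198.51.100.4 eq www
access-list outside2_in extended permit tcp any host 198.51.100.4 eq https
access-list outside2_in extended permit udp any host 198.51.100.5 eq domain
access-list outside2_in extended permit tcp any host 198.51.100.5 eq domain
access-group outside2_in in interface outside2
!
! Tracked default route (the primary/backup ISP setup the thread assumes):
! ping ISP1's gateway from the outside interface; when it stops answering,
! the outside route is withdrawn and the outside2 route with the worse
! metric takes over for all outbound traffic.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside  0.0.0.0 0.0.0.0 203.0.113.1  1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

    To check that the second path really is reachable, use the ASA's own
    tools rather than waiting for ISP1 to fail: `show route` should list only
    the active default, `show xlate` should show a translation on each outside
    interface for each server, and `packet-tracer input outside2 tcp
    192.0.2.50 1025 198.51.100.3 25` walks a simulated SMTP connection through
    the outside2 ACL and the static. Note that this configuration only
    controls what reaches the servers; where their replies go is the question
    raised later in the thread.
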

  3. On Mar 28, 9:42 pm, "Brian V" <> wrote:
    > "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    >
    > You do it the same way your primary NAT is done:
    >
    > static (inside,outside) <public ISP1> <exchange private> netmask 255.255.255.255
    > static (inside,outside2) <public ISP2> <exchange private> netmask 255.255.255.255
    >
    > Don't forget to apply the ACL on the outside2 interface as well.

    Thanks, Brian. I'll give it a go in the lab environment.
     
    Nick Your Company Computer Guy, Mar 29, 2007
    #3
  4. Brian V (Guest)

    "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    > Thanks, Brian. I'll give it a go in the lab environment.

    Very welcome; this feature works flawlessly. So far we've got at least
    2-3 dozen customers up on it. Using the ISP failover feature in conjunction
    with a service such as dnsmadeeasy.com gives the customers full ISP
    redundancy for very, very short money. Also, don't forget, you need a way to
    dynamically update the DNS in the event of an ISP failure; that's where
    companies like dnsmadeeasy come in.
     
    Brian V, Mar 29, 2007
    #4
  5. On Mar 29, 7:39 am, "Brian V" <> wrote:
    > "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    >
    > Very welcome; this feature works flawlessly. So far we've got at least
    > 2-3 dozen customers up on it. Using the ISP failover feature in conjunction
    > with a service such as dnsmadeeasy.com gives the customers full ISP
    > redundancy for very, very short money. Also, don't forget, you need a way to
    > dynamically update the DNS in the event of an ISP failure; that's where
    > companies like dnsmadeeasy come in.

    Brian, in this scenario what happens if traffic comes in one
    connection on the ASA and the server sends out a response? Will it go
    out the default gateway, which is the primary connection at the time, or
    will it go out the way it came in? Thanks.
     
    Nick Your Company Computer Guy, Apr 3, 2007
    #5
  6. Brian V (Guest)

    "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    > Brian, in this scenario what happens if traffic comes in one
    > connection on the ASA and the server sends out a response? Will it go
    > out the default gateway, which is the primary connection at the time, or
    > will it go out the way it came in? Thanks.

    Correct, it will be asymmetrical routing: in one pipe, out the other. It
    will piss off a lot of things, since a different IP will be replying.
     
    Brian V, Apr 3, 2007
    #6
  7. On Apr 3, 1:22 pm, "Brian V" <> wrote:
    > "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    > > Brian, in this scenario what happens if traffic comes in one
    > > connection on the ASA and the server sends out a response? Will it go
    > > out the default gateway, which is the primary connection at the time, or
    > > will it go out the way it came in? Thanks.
    >
    > Correct, it will be asymmetrical routing: in one pipe, out the other. It
    > will piss off a lot of things, since a different IP will be replying.

    Yeah, that won't necessarily work for us. We have a web presence and
    host our own DNS, etc. I'll have to find another way. I have a router
    that I can throw in front to handle the ISPs with object tracking and
    also policy-based routing to get it back out the correct pipe. I'm
    thinking I can try to do something with policy-based routing and only
    have one "outside" interface going into the ASA from the router; this
    will save me an interface as well. Can you think of an easier/better
    solution?
     
    Nick Your Company Computer Guy, Apr 3, 2007
    #7
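
    As an added example (not Nick's configuration, and not something the
    thread itself provides), this is the router-in-front design he describes,
    in IOS syntax: IP SLA tracking of each ISP gateway, a tracked
    primary/backup default route for outbound traffic, and policy-based
    routing on the ASA-facing interface so that a reply carrying an ISP's
    public source address leaves through that ISP, whichever default route is
    active. The interface names, the 192.168.255.0/30 transit link to the
    ASA's single outside interface, the public addresses 203.0.113.3-4 (ISP1)
    and 198.51.100.3-4 (ISP2) and the probe timers are assumptions. The ASA
    side of this design (translating one host to an address from each ISP's
    block on one interface) is not shown.

```cisco
! Added example (IOS 12.4-style syntax). Addresses are documentation ranges
! chosen for illustration, not the poster's network.
interface GigabitEthernet0/0
 description ISP1
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 description ISP2
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/2
 description Transit link to the ASA's single outside interface
 ip address 192.168.255.1 255.255.255.252
 ip policy route-map ISP-RETURN
!
! Probe each ISP gateway so a dead link withdraws both its default route
! and its PBR next hop.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Outbound: ISP1 primary, ISP2 as a floating static with a worse distance.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
! The public addresses the ASA translates to sit behind the transit link.
! Each ISP gateway ARPs for these on its own link; IOS proxy ARP (on by
! default) answers because the router routes them out a different interface.
ip route 203.0.113.3 255.255.255.255 192.168.255.2
ip route 203.0.113.4 255.255.255.255 192.168.255.2
ip route 198.51.100.3 255.255.255.255 192.168.255.2
ip route 198.51.100.4 255.255.255.255 192.168.255.2
!
! Return path: match on the public source address the ASA stamped on the
! reply and force the next hop to that ISP's gateway. verify-availability
! with a track object means a dead gateway falls through to the routing
! table instead of black-holing the reply.
ip access-list extended FROM-ISP1-ADDRS
 permit ip host 203.0.113.3 any
 permit ip host 203.0.113.4 any
ip access-list extended FROM-ISP2-ADDRS
 permit ip host 198.51.100.3 any
 permit ip host 198.51.100.4 any
!
route-map ISP-RETURN permit 10
 match ip address FROM-ISP1-ADDRS
 set ip next-hop verify-availability 203.0.113.1 10 track 1
route-map ISP-RETURN permit 20
 match ip address FROM-ISP2-ADDRS
 set ip next-hop verify-availability 198.51.100.1 10 track 2
! Packets matching neither list (ordinary outbound traffic from the inside)
! are forwarded by the default route like any other packet.
```

    `show track` shows whether each probe currently sees its gateway, and
    `show route-map ISP-RETURN` counts how many packets each sequence has
    policy-routed, which is the quickest way to confirm that replies for the
    ISP2 addresses are taking the ISP2 path. The route map matches only on the
    source address, which is safe here because the ASA is the only device on
    the transit link and owns those addresses; if anything else could inject
    packets on that segment, restrict the match to the transit interface's
    peer.
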
  8. Brian V (Guest)

    "Nick Your Company Computer Guy" <> wrote in message news:...
    > [...]
    > Yeah, that won't necessarily work for us. We have a web presence and
    > host our own DNS, etc. I'll have to find another way. I have a router
    > that I can throw in front to handle the ISPs with object tracking and
    > also policy-based routing to get it back out the correct pipe. I'm
    > thinking I can try to do something with policy-based routing and only
    > have one "outside" interface going into the ASA from the router; this
    > will save me an interface as well. Can you think of an easier/better
    > solution?

    You cannot have two active ISP connections on a single ASA; you can run in ISP
    redundancy mode, which is active/passive. By two active ISPs I mean that
    default-route traffic, i.e. 0.0.0.0, will go out both pipes. You "could" have
    site-to-site VPN tunnels on one and all default traffic go out the other; you
    could also have the primary default fail over to the secondary. If you want
    true load balancing, look into something like Radware or similar. Radware
    Branch is a great box; we've got hundreds of them out there at different
    customers.
     
    Brian V, Apr 4, 2007
    #8