Re: Dual gateway configuration on ASA 5520
- From: fugettaboutit <no@xxxxxxx>
- Date: Thu, 04 Sep 2008 11:34:06 GMT
Hey Walter,
Walter Roberson wrote:
In article <bbcafa2f-f693-4334-b2a9-6696fc66cf29@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
GoogCenter <googleforum@xxxxxxxxxx> wrote:
I have an issue with the configuration of an ASA firewall.
Currently the configuration is quite basic:
outside: 10.1.0.2/255.255.0.0
default route: 10.1.0.1
inside: 192.168.0.1/255.255.255.0
"outside" is configured to a first ISP.
I have a web server & smtp server at IP address 192.168.0.3 which
receives public traffic from 10.1.0.3 thanks to a static NAT rule.
Also when the smtp server sends an email it is "seen" on the outside
as 10.1.0.3
Now I want to connect an "outside2" interface with a network provided by
another ISP:
outside2: 10.3.0.2/255.255.0.0
router of secondary ISP: 10.3.0.1
Then I would configure another server on 192.168.0.4 which would
receive / send traffic to / from 10.3.0.4
The problem is that the default route is always the one of the first
ISP.
How do I tell ASA firewall that packets coming OUT from ip address
192.168.0.4 have a default gateway on interface outside2, route
10.3.0.1 ?
You don't, not unless you use Security Contexts and logically
separate networks. PIX / ASA does not have source routing.
The usual way of handling this sort of thing on PIX / ASA is to use "reverse NAT" to translate the incoming -source-
addresses into a 10.3.x.x address. The inside server would
see the packets with the 10.3.x.x address, and so would reply
to that address. The PIX / ASA would see that the most direct
route to 10.3.x.x was through the outside2 interface so it would
send the packet to that interface. Once at the interface,
the reverse NAT would be undone, translating the destination addresses
on the packets to the original address/port combination for transmission
through outside2.
On PIX / ASA it is legal for an interface to have both source and
destination address translation applied to packets.
However -- if you use this approach, then "new connections" that
originate at the new server will use the old "outside" interface
unless you can construct a static route for those connections that
you do not mind applying to the other servers as well. E.g.,
if the new server is the only machine authorized to construct
a DNS server that is to be reached through outside2 then you
could construct a general host route via outside2 to that destination.
But if there is some resource that new connections from inside are to
use "outside" for the old server and "outside2" for the new server,
then you are going to have to use Security Contexts, or do the
routing further out from the PIX / ASA.
I've always respected your knowledge of the PIX. I've never really been a fan of the PIX, but it's what I have now and I'm wondering if the ASA is worth reconsidering...alas, that's another story. :-)
Could you talk some more about the "reverse NAT" idea? Wouldn't the PIX complain that the 10.3.x.x address was already being NAT'd at the Outside interface? How would I actually configure your example?
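As an added illustration (not Walter's configuration and not anything posted in this thread), here is how the reverse NAT arrangement he describes could be written in pre-8.3 ASA syntax, which is what an ASA 5520 of 2008 would have been running. The interface names, addresses and servers are the ones given in the question; the interface slots, the 10.3.0.64-10.3.0.127 translation pool, the outbound PAT for the rest of the inside network and the permitted ports are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (7.x/8.0/8.2);
! 8.3 and later replaced this with object NAT / twice NAT and will reject it.
! Interface slots are assumed; nameifs and addresses are from the question.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.0.2 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 10.3.0.2 255.255.0.0
!
! One default route only: every NEW outbound connection from inside leaves
! via "outside", as Walter says (the ASA has no source-based routing).
! 10.3.0.0/16 is reached through outside2 as a connected route.
route outside 0.0.0.0 0.0.0.0 10.1.0.1 1
!
! Existing web/SMTP server: 192.168.0.3 is 10.1.0.3 on outside.
static (inside,outside) 10.1.0.3 192.168.0.3 netmask 255.255.255.255
!
! New server: 192.168.0.4 is 10.3.0.4 on outside2. This is the destination
! translation for inbound connections and the source translation for the
! replies that travel back out of outside2.
static (inside,outside2) 10.3.0.4 192.168.0.4 netmask 255.255.255.255
!
! "Reverse NAT" (Cisco's term: outside NAT). Connections ARRIVING on outside2
! get their SOURCE address rewritten into an assumed free 10.3.x.x pool before
! being delivered inside. 192.168.0.4 therefore answers to a 10.3.x.x address;
! the ASA matches the existing xlate, forwards the reply via outside2 and
! restores the real client address/port on the way out.
! The pool must not include 10.3.0.4 (the static above) or 10.3.0.2 (the ASA).
nat (outside2) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 10.3.0.64-10.3.0.127 netmask 255.255.0.0
!
! Assumed outbound PAT for everything else on inside leaving via outside.
! Note that new connections opened BY 192.168.0.4 also match this rule and
! leave via outside, which is exactly the caveat Walter raises.
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
!
! outside2 is security-level 0, so inbound traffic to the translated (global)
! address has to be permitted explicitly. Ports are assumed.
access-list outside2_in extended permit tcp any host 10.3.0.4 eq www
access-list outside2_in extended permit tcp any host 10.3.0.4 eq smtp
access-group outside2_in in interface outside2
!
access-list outside_in extended permit tcp any host 10.1.0.3 eq www
access-list outside_in extended permit tcp any host 10.1.0.3 eq smtp
access-group outside_in in interface outside
```

After a test connection from the second ISP's side hits 10.3.0.4, `show xlate` should list two entries for it: the static for 192.168.0.4 and a dynamic one mapping the client's real address to a 10.3.0.64-127 address, and `show conn` should show the connection on outside2. Logs on the server will record the pooled 10.3.x.x address rather than the real client, which is the price of this approach. Connections initiated by 192.168.0.4 still follow the default route through outside unless a `route outside2 ...` to the specific destination is added, and that route applies to every inside host.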