Two ASA5505 and a single internal website
shishirkaneria (topic author)
I have a query.
I have two ASA5505s, each on a different ISP.
External IP 1-ASA5505 = 20.20.20.2
Internal IP 1-ASA5505 = 10.10.10.1
External IP 2-ASA5505 = 30.30.30.2
Internal IP 2-ASA5505 = 10.10.10.2
Then a normal 28-port switch.
Then my webserver, 10.10.10.50.
I have to run my single internal site from both external IPs of the ASAs simultaneously.
Place the webserver in a DMZ and make static NAT translations.
[code:1]static (dmz,outside) tcp externalipaddress www internalipaddress www[/code:1]
You make this rule for every port you want to forward to your webserver.
Also you need to make an access-list on your outside interface to actually allow the traffic from the internet to the server:
[code:1]access-list outside_in permit tcp any host externalipaddress eq www[/code:1]
Again you make this rule for every port/IP you want to forward.
Then you need to bind the access-list to your interface:
[code:1]access-group outside_in in interface outside[/code:1]
Hope this helps,
Ron
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Hi Ron,
I'm not convinced this will work. The interesting thing with using two appliances is getting the return traffic back to the correct appliance. I have never tried to get it to work as I no longer do much with Cisco. The issue here is as follows:
1. The webserver in the DMZ will have its default gateway set to one of the appliances only (for this example, appliance 1).
2. Traffic will come into either appliance from the internet (presumably using DNS round robin it will hit appliance 1, then appliance 2, then appliance 1, etc.).
3. If it comes into appliance 1, then the appliance will forward to the webserver using the static NAT. The packet that hits the webserver still has the public IP address of the sending machine, and when the webserver sends traffic back, it uses normal routing to hit appliance 1 (because of the default gateway).
4. If it comes into appliance 2, then the appliance will forward to the webserver using the static NAT. The packet that hits the webserver still has the public IP address of the sending machine, and when the webserver sends traffic back, it uses normal routing to hit appliance 1 (because of the default gateway).
The problem comes into play at point 4. This is because you will see that return traffic gets sent back to appliance 1 due to the default gateway configured on the webserver. Appliance 1 will not have the NAT translation set up in the XLAT and will therefore drop the traffic.
Anyone know how to get around this? The only thing I could think of would be to NAT the incoming traffic for the source address also (so it would have to NAT source and destination addresses). The issue with doing this is that the webserver will see all traffic originating from the Pix internal interface.
I now work with WatchGuard firewalls, which have the functionality of setting up multiple external links to the same firewall. This therefore gets around the issue above and allows for outbound traffic to be balanced across multiple links without the added complexity of routing protocols, etc.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
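As an added example (not code from the thread or from any of its posters), here is a small Python model of two stateful NAT appliances in front of one webserver. It reproduces the drop described in point 4 above (the reply leaves via the server's default gateway and reaches the appliance that never saw the inbound flow) and the source-NAT workaround suggested in the same post, including its side effect that the server then sees the appliance's inside address as the client. The addresses are the thread's; the client address and source ports are constructed, and the conn/xlate handling is a simplification of what an ASA does.

```python
# Added example: a model of two stateful NAT appliances with one webserver.
# Addresses are the thread's example values; the client and ports are constructed.
WEB = "10.10.10.50"
CLIENT = "198.51.100.7"   # constructed Internet client (documentation range)

class Appliance:
    """Stateful firewall: forwards a reply only if it built the matching
    connection entry when the inbound flow passed through it."""
    def __init__(self, name, outside_ip, inside_ip, nat_source=False):
        self.name, self.outside_ip, self.inside_ip = name, outside_ip, inside_ip
        self.nat_source = nat_source   # also translate the client's source address?
        self.conns = set()             # simplified conn/xlate table

    def inbound(self, client, sport):
        """Client -> outside_ip:80 via the static NAT; returns the packet the server sees."""
        src = self.inside_ip if self.nat_source else client
        self.conns.add((src, sport, WEB, 80))
        return {"src": src, "sport": sport, "dst": WEB, "dport": 80}

    def reply(self, pkt):
        """Server reply transiting this box: True if a conn entry matches, else dropped."""
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.conns

def server_next_hop(pkt, default_gw, appliances):
    """Server routing: an appliance's own inside address is on-link and reached
    directly; any other destination (the real client) goes to the default gateway."""
    for a in appliances:
        if pkt["dst"] == a.inside_ip:
            return a
    return default_gw

def simulate(nat_source):
    """Send one request in through each appliance; report, per entry point, the
    source the server saw, which box received the reply, and whether it forwarded it."""
    app1 = Appliance("app1", "20.20.20.2", "10.10.10.1", nat_source)
    app2 = Appliance("app2", "30.30.30.2", "10.10.10.2", nat_source)
    results = {}
    for sport, entry in ((40001, app1), (40002, app2)):
        pkt = entry.inbound(CLIENT, sport)
        rep = {"src": WEB, "sport": 80, "dst": pkt["src"], "dport": pkt["sport"]}
        box = server_next_hop(rep, app1, (app1, app2))   # server's default gw = app1
        results[entry.name] = (pkt["src"], box.name, box.reply(rep))
    return results

if __name__ == "__main__":
    print("plain static NAT:", simulate(False))   # entry via app2 is dropped by app1
    print("source NAT too:  ", simulate(True))    # replies return to the right box
```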
*edit* I'm stupid... I entirely read over the fact that he does have 2 ASAs... doh >.<
I'm gonna toy around a bit with this setup. I got it to work before but I forgot how... stay tuned.
Currently working as Cisco Engineer at Neon-Networking.
It will work. You just need a Security Plus license with dual ISP enabled. You don't need 2 ASAs for 2 ISPs.
Blimey, didn't realise they had enabled dual ISP support. Shows how out of touch with the Pix/ASA I am these days, lol.
Wayne Murphy
The problem comes into play at point 4. This is because you will see that return traffic gets sent back to Appliance 1 due to the Default Gateway configured on the Webserver. Appliance 1 will not have the NAT translation setup in the XLAT and will therefore drop the traffic.
Very well explained, Smurf. The reply traffic will definitely go to only appliance 1 as you said.
So I'm thinking this, assuming the webserver is Windows based. Windows has an option where you can define more than one IP on a single NIC, right? (Advanced button, remember.) I'm wondering whether this will work:
Webserver:
IP1: 10.10.10.50
IP2: 10.10.10.51
Appliance 1:
[code:1]static (inside,outside) 20.20.20.2 10.10.10.50 netmask 255.255.255.255
static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255[/code:1]
Appliance 2:
[code:1]static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255[/code:1]
What I'm saying is, the first static statement for App1 will simply map 20.20.20.2 to 10.10.10.50. The single static statement for App2 maps 30.30.30.2 to 10.10.10.51. Both incoming flows go to the same server, that's simple, ha? Now the second static statement for App1 will fool App1 into translating the source address of the nasty reply traffic to have the IP 30.30.30.2 (App2's address).
That's up to my understanding that static maps work both ways, whether the traffic was initiated outside or inside.
Surely I'm mapping all IP traffic here, which works for all TCP ports (not just port 80), but I'm doing this just for simplicity.
Could it work, or am I out of scope?
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx