
TWO ASA5505 and single Internal Website

15 years 8 months ago #28745 by Smurf
Hi S0lo,


I don't believe it will work. Basically, the Default Gateway is still going to be used to route traffic back to the Internet. There are a few points to be made:

1. The NAT that's occurring:

- Outbound traffic will NAT the Source Address, which you would expect. It's coming from an RFC1918 address, which isn't routable on the Internet, so you have to NAT this against your Public IP Address space; this happens when it's going out to the Internet. The Destination Address isn't altered. Traffic is then routed back to your Public Address and the corresponding XLAT knows what to re-write the Destination Address back to (the sending traffic will need its Source Address changed; when the traffic is coming back it will re-write the Destination Address).

- Inbound traffic will NAT the Destination Address. The Source Address will be the machine on the Internet (its Public IP address) and the Destination will be your Public Address. This Destination Address will need to be re-written to your Private Space while the Source Address isn't altered. Therefore, when the Packet reaches the server, it will send the traffic back to the sender's Public IP Address, which is why normal routing will take place (hence to the Appliance 1).

Even with two IP Addresses, bound to the server, it still can only have 1 default gateway so traffic will always be sent to Appliance 1.

Hope it makes sense.

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 8 months ago #28746 by S0lo
Hi Smurf,

Agree with you on all the NAT, public IP, private IP details you said.

Even with two IP Addresses, bound to the server, it still can only have 1 default gateway so traffic will always be sent to Appliance 1.

Hope it makes sense.


Sure Smurf, traffic from the server will indeed always be sent to Appliance 1 (since there can be only 1 default gateway). But I'm NOT trying to resolve that. I'm trying to force Appliance 1 to treat that traffic as outbound traffic (although it's reply traffic) and re-write the source address to be Appliance 2's IP. So that the outside/internet client will think that it came from Appliance 2.

The only purpose of the 2 IPs is simply to prevent Appliance 1 from issuing an error message when two static maps point to the same private IP (webserver private IP).

Does this make any sense?

Cheers mate :D

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 8 months ago #28749 by Smurf
Sorry mate, ya lost me?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 8 months ago #28754 by S0lo
Never mind. I hate it when I get so hooked :x. I was trying to do this:

Request to ExternalIP 1:


Request to ExternalIP 2:


Made this in 10 minutes so forgive incompleteness.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 8 months ago #28767 by Smurf
Hmm, I see now :)

Won't work.

The way that you are trying to configure this will conflict because you are using the same external IP Address on both firewalls so you will have an IP Conflict.

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 8 months ago #28770 by S0lo
Hmm, excuse my lack of knowledge. Can you explain why you think I'm using two external IPs? Did you mean that I have this statement on both ASAs:

static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255

And that's why the 30.30.30.2 will conflict. If that's what you mean, then I'm thinking the ISP router won't have trouble routing, since I'm not defining this same IP on both the outside interfaces of the Appliances. Only App2 has 30.30.30.2 defined on its outside interface. Unless of course those static statements will affect routing on the ISP side, then I can understand that conflict.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
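To make Smurf's NAT walkthrough and the reply-path problem concrete, here is an added toy model (not from the thread or from Cisco) of the two-appliance setup: a request arrives via App2's static map, the web server answers through its single default gateway, App1, and the model assumes a stateful firewall only forwards replies for connections it has itself seen. App1's outside address, the server's second private IP and the client address are constructed values; 30.30.30.2 and 10.10.10.51 are the ones quoted in the thread.

```python
"""Toy stateful-NAT model of the two-ASA scenario discussed in this thread."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Appliance:
    name: str
    static: Dict[str, str]                      # public -> private, one static map
    xlate: Dict[Tuple, str] = field(default_factory=dict)  # connections seen inbound

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> server: rewrite the destination, record the connection."""
        priv = self.static.get(pkt.dst)
        if priv is None:
            return None                         # no static map for this public IP
        self.xlate[(priv, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, priv, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Server -> Internet: only a reply to a known connection is re-written."""
        pub = self.xlate.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if pub is None:
            return None                         # model: unseen connection, dropped
        return Packet(pub, pkt.dst, pkt.sport, pkt.dport)


def server_reply(request: Packet) -> Packet:
    """The web server simply swaps addresses and ports to answer."""
    return Packet(request.dst, request.src, request.dport, request.sport)


def run(client: str = "203.0.113.9", sport: int = 40000):
    """Request to ExternalIP 2 via App2; the reply can only leave via App1."""
    app1 = Appliance("App1", {"30.30.30.1": "10.10.10.50"})   # constructed addresses
    app2 = Appliance("App2", {"30.30.30.2": "10.10.10.51"})   # the thread's static map
    inside = app2.inbound(Packet(client, "30.30.30.2", sport, 80))
    reply = server_reply(inside)
    # The server's one default gateway is App1, so App2 never sees the reply.
    via_app1 = app1.outbound(reply)             # None: App1 has no xlate for it
    would_be_via_app2 = app2.outbound(reply)    # what App2 would have sent
    return via_app1, would_be_via_app2
```

Running `run()` shows App1 returning nothing for the reply while App2 would have re-written its source to 30.30.30.2, which is the asymmetry the thread is circling around.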