Cisco – Dual ISP Inbound NAT — Asymmetric routing

Tags: cisco, cisco-asa, nat, routing

Routing question here.

In a dual ISP scenario, is there a way to use both external IPs and NAT them to a web server in a higher security level? The issue I am running into is on the return path for ISP2. I believe it is because the default route from the Cisco ASA is ISP1. So if a request comes in on ISP2 it hits the web server successfully (after being NAT'd), but when the packet is returned it gets un-NAT'd and overloaded over the ISP1 link, which is an IP the requester is not expecting.

ISP side:

ISP1 = 1.1.1.1/30
ISP2 = 2.2.2.1/30

On My side:

interface e0/1 (ISP1) has IP 1.1.1.2
interface e0/2 (ISP2) has IP 2.2.2.2
static (dmz,ISP1) tcp interface www 10.0.0.10 www netmask 255.255.255.255
static (dmz,ISP2) tcp interface www 10.0.0.10 www netmask 255.255.255.255

show route
10.0.0.0/24, directly connected dmz
1.1.1.0/30, directly connected ISP1
2.2.2.0/30, directly connected ISP1
0.0.0.0/0, [1/0] via 1.1.1.1

Is there a way to tag or track inbound packets so they come in and leave out of the same interface, regardless of the default route?

NOTE: I was thinking something along the lines of checking the source IP of the return (outbound) packet. My thought is that the source IP should be the IP of either the ISP1 or ISP2 interface, whichever it came in on in the first place. Perhaps policy-based routing?

Best Answer

You're not going to be able to achieve this with your current setup. As you're finding out, you're going to run into problems with asymmetric routing, and firewalls don't like that at all.

Ideally you need a router to sit between your firewall and your ISPs.

ISP1      ISP2
   \      /  
    ROUTER
      |
     ASA
      |
   SERVERS

You then have a few options:

1) That router could then have policy-based routing enabled and send reply traffic sourced with ISP1 address space via the ISP1 router, and reply traffic sourced with ISP2 address space via the ISP2 router. If you don't care about only using one link at a time for outbound connectivity then PBR isn't even necessary.

Or

2) You need some common public address space that both ISPs can use. To that end you'll either need to request some provider-independent address space from your regional internet registry, or use the same ISP for both of your internet links, and use some BGP magic to tie it all together.

In both cases your firewall should have only one external interface.
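Option 1 above, as an added worked example that is not part of the answer: a Cisco IOS policy-based-routing configuration for the router placed between the ASA's single outside interface and the two ISPs. It reuses the question's link addresses (1.1.1.2 towards next hop 1.1.1.1, 2.2.2.2 towards next hop 2.2.2.1) and assumes everything else: the interface names, the ACL and route-map names, a transit subnet 192.0.2.0/30 between router and ASA (router 192.0.2.1, ASA outside 192.0.2.2), and one routed public address from each ISP's space (1.1.1.10 and 2.2.2.10, constructed placeholders) that the ASA translates the web server to.

```cisco
! Added example, not the answer's own configuration.
! Router sitting between the ASA and both ISPs; all names and the
! transit/public addresses below are assumptions, not from the question.
!
interface GigabitEthernet0/0
 description Uplink to ISP1 (link addresses from the question)
 ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Uplink to ISP2 (link addresses from the question)
 ip address 2.2.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Transit to the ASA outside interface (assumed subnet)
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map RETURN-PATH
!
! Inbound: hand each ISP's routed public address to the ASA,
! which NATs it to the web server in the DMZ.
ip route 1.1.1.10 255.255.255.255 192.0.2.2
ip route 2.2.2.10 255.255.255.255 192.0.2.2
!
! Ordinary outbound traffic keeps a single default via ISP1, as in the question.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Classify replies by the public source address the ASA stamped on them
! when it un-NATed the server's response.
ip access-list extended REPLIES-FROM-ISP2-SPACE
 permit ip host 2.2.2.10 any
ip access-list extended REPLIES-FROM-ISP1-SPACE
 permit ip host 1.1.1.10 any
!
! Replies sourced from ISP2 space leave towards ISP2, overriding the default route.
route-map RETURN-PATH permit 10
 match ip address REPLIES-FROM-ISP2-SPACE
 set ip next-hop 2.2.2.1
!
! Replies sourced from ISP1 space leave towards ISP1 (explicit, for symmetry).
route-map RETURN-PATH permit 20
 match ip address REPLIES-FROM-ISP1-SPACE
 set ip next-hop 1.1.1.1
!
! Anything else (outbound connections from the inside) has no set clause,
! so it falls through to the normal routing table and the ISP1 default.
route-map RETURN-PATH permit 30
```

The policy is applied only on the interface facing the ASA, so inbound packets arriving from either ISP are untouched and simply follow the static routes to the ASA; only the return direction is steered. After applying it, the match counters in `show route-map RETURN-PATH` are the quickest check that replies for the ISP2 address are actually hitting sequence 10 rather than falling through to the default route.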
