Skip to main content

TWO ASA5505 and single Interna;Website

More
16 years 9 months ago #28710 by shishirkaneria
Hi
I have a query.
I have two ASA5505 both on different ISP.
ExternalIP 1-ASA5505=20.20.20.2
InternalIP 1-ASA5505=10.10.10.1
ExternalIP 2-ASA5505=30.30.30.2
InternalIP 2-ASA5505=10.10.10.2

THEN a normal --28 Port switch

Then My Webserver 10.10.10.50

I have to run my single internal site from both the external IP of ASA Simulteneouly.

More
16 years 9 months ago #28712 by r0nni3
Place the webserver in a DMZ and make static NAT translations.


static (dmz,outside) tcp externalipaddres www internalipaddress www

you make this rule for every port you want to forward to you webserver.
Also you need to make an access-list on your outside interface to actually allow the traffic from the internet to the server

access-list outside_in permit tcp any externaladdress eq www

again you make this rule for every port/ip you want to forward.

Then you need to bind the access-list to your interface

access-group outside_in in interface outside




Hope this helps,
Ron

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
More
16 years 9 months ago #28718 by Smurf

Place the webserver in a DMZ and make static NAT translations.


static (dmz,outside) tcp externalipaddres www internalipaddress www

you make this rule for every port you want to forward to you webserver.
Also you need to make an access-list on your outside interface to actually allow the traffic from the internet to the server

access-list outside_in permit tcp any externaladdress eq www

again you make this rule for every port/ip you want to forward.

Then you need to bind the access-list to your interface

access-group outside_in in interface outside




Hope this helps,
Ron


Hi Ron,

I'm not convinced this will work. The interesting thing with using two appliances is getting the return traffic back to the correct appliance. I have never tried to get it to work as i no longer do much with with Cisco. The issue here is as follows;

1. The webserver in the DMZ will have its default gateway set to one of the appliances only (for this example, appliance 1)
2. Traffic will come into either appliance from the internet (presumably using DNS Round Robin it will hit appliance 1, then appliance 2, then appliance 1, etc..)
3. If it comes into appliance 1, then the appliance will forward to the webserver using the Static NAT, the packet that hits the webserver still has the PublicIP Address of the sending machine, when the Webserver is sending traffic back, it uses normal routing to hit the appliance 1 (because of the default gateway).
4. If it comes into appliance 2, then the appliance will forward to the webserver using the Static NAT, the packet that hits the webserver still has the PublicIP Address of the sending machine, when the Webserver is sending traffic back, it uses normal routing to hit the applaince 1 (because of the default gateway).

The problem comes into play at point 4. This is because you will see that return traffic gets sent back to Appliance 1 due to the Default Gateway configured on the Webserver. Appliance 1 will not have the NAT translation setup in the XLAT and will therefore drop the traffic.

Anyone know how to get around this ? The only thing i could think would be to NAT the incoming traffic for the SourceAddress also (so it would have to NAT source and destination addresses). The issue with doing this is that the Webserver will see all traffic originating from the Pix Internal Interface.

I now work with WatchGuard Firewalls which have the functionallity of setting up multiple external links to the same firewall, this therefore gets around the issue above and allows for outbound traffic to be balanced across multiple links without the added complexity of routing protocols, etc...

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
16 years 9 months ago #28722 by r0nni3
It will work. You just need a security plus license with dual isp enabled. You dont need 2 ASA's for 2 ISP's.



*edit* im stupid...I entirely read over the fact that he does have 2 ASA's... doh >.<
Im gonna toy around a bit with this setup. I got it to work before but i forgot how...stay tuned :p

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
More
16 years 9 months ago #28735 by Smurf

It will work. You just need a security plus license with dual isp enabled. You dont need 2 ASA's for 2 ISP's.


Blimey, didn't realise they had enabled dual isp support. Shows how out of touch with the Pix/ASA i am these days, lol

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
16 years 9 months ago #28737 by S0lo

The problem comes into play at point 4. This is because you will see that return traffic gets sent back to Appliance 1 due to the Default Gateway configured on the Webserver. Appliance 1 will not have the NAT translation setup in the XLAT and will therefore drop the traffic.


Very well explained Smurf :). The reply traffic will definitely go to only appliance 1 as you said.

So I'm thinking this, assuming the Webserver is windows based. Windows has an option were you can define more than one IP on a single NIC write ? (Advanced button, remember). I'm wondering will this work:

Webserver:
IP1: 10.10.10.50
IP2: 10.10.10.51

Appliance 1:
[code:1]static (inside,outside) 20.20.20.2 10.10.10.50 netmask 255.255.255.255
static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255[/code:1]

Appliance 2:
[code:1]static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255[/code:1]

What I'm saying is, the first static statement for App1 will simply map 20.20.20.2 to 10.10.10.50. The single static statement for App2 maps 30.30.30.2 to 10.10.10.51. Both incoming traffic goes to the same server, thats simple ha?. Now the second static statement for App1 will fool App1 into translating the source address of the nasty reply traffic to have the IP 30.30.30.2 (App2's address).

Thats upto my understanding that static maps work both ways, wither the traffic was initiated outside or inside.

Surely I'm mapping all ip traffic hear which works for all tcp ports (not just port 80), but I'm doing this just for simplicity.

Could it work? or am I out of scope?

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.093 seconds