Dual gateway configuration on ASA 5520

GoogCenter a écrit :

I am not sure if it is possible in the ASA, but usually, on Cisco'router, it can be done with the *route-map* command (specific route applied for packets that match an access-list. Extended access list can select packets by source IP).

You don't, not unless you use Security Contexts and logically seperate networks. PIX / ASA does not have source routing.

The usual way of handling this sort of thing on PIX / ASA is to use "reverse NAT" to translate the incoming -source- addresses into a 10.3.x.x address. The inside server would see the packets with the 10.3.x.x address, and so would reply to that address. The PIX / ASA would see that the most direct route to 10.3.x.x was through the outside2 interface so it would send the packet to that interface. Once at the interface, the reverse NAT would be undone, translating the destination addresses on the packets to the original address/port combination for transmission through outside2.

On PIX / ASA it is legal for an interface to have both source and destination address translation applied to packets.

However -- if you use this approach, then "new connections" that originate at the new server will use the old "outside" interface unless you can construct a static route for those connections that you do not mind applying to the other servers as well. E.g., if the new server is the only machine authorized to construct a DNS server that is to be reached through outside2 then you could construct a general host route via outside2 to that destination. But if there is some resource that new connections from inside are to use "outside" for the old server and "outside2" for the new server, then you are going to have to use Security Contexts, or do the routing further oute from the PIX / ASA.

Hey Walter,

I've always respected your knowledge of the PIX. I've never really been a fan of the PIX, but it's what I have now and I'm wondering if the ASA is worth reconsidering...alas, that's another story. :-)

Could you talk some more about the "reverse NAT" idea? Wouldn't the PIX complain that the 10.3.x.x address was already being NAT'd at the Outside interface? How would I actually configure your example?

Thank you for the advice. I understand now that PBR is not supported on ASA. This is a pity given the cost of the device. If I understand well your technique, this mean I loose the public Ip address on my servers, which is not acceptable for me.

Thanks again,

Olivier

You are correct: if you use source address NAT in order to force the reply packets to go out a particular interface, then the inside servers will see the NAT'd address, not the public address of the client. That is acceptable in some circumstances and not acceptable in others. For example -sometimes- all you care about is having the theoretical capacity to track the public IP of someone abusing a service, and the public IPs can be dug out of the PIX / ASA connection logs if the logging level is 6 (or the appropriate messages are pushed to a higher priority than usual using 'logging message'.) But other times you really want original IPs to the server; in such a case, source NAT would not work and the Cisco method of handling this case with the ASA would be to use Security Contexts.