
I've been tasked with setting up our ASA to allow traffic from two ISPs. Currently, ISP1 is for mail, VPN, Remote Web Workplace (SBS 2003), and internet. My boss would like me to set up the DMZ interface to accept HTTP traffic and direct it to a web server on the inside (like a second outside interface). Eventually, he would like me to move services one by one from ISP1 to ISP2.

From everything I've read, this isn't possible. This would seem to require Policy Based Routing, which the ASA doesn't support. I've found this: https://learningnetwork.cisco.com/docs/DOC-10831. Correct me if I'm wrong, but this seems to allow HTTP(S) connections on ISP2 that originate from inside; it wouldn't work for hosting a web server internally, would it?

Additionally, I've found references to utilizing multiple ISPs, but to do so requires a router on the outside of the ASA, like here: http://www.youtube.com/watch_popup?v=2rVkUIuXEMM&vq=hd720#t=31. As we have no extra routers or layer 3 switches lying about, this option will not work for me either.

Can anybody tell me if this is even possible? If so, could you please point me in the right direction to get started?

Thanks everyone

fourleggedfish

1 Answer

For hosting a web site, what matters is being able to accept HTTP connections coming in to both IP addresses and respond on the correct address. You're right in thinking that the routing workarounds you've found won't help out here; those will help when splitting outbound requests to the different ISPs, but for this purpose, you want responses sent back on the ISP they came in on.

The simplest way to get the external address for both ISPs listening is to get them both NAT'd to the web server, and open up the firewall rules to listen on 80 and 443.

We'll say 2.2.2.2 is the external address on ISP 1, and 3.3.3.3 is the external address on ISP 2; 10.1.1.1 is the web server. The way you'll want to think about it is this:

2.2.2.2 80/443 -> NAT -> 10.1.1.1 80/443
3.3.3.3 80/443 -> NAT -> 10.1.1.1 80/443

This doesn't work. The ASA won't let you double up on a NAT like this. The workaround is to assign a second IP to the web server, 10.1.1.2 (and make sure it's listening for requests on both).

2.2.2.2 80/443 -> NAT -> 10.1.1.1 80/443
3.3.3.3 80/443 -> NAT -> 10.1.1.2 80/443

Then just make sure you've got rules allowing 80 and 443 in to the external address on the new NAT, and you should be good to go.

Shane Madden
  • Thanks for the reply - I'll be setting this up this weekend (off hours, just in case!). I hadn't thought about having Apache listen on multiple IPs. – fourleggedfish Mar 17 '11 at 15:26
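The two-static-NAT layout the answer describes, written out as an ASA configuration fragment. This is an added example, not configuration from the question or the answer. It assumes pre-8.3 (8.2-style) NAT syntax, which matches the era of the question, and assumes the interface names outside (ISP1) and dmz (ISP2, used as the second outside interface); the addresses are the answer's own placeholder values.

```text
! Interface names are assumed: "outside" faces ISP1, "dmz" faces ISP2.
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/2
 nameif dmz
 security-level 0

! One static NAT per ISP, each mapped to its own inside address on the
! web server (10.1.1.1 and 10.1.1.2), as the answer recommends.
static (inside,outside) 2.2.2.2 10.1.1.1 netmask 255.255.255.255
static (inside,dmz)     3.3.3.3 10.1.1.2 netmask 255.255.255.255

! Inbound rules: only 80 and 443 to each public address, nothing else.
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq www
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq https
access-group outside_access_in in interface outside

access-list dmz_access_in extended permit tcp any host 3.3.3.3 eq www
access-list dmz_access_in extended permit tcp any host 3.3.3.3 eq https
access-group dmz_access_in in interface dmz
```

On the web server side, Apache needs a Listen directive for each inside address (Listen 10.1.1.1:80 and Listen 10.1.1.2:80, and likewise for 443) so that requests arriving via either NAT are answered. After applying the ASA lines, "show xlate" should display both static translations, and "show conn" will show each HTTP connection tied to the interface it arrived on, which is how the reply leaves by the same ISP.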