
Interesting problem with PIX, ASA and 2 Internet

Hello dear forum users :)

I will try to share with you my problem, the solution of which I need to find.

So let's get started:
In some organization, the following Internet access scheme has been built.

image

Users in segment 12 access the Internet via GW1 and GW2, where NAT is configured and a so-called DMZ is implemented, the point of which is that connections to computers in segment 12 cannot be established from segment 77.

The PIX, in turn, NATs the IP addresses of GW1 and GW2. For the web server in the DMZ, a port is forwarded on the PIX, and the web server has a single default gateway, 192.168.77.254.



Now the task has come up to connect a second Internet channel, and an ASA 5505 was purchased for this. So far I see the following implementation of the scheme:

image

BUT! With this implementation, the following problem occurs:

Imagine that both Internet channels are working. Imagine that the web server has two gateway IPs (PIX and ASA), because reliability is required: if one of the providers fails, the web server must remain visible from the Internet. The problem I see is this: for example, a request to the web server is initiated from the outside to the address 213.xxx, the server receives the request and prepares a response, and here is the most important part: which gateway will it send the response to? The PIX or the ASA? After all, it does not know which gateway the packet came through from the Internet, since the packet carries the real IP address of the client, for example 12.34.45.67! And if it sends the response through a gateway other than the one the request came through, its IP will be changed on the way out and the connection, as I understand it, will not be established.

How can I solve this problem? If it helps, there is also a 2811 router gathering dust in the arsenal... It would be nice not just to have the Internet channels back each other up, but to do so-called load balancing so that they are used evenly, and if one of them goes down, all traffic would automatically go through the one that is still available.

Source: https://habr.com/ru/post/78032/

