Pepwave Balance 20, Block of Static IPs and a Cisco ASA 5505


#1

After hours of tinkering and sifting through the forums I am afraid I already know the answer but I thought I would ask anyways in case anyone has any suggestions.

I have a Pepwave Balance 20 that I intended to use as a failover option, not a load balancing solution.

I currently have a CenturyLink DSL modem and a block of 8 statics. It is currently configured with static routes for my block of static IPs and my inside network, pointing to my outside interface on my Cisco ASA 5505.

I put my CenturyLink modem in Transparent Bridged mode and set up WAN 1 on the Pepwave as a PPPoE connection successfully. I set up the static routes in the LAN settings on the Pepwave similarly to those that were on the CenturyLink modem previously. With those settings I am able to get out to the internet on the machines that are DHCP on my network, but the computers that are using the statics from the ISP can’t ping the ISP DNS servers and therefore can’t resolve anything outside of the local network. I’ve tried IP forwarding, which kills the internet on everything, NAT mapping and combinations of static routes on the Pepwave LAN settings, but I can’t get my ISP static IPs to work, other than the one that is assigned to the Pepwave device by the PPPoE connection.

I know that drop-in mode would work but I don’t have the Balance 210, so this isn’t an option. I know that the external IPs are reaching the outside interface of my Cisco ASA so they aren’t being translated properly by the Pepwave. Anyone have any ideas?

I even tried leaving my CenturyLink modem as the primary modem and putting WAN 1 on the 192.168.2.X subnet, hoping I could somehow redirect all of the public static IP traffic using IP forwarding but that didn’t work either.

Inside network: 192.168.1.0 255.255.255.0
Outside interface (Cisco ASA 5505): 192.168.2.2
Outside (including Pepwave) Network: 192.168.2.0 255.255.255.0
ISP static IPs: 70.X.X.48 255.255.255.248
Pepwave IP: 192.168.2.3

Static Routes on Pepwave LAN:
Destination Subnet Gateway
192.168.1.0 255.255.255.0 192.168.2.2
70.X.X.48 255.255.255.248 192.168.2.2

Cisco outside route:
route outside 0.0.0.0 0.0.0.0 192.168.2.3 1

Thanks in advance


#2

To achieve this you will need to do the following:

  1. Keep the modem in bridged mode with the PPPoE connection on WAN1 of the Balance.

  2. Configure the additional public IP addresses on the WAN1 interface.

  3. If you have 1-1 NAT mappings on your ASA for the computers to use unique outside IP addresses, simply do 1-1 NAT maps using the additional public IPs to the external IP addresses on the ASA.

  4. Next you can control how this traffic is routed with outbound policy rules in the Balance.


#3

I configured the Balance 20 with PPPoE on WAN1, configured the public IP addresses in WAN1’s settings and set up 1-1 NAT on the BALANCE (I think that’s what you meant to say in step 3 of your reply). I had to erase the Static commands on the ASA because the Balance didn’t know what to do with them when it saw them coming from the inside. I was using Statics on the ASA and not NAT, which makes the traffic from the inside interface appear to be the public IP address from the outside.

With this configuration I was able to get internet traffic to pass on the PCs that had statics configured originally, but even though I set up both the inbound and outbound mappings of the NAT on the Balance to reflect the public IP, it appears that it is not translating the internal IP into the public IP that I need. Do I need to have IP Forwarding enabled for it to recognize my internal IPs? In other words, my internal subnet is 192.168.1.0/24 but the outside interface (along with the Balance) subnet is 192.168.2.0/24. I have syslog running for my ASA, so I can see what’s happening on this end, but I can’t tell what is happening on the Balance because the logging only appears to log WAN status changes.

Here is the example of the path from my Exchange server to the outside world:

Original Cisco ASA route: static (inside,outside) 70.x.x.50 192.168.1.200 netmask 255.255.255.255
Replaced Route with Balance NAT: LAN Client - 192.168.1.200 Inbound Mapping - (WAN1)70.x.x.50 Outbound Mapping - (WAN1)70.x.x.50

But when I pull up a browser on 192.168.1.200 and go to whatismyip.com I get 70.x.x.54, which is the public address of WAN1 assigned by DHCP from the PPPoE connection.

By its name and brief description in the manual I would assume that IP forwarding was what I wanted, but it obviously doesn’t work the way I would imagine, because even when I have PCs that masquerade as the public IP internally via Static routing with the ISP DNS servers statically assigned, it is getting lost somewhere between the outside interface of the ASA and WAN1 on the Balance.

I’m probably making this more difficult than it has to be but I’m running into a brick wall no matter how I configure things.


#4

I really think you need drop-in mode to accomplish what you are trying to do, and as you know this is not available on the Balance 20.

In your current implementation, the Cisco ASA will have no knowledge whatsoever of the 70.x.x.x network because those IPs are being NAT’d on the Peplink.

I think I understand what you are trying to do, and that is to have your Exchange server traffic bound to one of your public IPs. You can accomplish this but you will need to create two 1-1 NAT mappings, one on the Peplink and one on the ASA. On the Peplink you will create a mapping of 70.x.x.x to 192.168.2.4 and then on the ASA you will create a mapping of 192.168.2.4 to 192.168.1.200.

Hope this helps…


#5

Using NAT on the inside PCs to the outside interface and Balance subnet and then using NAT in the Balance to redirect the inbound and outbound traffic with the public IPs did the trick. While this isn’t the cleanest setup, it definitely works and keeps $1k in my pocket. Just in case anyone is referencing this for their own personal benefit, the other missing piece of the puzzle I figured out yesterday was adding a static route from the Balance to the outside interface for the 192.168.x subnet. Everything makes perfect sense after the fact, but sometimes you have to go through a lot of doors before you get it right.

Thanks again for your help. I’ll probably be back here when I buy the 305 to install at my office. Although I’ll be able to use drop-in with that one.
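
The two-stage 1-1 NAT chain from posts #4 and #5, as an added illustration (not written by any poster in this thread, and not Peplink or Cisco code): a small Python model that traces the source address through both hops and audits the Balance mappings. It assumes the ASA hides unmapped inside hosts behind its outside interface address; the function names are hypothetical and the 70.x.x.* values stay elided as in the thread.

```python
import ipaddress

# Values from the thread; the 70.x.x.* octets are elided there and stay elided here.
TRANSIT_NET = ipaddress.ip_network("192.168.2.0/24")  # ASA outside / Balance LAN
ASA_OUTSIDE_IF = "192.168.2.2"  # assumption: ASA hides unmapped hosts behind this
WAN1_PPPOE_IP = "70.x.x.54"     # address WAN1 received over PPPoE

def hop_out(src, one_to_one, hide_addr):
    """Source after one NAT hop: the 1-1 mapping if one matches, else the hide address."""
    return one_to_one.get(src, hide_addr)

def egress_source(host, asa_map, balance_map):
    """Public source address the internet sees for an inside host."""
    after_asa = hop_out(host, asa_map, ASA_OUTSIDE_IF)
    return hop_out(after_asa, balance_map, WAN1_PPPOE_IP)

def ingress_destination(public_ip, asa_map, balance_map):
    """Inside host a chained mapping delivers public_ip to, or None if the chain is broken."""
    to_transit = {pub: priv for priv, pub in balance_map.items()}
    to_inside = {pub: priv for priv, pub in asa_map.items()}
    return to_inside.get(to_transit.get(public_ip))

def audit(asa_map, balance_map):
    """List Balance 1-1 entries that cannot match the source the ASA actually sends."""
    asa_outputs = set(asa_map.values())
    problems = []
    for lan_client, public_ip in balance_map.items():
        if ipaddress.ip_address(lan_client) not in TRANSIT_NET:
            problems.append(f"{lan_client} -> {public_ip}: LAN client is not on {TRANSIT_NET}")
        elif lan_client not in asa_outputs:
            problems.append(f"{lan_client} -> {public_ip}: no ASA mapping produces {lan_client}")
    return problems

# Post #3 attempt: the Balance maps the inside address directly, the ASA has no static.
ATTEMPT = {"asa_map": {}, "balance_map": {"192.168.1.200": "70.x.x.50"}}
# Post #4 advice: chain two mappings through a transit address on 192.168.2.0/24.
CHAINED = {"asa_map": {"192.168.1.200": "192.168.2.4"},
           "balance_map": {"192.168.2.4": "70.x.x.50"}}

if __name__ == "__main__":
    for name, cfg in (("attempt", ATTEMPT), ("chained", CHAINED)):
        print(name, "egress:", egress_source("192.168.1.200", **cfg), "audit:", audit(**cfg))
    print("inbound 70.x.x.50 ->", ingress_destination("70.x.x.50", **CHAINED))
```

Under the stated assumption, the post #3 mapping never matches because the Balance only ever sees 192.168.2.x sources, so traffic leaves with the WAN1 PPPoE address, which is the symptom reported there.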