topic Re: NAT issue with IPSEC Failover in Network Security

NAT issue with IPSEC Failover

NETAD — Fri, 21 Feb 2020 15:02:11 GMT

Hello, how can I get the static nat statements to dynamically shift when an IPsec tunnel is down and let the ASA not use it?

Re: NAT issue with IPSEC Failover

Marvin Rhoads — Wed, 27 Dec 2017 16:27:12 GMT

They won't dynamically shift.

Generally speaking static NAT statements would implement NAT exemption for VPN tunnels. If the tunnel is down (either its primary peer address or a backup) then you should not be able to reach the remote networks. So the fact that the original NAT statement is still applied is moot.

If you're using it differently, please explain and perhaps we can offer a more precise explanation.

Re: NAT issue with IPSEC Failover

NETAD — Wed, 27 Dec 2017 16:37:57 GMT

so here's the nat statements. The ASA is directly connected to the mpls and internet circuit. When the mpls circuit goes down(tracked by IP SLA and Tracking), the ASA uses its default route to create an ipsec tunnel over the internet circuit but the first nat statement keep getting hit and so the tunnel won't get established.

nat (Inside,Mpls) source static LOCAL LOCAL destination static REMOTE REMOTE
nat (Inside,Outside) source static LOCAL LOCAL destination static REMOTE REMOTE

Re: NAT issue with IPSEC Failover

Marvin Rhoads — Thu, 28 Dec 2017 05:10:43 GMT

The way you have it should work if your routing and the tracking is all correctly in place.

Have you confirmed that the path to the remote subnets is using the default route? If it is, and when that default flips to the alternate path, routing in the ASA should tell it to use the alternate egress interface and thus the alternate NAT statement would be in effect.

I’ve setup several using that logic and they work just fine.

Re: NAT issue with IPSEC Failover

NETAD — Thu, 28 Dec 2017 06:27:40 GMT

Yes routing is getting updated once the tracking is down but for some reason not the NAT. Isn’t NAT processed first before routing on a ASA? On a side note, I am doing thing on ASAv before applying the config to my client’s ASA. Would it behave differently on a virtual appliance?

Re: NAT issue with IPSEC Failover

Marvin Rhoads — Thu, 28 Dec 2017 06:38:06 GMT

While NAT is, in general, processed before routing there is a partial routing step to lookup the destination interface when checking the NAT rule.

This is should be the same on ASAv as on a physical appliance.

Re: NAT issue with IPSEC Failover

Marius Gunnerud — Thu, 28 Dec 2017 07:28:47 GMT

try adding the route-lookup keyword to the end of your NAT statements. This will force the NAT statements to follow the routing table and not override the routing table.

Re: NAT issue with IPSEC Failover

Marvin Rhoads — Thu, 28 Dec 2017 08:00:57 GMT

That's a good suggestion Marius. I agree.

Re: NAT issue with IPSEC Failover

NETAD — Thu, 28 Dec 2017 14:35:11 GMT

Worked like magic!! Thanks Marius.