topic NATing for outside & backup but only to specific destinations in asa911-k8 in Network Security

NATing for outside & backup but only to specific destinations in asa911-k8

Dean Romanelli — Tue, 12 Mar 2019 07:31:19 GMT

Hi All,

Having a very frustrating problem that would be easy if this was 8.2, but it is 9.1, and was hoping to get some assistance. So I have a site that has an ASA 5505 running code asa911-k8. The site has two ISP lines; One for outside, one for backup. We VPN all site traffic back to our data center for centralized internet services, except for VOIP, which we allow to break out locally at the site. So since our data center ultimately delivers the site it's internet service over the VPN, We do not NAT on the branch ASA except for the LAN-to-VOIP flow. Originally I had the following configured:

object-group network VOIP
network-object 194.xx.xx.0 255.255.255.0
network-object 194.xx.xx.0 255.255.255.0
network-object 63.xxx.xx.0 255.255.255.0
network-object 8.x.xxx.0 255.255.255.0
network-object 8.xx.x.0 255.255.252.0

nat (inside,outside) source dynamic any interface destination static VOIP VOIP
nat (inside,backup) source dynamic any interface destination static VOIP VOIP

However, since 8.3+ changed everything, the above is now evaluated like an access-list. So while the connection is on the primary (outside), this works fine, but when the backup connection is active, the phones don't work, because the first nat (inside,outside) line above always matches for this flow, whether outside is down or not. I have to manually remove the inside,outside nat statement so that the inside,backup line appears first in the list to restore VOIP services while the site is on backup circuit.

How can I configure two NAT statements for only the flow from LAN to VOIP provider so that outside and backup will work without the need to manually remove the inside,outside NAT line every time there is an ISP failure and the site switches to backup circuit?

Hi Dean,

Aditya Ganjoo — Mon, 21 Mar 2016 12:59:23 GMT

Hi Dean,

Could you please add route-lookup keyword on both the NAT statements and then test ?

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Dean Romanelli — Mon, 21 Mar 2016 22:29:52 GMT

Hi Aditya,

Thanks for replying. It looks like I don't have that command available to me. Please see below:

FW14FortWayne-SH5505(config)# $ nat (inside,outside) source dynamic any interface destination static VOIP VOIP ?

configure mode commands/options:
description Specify NAT rule description
inactive Disable a NAT rule
net-to-net Net to net mapping of IPv4 to IPv6
service NAT service parameters
<cr>

It appears to be the "dynamic

Dean Romanelli — Tue, 22 Mar 2016 13:21:03 GMT

It appears to be the "dynamic" keyword that is preventing me from using the "route-lookup" command. If I change that to static, I am able to use the route-lookup command. However, I don't know what kind of behavior will be seen for the phones if I change that.

FW14FtWayne-SH5505(config)# nat (inside,outside) source static any interface destination static VOIP VOIP ?

configure mode commands/options:
description Specify NAT rule description
inactive Disable a NAT rule
net-to-net Net to net mapping of IPv4 to IPv6
no-proxy-arp Disable proxy ARP on egress interface
route-lookup Perform route lookup for this rule
service NAT service parameters
unidirectional Enable per-session NAT

What if I create an object group specifying my LAN subnet and use that instead of "any" in the source? Would that allow me to use the static keyword in the source successfully and ultimately allow the use of route-lookup? Or would "interface" also need to be changed to a static external address in the NAT statement?

How about

Peter Koltl — Fri, 25 Mar 2016 06:56:24 GMT

How about

nat (inside,any) ...

Hi Dean,

Aditya Ganjoo — Fri, 25 Mar 2016 09:47:05 GMT

Hi Dean,

Can you share the output of show run route ?

Also are we using any IP SLA to track the interfaces ?

Regards.

Aditya

Please rate helpful posts.

Success, Dean?

Peter Koltl — Tue, 12 Apr 2016 21:00:32 GMT

Success, Dean?

Hi All,

Dean Romanelli — Thu, 04 Aug 2016 18:03:13 GMT

Hi All,

Sorry so late. inside,any appears to work, as long as the route lookup will be performed by default even though I cannot specify it via the command.

Actually, I take that back.

Dean Romanelli — Thu, 04 Aug 2016 19:28:16 GMT

Actually, I take that back. Trying "any" I get the following:

ciscoasa(config-network-object)# nat (any,any) after-auto source static ALL-VO$
ERROR: "interface" keyword is not allowed when translated interface is any