Dynamic Policy PAT Issue

CSCO11789983 — Tue, 12 Mar 2019 06:51:01 GMT

Guys, I'm having an issue with a configuration and need your help solving it, maybe even a whole new point of view. I need to create a VPN back to one data provider and basically I have to PAT a whole subnet behind a public ip different from the (ASA 5512X 9.1.6) interface. We have two ISP providers locally, using a simple track feature we failover between the primary ("outside" interface) and the secondary ("backup" interface). We are using next config:

object network SOURCE_SUBNET
subnet 192.168.1.0 255.255.255.0

object network DESTINATION_SUBNET
subnet 10.10.10.10 255.255.255.0

object network PRIMARY_PUBLIC_IP
host 1.1.1.1
object network SECONDARY_PUBLIC_IP
host 2.2.2.2

access-list outside_cryptomap_1 extended permit ip PRIMARY_PUBLIC_IP DESTINATION_SUBNET
access-list backup_cryptomap_1 extended permit ip SECONDARY_PUBLIC_IP DESTINATION_SUBNET

nat (inside,outside) source dynamic SOURCE_SUBNET PRIMARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET
nat (inside,backup) source dynamic SOURCE_SUBNET SECONDARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET

The normal traffic going under normal conditions through the primary ISP has no problems. The real issue here is when we failover to the secondary ISP, the traffic is still diverted to the outside interface, mainly I guess, because of the NAT kind of "ACL match type" for sections 1 and 3, the first matched statement is pointing (inside,outside). If I invert the order of the statements the VPN goes up on the secondary without any problems.

Now, if I use (inside,any) I force the route lookup, the traffic is correctely diverted to the actual used interface, but the PAT itself is still being pointed to the primary public ip.

Thanks in advance!

Hi there,

Akshay Rastogi — Tue, 10 Nov 2015 09:24:15 GMT

Hi there,

Yes, you are facing the expected situation. However there is a feature eem scripts which has been added from version 9..2.1(upgrade the ASA). It removes the first statement from the configuration once your premiary link goes down in SLA. It does this by tracking one specific syslog id. Go through the link below :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html

Hope it helps.

Regards,

Akshay Rastogi

Remember to mark the answer as correct if it answers your query or rate the helpful posts.

Hi Akshay, thanks for the

CSCO11789983 — Tue, 10 Nov 2015 20:04:21 GMT

Hi Akshay, thanks for the heads up, I will try this!

topic Hi there, in Network Security

Dynamic Policy PAT Issue

Hi there,

Hi Akshay, thanks for the