topic A few days turned into 9 in Network Security

Dynamic NAT rules for backup ISP circuit

Paul Monteith — Tue, 12 Mar 2019 03:51:42 GMT

I need to configure a backup circuit using IP SLA, routes with metrics, static nat rules for VPNS and so on, and that all makes perfect sense.

I am however stuck on how I setup the dynamic NAT rules so that traffic from internal to Internet is natted to the backup ISP public IP addresses in the event of primary circuit outage.

The dynamic NAT rules are as follows:

object network XXX-CORP

nat (CORP_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-WIFI

nat (WIFI_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-PROD

nat (PROD_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-DMZ

nat (DMZ_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-OPS

nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

I am guessing there is a way to add something like:

object network XXX-OPS

nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

nat (OPS_RANGE,SECONDARY_ISP) dynamic 19x.1xx.3x.1xx secondary

Thanks in advance, and of course I will provide more info if required.

Dentist

Dynamic NAT rules for backup ISP circuit

Jouni Forss — Sun, 02 Mar 2014 17:05:27 GMT

Hi,

You essentially just add a new Dynamic PAT rule for each of the required local network towards the second ISP

The Routing and SLA configurations handle which interface and which Dynamic PAT is used.

Notice that you can not configure 2 "nat" configurations under a single "object". You will simply need to make 2 Dynamic PAT configurations for each of your internal networks.

You can naturally configure a single Dynamic PAT rule per ISP per ALL internal networks with the below configuration format

object-group network ISP1-PAT-SOURCE

network-object

nat (any,isp1) after-auto source dynamic ISP1-PAT-SOURCE interface

object-group network ISP2-PAT-SOURCE

network-object

nat (any,isp2) after-auto source dynamic ISP2-PAT-SOURCE interface

So looking at the above configuraitons you could simply configure all the internal networks under an "object-group" and then use that "object-group" in a "nat" configurations to do Dynamic PAT for all your internal networks towards one ISP. You could create the same type of configurations for the other ISP also.

And as I said before you can also simply configure Dynamic PAT with Auto NAT / Network Object NAT for each of the internal networks separately

For example

object network WIFI-ISP2-PAT

subnet

nat (WIFI_RANGE,SECONDARY_ISP) dynamic interface (or IP)

Hope this helps

Let me know how it goes.

- Jouni

Dynamic NAT rules for backup ISP circuit

Paul Monteith — Mon, 03 Mar 2014 17:02:26 GMT

Hi Jouni

Thanks for your answer, I had come to a similar conclusion with the after-auto after reading another of your threads but as yet I have not tested it. I will do in the next few days and will then update you.

Regards,

Paul

A few days turned into 9

Paul Monteith — Wed, 10 Dec 2014 07:15:32 GMT

A few days turned into 9 months but got there in the end.

WAN failover (when using multiple NAT rules and VPN Tunnels) only works properly on ASA5512x and higher when using version 9.2(1) that supports event manager. configure a tracked route, SLA and Event manager actions that remove and add config when triggered.

Thanks

Dentist55