ASA NAT external IP to 2 internal IPs in failover mode

I have a server in our DMZ that is currently NATed to an external IP. Everything works fine.

We need to add a second server in passive failover mode in the DMZ.

If the currently NATed server fails, the second one takes over, but has a different IP address. Is there a way to track if node 1 is no longer there and update the NAT rule to point to node 2? This is on an ASA 5520 box.



To my understanding you won't be able to do static NAT, at least from one public IP to two local IP addresses.

If the only concern was outbound connections then you could naturally PAT them to the same IP address.

I don't think this can be done with the ASA. I imagine the servers should be visible from the same IP address even if it failed over (just like the ASA failover) so that there would be no need for the ASA to react to the failover of the servers.

At the moment at least I can't see a way to do this on the ASA.

- Jouni


I know I can't NAT this way simultaneously, it's more of a way to track and switch settings on the fly if need be that I'm looking at... I wish the application was smarter and allowed a "cluster" IP or that the failover would take over the failed node's IP but no...


The ASA can only manipulate its own routing table according to the SLA/track configuration to my understanding.

I don't know of a way to tie any SLA operation to removing/disabling a NAT configuration.

I heard that the ASA might be getting the possibility to create scripts, the same way you can on Cisco routers for example. I would imagine this might give some possibilities, since on Cisco routers for example you can monitor for a certain log message and issue commands on the basis of it. (The device itself does this through the script.)

At the same time I have to say I have not built any such scripts myself so I am not the correct person to comment on what you can actually do with them.

But I am not sure when they are even going to release this functionality on the ASA, or what it can actually do or be made to do.

We had one bug situation worked around on a 3G router with such a script. We had to have the script shutdown and no shutdown the interface right during the boot (or rather right after it), triggered by one log message during boot, and this enabled the Cellular interface correctly. Otherwise it didn't work because of a bug.

I would imagine such a possibility would let you use SLA to track a server IP address on the ASA, and when the server is not reachable anymore you might be able to have the ASA remove a NAT configuration and enter a new one for the other server.

I am really hoping this scripting is coming to ASA.

- Jouni
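Since the thread concludes that the ASA cannot tie an SLA track to a NAT rule, the remaining option is to do the tracking from a host that can push configuration to the ASA. The following is an added example (not code from the thread or from Cisco): a small watchdog that probes node 1 and, after a run of consecutive failures, produces the ASA CLI lines that move the static NAT to node 2, then moves it back once node 1 has been healthy for a longer run. The public IP, the DMZ addresses, the object names `node1`/`node2`, the interface names and the ASA 8.3+ object-NAT syntax are all assumptions for the illustration; actually delivering the lines to the ASA (for instance over SSH from a management host) is outside the snippet.

```python
"""Watchdog that generates ASA NAT failover commands (added example, not from the thread).

Decision logic is separated from the probe and from the transport so it can be
replayed against a constructed probe history. All addresses/names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import socket

PUBLIC_IP = "203.0.113.10"        # assumed external IP the service is NATed to
NODES = {"node1": "10.1.1.10",     # assumed DMZ address of the active server
         "node2": "10.1.1.11"}     # assumed DMZ address of the passive server
IFACES = ("dmz", "outside")        # assumed ASA interface names


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real health check: a TCP connect to the service port (better than ICMP,
    which says nothing about the application). Not exercised by the test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def nat_swap_commands(old: str, new: str) -> List[str]:
    """ASA 8.3+ object NAT: detach the static translation from the old network
    object and attach it to the new one. Both objects are assumed to exist."""
    return [
        f"object network {old}",
        f" no nat ({IFACES[0]},{IFACES[1]}) static {PUBLIC_IP}",
        f"object network {new}",
        f" nat ({IFACES[0]},{IFACES[1]}) static {PUBLIC_IP}",
        "write memory",
    ]


@dataclass
class NatFailover:
    """Hysteresis: fail over on N consecutive failures, fail back on M consecutive
    successes, so a single lost probe never flips the NAT rule."""
    fail_threshold: int = 3
    recover_threshold: int = 5
    active: str = "node1"
    _fails: int = 0
    _oks: int = 0

    def observe(self, node1_up: bool) -> Optional[List[str]]:
        """Feed one probe result for node 1; return ASA commands when a swap is due."""
        if node1_up:
            self._fails = 0
            self._oks += 1
            if self.active == "node2" and self._oks >= self.recover_threshold:
                self.active = "node1"
                self._oks = 0
                return nat_swap_commands("node2", "node1")
        else:
            self._oks = 0
            self._fails += 1
            if self.active == "node1" and self._fails >= self.fail_threshold:
                self.active = "node2"
                self._fails = 0
                return nat_swap_commands("node1", "node2")
        return None


def run(probes: Iterable[bool], fo: Optional[NatFailover] = None) -> List[List[str]]:
    """Replay a sequence of probe results and collect every command batch emitted."""
    fo = fo or NatFailover()
    batches: List[List[str]] = []
    for up in probes:
        cmds = fo.observe(up)
        if cmds:
            batches.append(cmds)
    return batches


if __name__ == "__main__":
    # Constructed probe history: node 1 healthy, then down for a while, then back.
    # In production this would be: fo.observe(tcp_probe(NODES["node1"], 443)) on a timer.
    history = [True, True, False, False, False, False, True, True, True, True, True]
    for batch in run(history):
        print("\n".join(batch), end="\n\n")
```

Two points worth keeping in mind if this is deployed: probe the actual service port from a vantage point that reaches the DMZ the same way the ASA does, and keep the recover threshold higher than the fail threshold so a half-alive node 1 does not bounce the translation back and forth. The account used to push the commands only needs the four NAT lines plus `write memory`, which is an argument for a dedicated, tightly scoped ASA user rather than an enable-15 credential sitting in a script.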