02-28-2014 07:02 AM - edited 03-11-2019 08:51 PM
Hi
I need to configure a backup circuit using IP SLA, routes with metrics, static NAT rules for VPNs and so on, and that all makes perfect sense.
I am however stuck on how I set up the dynamic NAT rules so that traffic from internal to the Internet is NATed to the backup ISP's public IP addresses in the event of a primary circuit outage.
The dynamic NAT rules are as follows:
object network XXX-CORP
nat (CORP_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-WIFI
nat (WIFI_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-PROD
nat (PROD_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-DMZ
nat (DMZ_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-OPS
nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
I am guessing there is a way to add something like:
object network XXX-OPS
nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
nat (OPS_RANGE,SECONDARY_ISP) dynamic 19x.1xx.3x.1xx secondary
Thanks in advance, and of course I will provide more info if required.
Dentist
03-02-2014 09:05 AM
Hi,
You essentially just add a new Dynamic PAT rule for each of the required local networks towards the second ISP.
The routing and SLA configurations handle which interface and which Dynamic PAT rule is used.
Notice that you cannot configure two "nat" configurations under a single "object". You will simply need to make two Dynamic PAT configurations for each of your internal networks.
You can naturally configure a single Dynamic PAT rule per ISP covering all internal networks with the below configuration format:
object-group network ISP1-PAT-SOURCE
network-object
network-object
network-object
nat (any,isp1) after-auto source dynamic ISP1-PAT-SOURCE interface
object-group network ISP2-PAT-SOURCE
network-object
network-object
network-object
nat (any,isp2) after-auto source dynamic ISP2-PAT-SOURCE interface
So looking at the above configurations, you could simply configure all the internal networks under an "object-group" and then use that "object-group" in a "nat" configuration to do Dynamic PAT for all your internal networks towards one ISP. You could create the same type of configuration for the other ISP as well.
And as I said before, you can also simply configure Dynamic PAT with Auto NAT / Network Object NAT for each of the internal networks separately.
For example
object network WIFI-ISP2-PAT
subnet
nat (WIFI_RANGE,SECONDARY_ISP) dynamic interface (or IP)
Hope this helps
Let me know how it goes.
- Jouni
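A complete version of the two-ISP layout described in the reply above, as an added example that is not part of the original thread. The interface names PRIMARY_ISP and SECONDARY_ISP and the *_RANGE names come from the thread; the internal subnets (10.1.x.0/24), the ISP gateway addresses (203.0.113.1 and 198.51.100.1, documentation ranges), the probe target (the primary gateway itself), the SLA timers and the object-group name are assumptions for illustration and need to be replaced with real values.

```cisco
! Addresses, timers and object names below are assumed for illustration.
!
! --- Failure detection: ICMP probe to the primary gateway, sent out PRIMARY_ISP ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface PRIMARY_ISP
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! --- Default routes: the primary route is withdrawn while track 1 is down,
!     which leaves only the higher-metric route via SECONDARY_ISP ---
route PRIMARY_ISP 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route SECONDARY_ISP 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Internal networks, defined once and reused by both PAT rules
!     (CORP, WIFI, PROD, DMZ, OPS ranges; subnets assumed) ---
object-group network INTERNAL-PAT-SOURCE
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
 network-object 10.1.30.0 255.255.255.0
 network-object 10.1.40.0 255.255.255.0
 network-object 10.1.50.0 255.255.255.0
!
! --- One after-auto (section 3) Dynamic PAT rule per ISP interface.
!     Both rules stay in the configuration at all times; the route lookup
!     chooses the egress interface, and only the rule whose mapped
!     interface matches that egress interface is applied to a new flow ---
nat (any,PRIMARY_ISP) after-auto source dynamic INTERNAL-PAT-SOURCE interface
nat (any,SECONDARY_ISP) after-auto source dynamic INTERNAL-PAT-SOURCE interface
```

If the mapped address must be a specific public IP rather than the interface address (as in the original object NAT rules), replace `interface` with a host network object holding that address. To check the setup, use `show track 1` and `show route` to confirm which default route is active, `show nat` to see which PAT rule is accumulating hits, and `show xlate` after a failover. One caveat worth testing: translations and connections that were built before the failover remain bound to the interface they were created on until they time out, so new sessions use the secondary ISP immediately while existing ones may not.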
03-03-2014 09:02 AM
Hi Jouni
Thanks for your answer. I had come to a similar conclusion with the after-auto after reading another of your threads, but as yet I have not tested it. I will do so in the next few days and will then update you.
Regards,
Paul
12-09-2014 11:15 PM
A few days turned into 9 months, but I got there in the end.
WAN failover (when using multiple NAT rules and VPN tunnels) only works properly on the ASA 5512-X and higher when using version 9.2(1), which supports Event Manager. Configure a tracked route, an SLA and Event Manager actions that remove and add config when triggered.
Thanks
Dentist55
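An Event Manager applet of the kind the post above refers to, as an added example that is not part of the original thread. It assumes the `track 1` / tracked default route setup from earlier in the thread and an ASA running 9.2(1) or later; the applet name and the choice of `clear xlate` as the triggered action are assumptions for illustration. The trigger used here is syslog 622001, which the ASA logs when a tracked route is removed from or restored to the routing table.

```cisco
! Applet name and action are assumed for illustration.
!
! Syslog 622001 is generated both when the tracked route is removed and
! when it is reinstated, so this applet fires on every transition in
! either direction. The action is therefore chosen to be safe to run on
! both failover and recovery: flushing translations forces existing flows
! to be re-evaluated against the routing table and the matching PAT rule,
! instead of staying pinned to the interface they were created on.
event manager applet ISP-FAILOVER
 description Flush translations when the tracked default route changes
 event syslog id 622001
 action 1 cli command "clear xlate"
 output none
!
! The applet only runs if the message is actually generated, so logging
! must be enabled and message 622001 must not have been suppressed with
! "no logging message 622001".
logging enable
```

The "remove and add config" actions the post mentions (for example static NAT or crypto configuration that has to differ per ISP) go in as further `action n cli command "..."` lines. Because a single message ID covers both the failure and the recovery transition, the ASA cannot distinguish the two by syslog ID alone, so any per-direction change has to be written so that applying it on the wrong transition is harmless, and the resulting state should be confirmed with `show track 1` and `show nat` after each test failover. Test the applet by shutting the primary circuit deliberately rather than waiting for a real outage: `show event manager` (assumed to be available on 9.2(1) and later) reports whether the applet has fired.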