Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1271
Views
0
Helpful
8
Replies

ASA 5505 WAN failover with NAT'ed and UnNAT'ed interfaces

atetu0488
Level 1
Level 1

‎06-05-2018 02:45 PM - edited ‎02-21-2020 07:51 AM

Hi all,

 

I have an ASA 5505 in my lab where I am trying to enable an IP SLA WAN failover between the primary ISP interface which is a NAT'ed interface and a failover interface that connects to another router that performs the NAT. Can you take a look at my config and let me know if I am missing anything?  Thanks

 

interface Vlan1
nameif inside
security-level 100
ip address 172.16.125.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.172.144.148 255.255.255.248
!
interface Vlan150
nameif failover
security-level 100
ip address 172.16.150.2 255.255.255.252

 

access-list no-nat-failover extended permit ip 172.16.125.0 255.255.255.0 any
access-list failover-acl extended permit ip any any

 

global (outside) 1 interface
nat (inside) 1 172.16.125.0 255.255.255.0
nat (failover) 0 access-list no-nat-failover
access-group inside-in in interface inside
access-group inside_access_out out interface inside
access-group failover-acl in interface failover

 

route outside 0.0.0.0 0.0.0.0 24.172.144.145 1 track 100
route failover 0.0.0.0 0.0.0.0 172.16.150.1 150

 

sla monitor 100
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 1000
threshold 5
frequency 15
sla monitor schedule 100 life forever start-time now

track 100 rtr 100 reachability

 

Labels:
0 Helpful
8 Replies 8

Bogdan Nita
VIP Alumni
VIP Alumni

‎06-06-2018 02:41 AM

Config looks ok to me. Did you test it and it's not working?

Here is a config guide for redundant links on 9.x asa:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

HTH

Bogdan

0 Helpful

atetu0488
Level 1
Level 1
In response to Bogdan Nita

‎06-06-2018 06:00 AM

Hi Bogdan,

 

Thanks for your reply. My first issue is that I have a server on the LAN and I cannot ping the ASA fail-over interface or the router that connects to the ASA. I ran two packet captures and I am only seeing traffic from the server on the inside interface and not the fail-over interface. 

 

Lab Server - 172.16.125.100

ASA inside - 172.16.125.254

ASA failover - 172.16.150.2

Failover router - 172.16.150.1

 

dct-lab-asa5505(config)# capture lab-capture interface failover match ip host 172.16.125.100 any
dct-lab-asa5505(config)# sh capture lab-capture
0 packet captured

dct-lab-asa5505(config)# capture lab-capture2 interface inside match ip host 172.16.125.100 any
dct-lab-asa5505(config)# sh capture lab-capture2

11 packets captured

1: 08:53:07.735496 802.1Q vlan#1 P0 172.16.125.100 > 172.16.150.2: icmp: echo request
2: 08:53:08.734855 802.1Q vlan#1 P0 172.16.125.100 > 172.16.150.2: icmp: echo request
3: 08:53:09.735069 802.1Q vlan#1 P0 172.16.125.100 > 172.16.150.2: icmp: echo request
4: 08:53:10.735099 802.1Q vlan#1 P0 172.16.125.100 > 172.16.150.2: icmp: echo request
5: 08:53:11.735084 802.1Q vlan#1 P0 172.16.125.100 > 172.16.150.2: icmp: echo request

 

I am not restricting any traffic on the failover interface and I also have the following enabled-

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to atetu0488

‎06-06-2018 06:15 AM - edited ‎06-06-2018 06:16 AM

Hi @atetu0488,

Pinging 172.16.150.2  from 172.16.125.100 will never work, it is just how asa functions.

Pinging 172.16.150.1  on the other hand should work or at least you should see the request going out on the failover interface.

Can you run the following command and post the output ?

packet-tracer input inside icmp 172.16.125.100 8 0 172.16.150.1

0 Helpful

atetu0488
Level 1
Level 1
In response to Bogdan Nita

‎06-06-2018 07:38 AM

Hi @Bogdan Nita,

 

Take a look below. I ran the commands two times. The first time was with the primary WAN circuit up and the second  time was after I disconnected that cable. The ASA should not NAT the traffic in a failover scenario and it should just forward it up to 172.16.150.1

 

dct-lab-asa5505# packet-tracer input inside icmp 172.16.125.100 8 0 172.16.150.1

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.150.0 255.255.255.252 failover

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit ip 172.16.125.0 255.255.255.0 any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 172.16.125.0 255.255.255.0
match ip inside 172.16.125.0 255.255.255.0 failover any
dynamic translation to pool 1 (No matching global)
translate_hits = 11889, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: failover
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

After I unplugged primary interface.

 

dct-lab-asa5505# packet-tracer input inside icmp 172.16.125.100 8 0 172.16.150$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.150.0 255.255.255.252 failover

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit ip 172.16.125.0 255.255.255.0 any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 172.16.125.0 255.255.255.0
match ip inside 172.16.125.0 255.255.255.0 failover any
dynamic translation to pool 1 (No matching global)
translate_hits = 12793, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: failover
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

dct-lab-asa5505# sh track 100
Track 100
Response Time Reporter 100 reachability
Reachability is Down
18 changes, last change 00:04:19
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

 

Gateway of last resort is 172.16.150.1 to network 0.0.0.0

C 172.16.150.0 255.255.255.252 is directly connected, failover
C 172.16.125.0 255.255.255.0 is directly connected, inside
S 8.8.4.4 255.255.255.255 [1/0] via 172.16.150.1, inside
S* 0.0.0.0 0.0.0.0 [150/0] via 172.16.150.1, failover

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to atetu0488

‎06-07-2018 11:45 PM

It looks like the nat config is the problem, I haven't seen pre 8.3 nat for a while, but I think the problem is that the nat 0 should be applied to the inside interface:
no nat (failover) 0 access-list no-nat-failover

nat (inside) 0 access-list no-nat-failover

 

HTH

Bogdan

0 Helpful

atetu0488
Level 1
Level 1
In response to Bogdan Nita

‎06-08-2018 08:40 AM

Hi @Bogdan Nita

 

I updated the ASA firmware from 8.2.(1) to 9.2(2) and I made some progress. I am now able to route the LAN traffic un-nated over to the failover device that handles the NAT as expected. The issue I am having now is making the ASA recover route and NAT tasks of the LAN traffic when the primary link is active again.

 

dct-lab-asa5505# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (failover) source static obj-172.16.125.0 obj-172.16.125.0 destination static obj-any obj-any
translate_hits = 413, untranslate_hits = 630
Source - Origin: 172.16.125.0/24, Translated: 172.16.125.0/24
Destination - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-test-server-lan 24.172.144.147
translate_hits = 0, untranslate_hits = 39
Source - Origin: 172.16.125.100/32, Translated: 24.172.144.147/32
2 (inside) to (outside) source dynamic obj-172.16.125.0 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.125.0/24, Translated: 24.172.144.148/29

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to atetu0488

‎06-11-2018 01:02 AM

Hi @atetu0488,

In the identity nat command try adding no-proxy-arp route-lookup.

Is the route pointing to outside when the outside interface is up ?

0 Helpful

atetu0488
Level 1
Level 1
In response to Bogdan Nita

‎06-11-2018 01:45 PM

Hi @Bogdan Nita

 

I moved my NAT statements around and everything seems to be working as expected now. I placed the 1:1 NAT first and then I added after-auto in my manual NAT to make it less preferred than the dynamic auto NAT. 

 

object network obj-test-server-lan
nat (inside,outside) static 24.172.144.147

object network obj-172.16.125.0
nat (inside,outside) dynamic interface

nat (inside,failover) after-auto source static obj-172.16.125.0 obj-172.16.125.0 destination static obj-any obj-any

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card