Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
937
Views
0
Helpful
5
Replies

ASA 5510 Dual ISP, one routed one NAT

rmoisio224
Level 1
Level 1

‎10-08-2013 05:48 AM - edited ‎03-11-2019 07:48 PM

Hello,

I am trying to figure out the proper configuration for ISP failover on my ASA 5510, here is my senario:

Currently our primary ISP link is being provided by a consotium for schools so we have no public ip address on the outside interface of the ASA. The firewall is acting as a router, with no nat function on that link. We wanted to create a failover link to our cable provider which will give us a public ip on the second outside interface of the firewall, and I have it natted to the inside interface. When i set up SLA and the first routed link fails, it fails over to the natted link perfectly and i can see the nat translations. When SLA fails over again to the primary link the nat translations are not removed and internet access breaks until i remove the nat statements and clear xlate. If anybody has insight on this, or a possible workaround, your input will be greatly appreciated as my head hurts from banging it into a wall.

Labels:
0 Helpful
5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-08-2013 08:36 AM

Hello Ryan,

What version are you running on the ASA?

What about timeout floating-conn

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com


Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Patrick Moubarak
Level 4
Level 4

‎10-08-2013 08:21 PM

you could also try to create an identity NAT instead of NONAT if you are running the older codes 8.2 and below... the difference is that one NATs the IP to itself and the latter bypasses the NAT process completely...

Patrick

0 Helpful

swapneswar panda
Level 1
Level 1

‎10-14-2013 09:57 AM

I believe you need to check your tracking. Not sure how do u track it for your SLA.

Thanks

swap

0 Helpful

lcambron
Level 3
Level 3

‎10-14-2013 10:18 AM

Hello Ryan,

I would agree with Julio on this one:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc8549.shtml

Regards,

Felipe.

0 Helpful

Arun Nair
Level 1
Level 1

‎10-15-2013 08:25 AM

Hello Ryan,

Could you please post the configuration for us?

Best

Arun

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card