12-01-2014 10:15 AM - edited 03-11-2019 10:09 PM
I'm having a strange issue with ASA 9.3.1 on a 5515-X.
A VPN device is connected inside the LAN and is NATed to 2 different public IPs. The problem is that when the primary ISP fails and comes back, the remote side is unable to connect to the VPN device through the primary ISP (unable to ping); all remaining NATs work without any issue.
Traffic is permitted for the VPN device in the ACLs for the ISP_1 and ISP_2 interfaces and in inside_access_in.
Apart from this, tracking is enabled for ISP_1 & ISP_2.
*****************************
object network VPN-LAN-Ip
host 172.16.200.270
object network VPN-Public-IP-ISP_1
host 10.200.250.10
object network VPN-Public-IP-ISP_2
host 192.200.250.10
nat (inside,isp_1) source static VPN-LAN-Ip VPN-Public-IP-ISP_1
nat (inside,isp_2) source static VPN-LAN-Ip VPN-Public-IP-ISP_2
*******************************
Am I missing something? I even tried creating a second object name for use with isp_2 and used it with the NAT.
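As an added example (not posted by anyone in this thread), a small linter for the kind of "object network" / "nat ... source static" snippet quoted above. The config it checks is a constructed copy of that snippet that carries two slips which are easy to make when typing these blocks and which the ASA parser does not turn into a clear error: an object name declared twice (re-entering "object network NAME" on the ASA edits the existing object, so the later "host" line silently replaces the earlier address and the first mapping disappears) and a host address with an octet of 270. It also flags a nat rule that references an object never defined. The object, address and interface names are copied from the post; the function and regex names are the example's own.

```python
"""Lint an ASA 'object network' / 'nat' snippet for slips that silently break NAT.

Checks:
  * an object name defined more than once (on the ASA the later 'host' line
    replaces the earlier address, so the first mapping vanishes without an error)
  * a 'host' address that is not a valid IPv4 address
  * a 'nat (a,b) source static REAL MAPPED' line referencing an undefined object
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: a copy of the kind of snippet in the question, deliberately
# carrying two typos (VPN-Public-IP-ISP_1 declared twice, and an octet of 270).
SAMPLE_CONFIG = """\
object network VPN-LAN-Ip
 host 172.16.200.270
object network VPN-Public-IP-ISP_1
 host 10.200.250.10
object network VPN-Public-IP-ISP_1
 host 192.200.250.10
nat (inside,isp_1) source static VPN-LAN-Ip VPN-Public-IP-ISP_1
nat (inside,isp_2) source static VPN-LAN-Ip VPN-Public-IP-ISP_2
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\S+)\s*$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)")


def lint_asa_nat(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the snippet is clean."""
    findings: List[str] = []
    objects: Dict[str, List[str]] = {}   # object name -> host addresses seen, in order
    current: Optional[str] = None         # object block we are inside, if any

    for lineno, line in enumerate(config.splitlines(), start=1):
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            if current in objects:
                findings.append(
                    f"line {lineno}: object network {current} defined again; "
                    f"a later 'host' line will replace the earlier address")
            objects.setdefault(current, [])
            continue

        m = HOST_RE.match(line)
        if m:
            addr = m.group(1)
            if current is None:
                findings.append(f"line {lineno}: 'host' outside an object block")
                continue
            objects[current].append(addr)
            try:
                ipaddress.IPv4Address(addr)   # raises ValueError on e.g. an octet > 255
            except ValueError:
                findings.append(f"line {lineno}: '{addr}' is not a valid IPv4 address")
            continue

        m = NAT_RE.match(line)
        if m:
            current = None
            real, mapped = m.group(3), m.group(4)
            for name in (real, mapped):
                if name not in objects:
                    findings.append(
                        f"line {lineno}: nat rule references undefined object {name}")
            continue

        if line.strip():
            current = None   # any other top-level line ends the object block

    return findings


if __name__ == "__main__":
    for finding in lint_asa_nat(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the bad address on line 2, the re-declared object on line 5 and the undefined VPN-Public-IP-ISP_2 on the isp_2 nat line; running it over a cleaned-up snippet returns nothing. On a real box, "show running-config object" and "show nat detail" are the quick way to confirm which mapped address each object actually ended up with.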
12-02-2014 09:37 PM
Hi,
How is your VPN configured? What is the peer address for your remote client?
12-04-2014 03:25 AM
Hi,
The VPN device initiates a site-to-site tunnel to the other end. Both ends' private IPs are mapped to the VPN box and only server traffic goes through the tunnel.
NAT on the ASA to the real IP works well when testing in a lab setup, even when physically unplugging/plugging the cable.
12-06-2014 11:04 AM
Hi, can you post your ASA config related to the VPN setup, the route configuration and the relevant NAT config?
I hope this link is helpful for you:
https://supportforums.cisco.com/blog/150001/ipsec-vpn-redundancy-failover-over-redundant-isp-links
Thanks
Murali