Cisco ASA 5520 - Dual outbound NAT

Kuzuri
Level 1

Is it possible to have two different outbound links and NAT them based on VLAN on a ASA 5520?

 

I have 3 VLANs trunked to the ASA in a router-on-a-stick design and two links to the Internet.  I'm trying to NAT 2 of the VLANs out the second outbound interface, but it won't work.  However, if I NAT out of the first everything works perfectly fine:

 

nat (inside,outside) dynamic interface
nat (vlan10,outside) dynamic interface
nat (vlan20,outside) dynamic interface

But as soon as I change it to outside2 outbound connections stop working:

 

nat (inside,outside) dynamic interface
nat (vlan10,outside2) dynamic interface
nat (vlan20,outside2) dynamic interface

Are you allowed to have 2 outbound interfaces on an ASA and can you NAT through them?  If so, can you spot what I am doing wrong?

 

Thank you!


balaji.bandi
Hall of Fame

We are not sure what the VLAN 10 and VLAN 20 IPs are.

Can we have the 3 VLAN IP addresses and the full configuration to review?

 

Are you looking to set up a failover link? What is the goal of the 2 ISP links?

 

BB

Francesco Molino
VIP Alumni

Hi

Yes, you can have 2 outbound interfaces. Based on your description, I believe your outside zone is the default route, which explains why VLAN 10 and 20 are working when NAT is done on outside.
If you want to NAT using outside2 for vlan10 and vlan20, you would need to configure PBR.
You can take a look here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

This feature needs a minimum version of software.

If you want us to build the PBR, we will require more details like the subnets of vlan10 and vlan20, and does all traffic from these VLANs have to go out through outside2?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
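For reference, this is an added illustration (not the poster's configuration and not Francesco's) of what the PBR approach described above looks like on an ASA running 9.4 or later, which is why it would not help on the 5520. The subnets, sub-interface numbers and the 203.0.113.1 next-hop are made-up placeholders.

```text
! 1. Identify the traffic that must leave via outside2 (VLAN 10 and VLAN 20 subnets).
!    Subnets are placeholders; substitute the real ones.
access-list PBR-TO-OUTSIDE2 extended permit ip 10.10.0.0 255.255.255.0 any
access-list PBR-TO-OUTSIDE2 extended permit ip 10.20.0.0 255.255.255.0 any
!
! 2. Route-map: matching traffic is handed to the outside2 ISP gateway (placeholder
!    address) instead of following the default route that points out "outside".
route-map PBR-VLAN-ISP2 permit 10
 match ip address PBR-TO-OUTSIDE2
 set ip next-hop 203.0.113.1
!
! 3. Apply the route-map on the ingress VLAN sub-interfaces. The sub-interface
!    stanzas are assumed to exist already; only the policy-route line is new.
interface GigabitEthernet0/1.10
 nameif vlan10
 policy-route route-map PBR-VLAN-ISP2
interface GigabitEthernet0/1.20
 nameif vlan20
 policy-route route-map PBR-VLAN-ISP2
!
! 4. The poster's outside2 NAT rules are now matched, because the egress interface
!    selected by PBR is outside2. Without PBR the default route selects "outside",
!    so a (vlan10,outside2) rule never matches and the traffic leaves un-NATed.
nat (vlan10,outside2) dynamic interface
nat (vlan20,outside2) dynamic interface
```

Check the result with `packet-tracer input vlan10 tcp <host> 12345 8.8.8.8 80`, which shows the egress interface and the NAT rule hit for a given source.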

I was afraid of that. My Cisco 5520 doesn't support PBR. Is there no way to
do it without PBR?

No other way. Without PBR, you can, however, do some kind of stuff but not exactly what you want.
Take a look here for examples: https://community.cisco.com/t5/security-documents/dual-isp-implementation-on-asa/ta-p/3144475

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you, this might actually work in this situation.

OK no problem. If you need more assistance let us know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello, there is a way to do it by working with Traffic Zones, which were introduced in ASA code 9.3; however, the ASA5520 supports only up to 9.1 ASA code.

 

The ISP SLA option already given to you will work as well but will be only on a link failover basis.

 

It depends on if you need to work with 2 active Internet links or 1 active and a standby internet link.

 

I leave you here the information about traffic zones: https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html 

Unfortunately for my situation I needed two active links and traffic sent based on their originating VLAN/network.

 

However, now that I've glanced over the traffic zones post I might be able to work with that since I know what ports that I will be working with.

 

If that becomes too cumbersome I think I'll pull everything back and route it with the layer 3 switch.  That should take care of it, but it'll just make things a little more difficult for the hosts that needed to be in the dmz.

 

That is something that I will have to weigh and decide if the pros outweigh the cons. 
