Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1460
Views
0
Helpful
1
Replies

Dual ISP and inbound NAT ASA5505 8.2

roger perkin
Level 2
Level 2

‎10-31-2012 05:24 PM - edited ‎03-11-2019 05:17 PM

I have setup an ASA5505 running 8.2 with dual ISP's

Primary link is the current live static route out and the backup picks up if the primary fails.

That all works great

However I have an issue with inbound NAT rules

I have configured an inbound static on the primary which works great

static (inside,primary) *.*.*.* 10.1.1.1 netmask 255.255.255.255

access-list outside_access_in line 2 extended permit tcp any host *.*.*.* eq 3389 (hitcnt=4)

Question?

With the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host 10.1.1.1

on the backup link?

If the primary fails users will need to be able to connect inbound to this service

When I try to set it up I got this error

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

So I tried that and got this error

WARNING: All traffic destined to the IP address of the backup interface is being redirected.

WARNING: Users will not be able to access any service enabled on the backup interface.

So what is the best practice for configuring inbound NAT for a dual ISP configured ASA

Any help much appreciated

Roger

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-31-2012 05:37 PM

Hello Roger,

With the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host 10.1.1.1

on the backup link?

You can have it configured but it will not work until the secondary or backup link is up and ready to go

Now the configuration is the same one as the primary

static (inside,outside) tcp interface 80 192.168.12.2 80

static (inside,backup) tcp interface 80 192.168.2.2 80

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card