08-20-2012 10:15 AM - last edited on 03-25-2019 05:49 PM by ciscomoderator
I am hoping someone can throw me a life jacket on this small dilemma. I am trying to configure dual ISPs with an ASA. I have followed the guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml and the failover occurs seamlessly but I feel there is a step missing from the guide: dual NAT.
When the failover occurs, traffic still dies at the ASA because it is unable to find a NAT pool for the backup ISP interface (and backup ISP IPs). And, I have yet to find a way to program a second NAT rule that falls over to that backup interface when the primary outside fails.
Help would be greatly appreciated!
Below is a diagram of the layout with both ISP router and active/standby ASAs for your reference:
08-20-2012 02:17 PM
With the guide you followed, you are running a version <8.3 on your ASA? Then you have to take your global commands and configure them again with the backup-interface and the IP-range that belongs to the backup ISP.
That is also mentioned in the guide:
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
For the nat-statement you have two globals with the same NAT-ID pointing to both outgoing interfaces. The example works with interface-PAT, but you can use your NAT-range or PAT-IP instead of the keyword "interface".
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-20-2012 03:08 PM
That was it... I was trying to use two globals with different NAT IDs. Just had to modify the backup one to use the same ID and it tested successfully. Thanks!
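A small check for the mismatch described in this thread, as an added example that is not part of the original posts: it parses pre-8.3 "global" and "nat" lines and reports any NAT ID that has no "global" on one of the egress interfaces. The sample configurations are constructed from the lines quoted above, and the function name missing_globals is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (pre-8.3 syntax): the backup global uses a different NAT ID,
# which is the mistake described in the thread.
SAMPLE_BROKEN = """\
global (outside) 1 interface
global (backup) 2 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""
# Same config with the backup global moved to the NAT ID used by the nat statement.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("global (backup) 2", "global (backup) 1")

GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) ")


def missing_globals(config, egress_ifaces):
    """Return {nat_id: [egress interfaces that have no global with that ID]}."""
    globals_by_id = defaultdict(set)
    nat_ids = set()
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group(2))].add(m.group(1))
            continue
        m = NAT_RE.match(line)
        # NAT ID 0 is NAT exemption and needs no matching global.
        if m and int(m.group(2)) != 0:
            nat_ids.add(int(m.group(2)))
    report = {}
    for nat_id in sorted(nat_ids):
        gaps = [i for i in egress_ifaces if i not in globals_by_id[nat_id]]
        if gaps:
            report[nat_id] = gaps
    return report


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, missing_globals(cfg, ["outside", "backup"]))
```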