Dual ISP with NAT Trouble

I am hoping someone can throw me a life jacket on this small dilemma.  I am trying to configure dual ISPs with an ASA.  I have followed the guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml and the failover occurs seamlessly but I feel there is a step missing from the guide: dual NAT.

When the failover occurs traffic still dies at the ASA because it is unable to find a NAT pool for the backup ISP interface (and backup ISP IPs).  And, I have yet to find a way to program a second NAT rule that falls over to that backup interface when the primary outside fails.

Help would be greatly appreciated!

Below is a diagram of the layout with both ISP router and active/standby ASAs for your reference:

cisco question diagram.png

Accepted Solutions

With the guide you followed, you are running a version <8.3 on your ASA? Then you have to take your global commands and configure them again with the backup-interface and the IP-range that belongs to the backup ISP.

That is also mentioned in the guide:

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

For the nat-statement you have two globals with the same NAT-ID pointing to both outgoing interfaces. The example works with interface-PAT, but you can use your NAT-range or PAT-IP instead of the keyword "interface".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

2 Replies

That was it... I was trying to use two globals with different NAT IDs.  Just had to modify the backup one to use the same ID and it tested successfully.  Thanks!
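
A config check for the failure described in this thread, added here as an example and not part of the original posts or the Cisco guide: it parses pre-8.3 `nat`/`global` lines and reports every NAT ID that has no matching `global` on one of the egress interfaces. The two sample configs are constructed; the interface names `outside` and `backup` are taken from the answer above, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample configs in pre-8.3 syntax, modelled on the lines in the thread.
BROKEN = """\
global (outside) 1 interface
global (backup) 2 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""
FIXED = """\
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) ")

def missing_globals(config, egress=("outside", "backup")):
    """Return sorted (nat_id, real_if, egress_if) tuples for nat rules lacking a global on egress_if."""
    globals_by_id = defaultdict(set)   # NAT ID -> interfaces that have a global with that ID
    nats = set()                       # (NAT ID, real interface) pairs
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[m.group(2)].add(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m and m.group(2) != "0":    # nat 0 is NAT exemption and has no global
            nats.add((m.group(2), m.group(1)))
    return sorted(
        (nid, rif, eif) for nid, rif in nats for eif in egress if eif not in globals_by_id[nid]
    )

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for nid, rif, eif in missing_globals(cfg):
            print(f"{name}: nat ({rif}) {nid} has no 'global ({eif}) {nid}'")
```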
