465
Views
5
Helpful
2
Replies

Dynamic Policy PAT Issue

CSCO11789983
Level 1

Guys, I'm having an issue with a configuration and need your help solving it, maybe even a whole new point of view. I need to create a VPN back to one data provider and basically I have to PAT a whole subnet behind a public IP different from the (ASA 5512X 9.1.6) interface. We have two ISP providers locally; using a simple track feature we fail over between the primary ("outside" interface) and the secondary ("backup" interface). We are using the following config:

object network SOURCE_SUBNET
 subnet 192.168.1.0 255.255.255.0

object network DESTINATION_SUBNET
 subnet 10.10.10.0 255.255.255.0

object network PRIMARY_PUBLIC_IP
 host 1.1.1.1
object network SECONDARY_PUBLIC_IP
 host 2.2.2.2

access-list outside_cryptomap_1 extended permit ip object PRIMARY_PUBLIC_IP object DESTINATION_SUBNET
access-list backup_cryptomap_1 extended permit ip object SECONDARY_PUBLIC_IP object DESTINATION_SUBNET

nat (inside,outside) source dynamic SOURCE_SUBNET PRIMARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET
nat (inside,backup) source dynamic SOURCE_SUBNET SECONDARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET

The normal traffic going under normal conditions through the primary ISP has no problems. The real issue here is when we fail over to the secondary ISP: the traffic is still diverted to the outside interface, mainly I guess because of the NAT "ACL match type" for sections 1 and 3, where the first matched statement is pointing to (inside,outside). If I invert the order of the statements, the VPN goes up on the secondary without any problems.

Now, if I use (inside,any) I force the route lookup and the traffic is correctly diverted to the interface actually in use, but the PAT itself is still being pointed to the primary public IP.

Thanks in advance!

1 Accepted Solution

Akshay Rastogi
Cisco Employee

Hi there,

Yes, you are facing the expected situation. However, there is a feature, EEM scripts, which has been added from version 9.2.1 (upgrade the ASA). It removes the first statement from the configuration once your primary link goes down in SLA. It does this by tracking one specific syslog ID. Go through the link below:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html

Hope it helps.

Regards,

Akshay Rastogi

Remember to mark the answer as correct if it answers your query or rate the helpful posts.
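
As an added example of the mechanism the reply describes (constructed here, not configuration from the original thread or from the linked Cisco document), an ASA EEM applet that triggers on the syslog message the route tracker emits when the tracked default route is removed and deletes the primary-ISP PAT rule, so that the (inside,backup) rule becomes the first match in NAT section 1. The object and NAT names are the ones from the question; the syslog ID 622001 (the ASA's "Adding/Removing tracked route" message) and the applet and log-file names are assumptions.

```cisco
: Added example (constructed); assumes syslog 622001 is the tracked-route add/remove message.
: Requires ASA 9.2(1) or later for "event manager applet".
event manager applet PRIMARY_DOWN_REMOVE_NAT
 description Remove the primary-ISP PAT rule when the tracked default route changes
 event syslog id 622001 occurs 1
 action 1 cli command "no nat (inside,outside) source dynamic SOURCE_SUBNET PRIMARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET"
 action 2 cli command "show nat"
 output file append disk0:/eem-nat-failover.log
```

Check the applet with `show running-config event manager`, and read the appended `show nat` output with `more disk0:/eem-nat-failover.log` after a failover to confirm the (inside,backup) rule is now the only section 1 match. Two caveats a practitioner should plan for: the 622001 message is logged both when the tracked route is removed and when it comes back, so this applet also fires on failback and does not restore the rule by itself; re-adding the primary rule ahead of the backup one is a separate step, and manual NAT accepts a line number for that (`nat (inside,outside) 1 source dynamic SOURCE_SUBNET PRIMARY_PUBLIC_IP destination static DESTINATION_SUBNET DESTINATION_SUBNET`). Second, the removal is not saved here on purpose; a `write memory` action would persist the failover state across a reload.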


2 Replies

CSCO11789983
Level 1

Hi Akshay, thanks for the heads up, I will try this!
