01-29-2020 12:31 PM - edited 02-21-2020 09:52 AM
Hello, we have two internet connections terminated on our 5506-X FTD managed through our FMC. Connected to our FTD is a Cisco 4331 router we are doing a DMVPN connection over the primary internet connection to our corporate HQ. The tunnel source interface of that router is 172.29.3.1. We currently have NAT rules in place that will NAT 172.29.3.1 traffic out our primary internet. We have two default routes on the FTD using an SLA and metrics. If the Primary internet goes down, it auto-fails over to the secondary one.
What we need assistance with is the ability to have the FTD dynamically NAT the 172.29.3.1 LAN IP out the secondary internet connection in the event the primary internet SLA fails and we are in a failover event.
Attached is a screenshot of our current NAT. The Primary internet connection is in security zone "RemoteSite_Public", and our secondary internet connection security zone is "RemoteSite_Public2".
Is it as easy as adding a duplicate NAT rule below the ones we have in place that say RemoteSite_Public2?
We realize when the internet switches over on our HQ DMVPN concentrator we'll need to clear crypto keys in light of the new public IP the requests are coming from.
I also posted this (only more long-winded) under the routing section, but I think it's more related to the FTD than anything. Here is a link to that post: https://community.cisco.com/t5/routing/assistance-with-dmvpn-through-ftd-with-two-internet-connections/m-p/4020514#M328560
01-29-2020 12:44 PM - edited 01-29-2020 12:45 PM
Hi,
Yes, define an additional NAT rule from SRC interface "RemoteSite_Internal" to DST interface "RemoteSite_Public2". Once IP SLA removes the existing default route going via "RemoteSite_Public", the traffic will then use the new default route and match the new NAT rule via "RemoteSite_Public2".
HTH
01-29-2020 12:48 PM
01-29-2020 02:02 PM
01-29-2020 02:06 PM
Gotcha! Thank you!
01-29-2020 02:12 PM
I get an error on the dynamic part stating "the auto nat rule with original source already exists. Duplicate Auto NAT rule is not allowed". Should I add them to the NAT rules after maybe? This was when adding the source internal, destination public2 dynamic auto NAT rule.
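To make the two points of this thread concrete (the SLA-tracked pair of default routes, and the FMC "duplicate Auto NAT rule" error), here is an added example in ASA/FTD-style CLI. It is not configuration from the original poster or from Cisco; it is what the FMC objects described above roughly render to on the device. The gateway addresses, the SLA probe target and the tracking numbers are constructed, and the interface names are assumed to match the security-zone names used in the thread; only the LAN host 172.29.3.1 comes from the post.

```cisco
! Added example, not from the thread. Gateways 203.0.113.1 / 198.51.100.1,
! the ICMP probe target and the sla/track IDs are constructed values.
! Interface names are assumed to match the thread's security-zone names.

! --- Reachability tracking for the primary internet connection ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface RemoteSite_Public
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! --- Two default routes: the primary is tied to the tracker, the secondary
! --- carries a worse metric and only takes over once the tracked route drops
route RemoteSite_Public  0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route RemoteSite_Public2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- The DMVPN router's tunnel source (from the thread) ---
object network DMVPN_Router
 host 172.29.3.1

! Auto (object) NAT allows only one rule per original source object, which is
! why FMC rejects a second auto NAT rule for the same host. In CLI terms:
!   object network DMVPN_Router
!    nat (RemoteSite_Internal,RemoteSite_Public)  dynamic interface
!    nat (RemoteSite_Internal,RemoteSite_Public2) dynamic interface  <- rejected

! --- Manual NAT instead: one rule per egress interface. The rule whose
! --- interface pair matches the current route-lookup egress is the one applied,
! --- so failover of the default route selects the second rule automatically.
nat (RemoteSite_Internal,RemoteSite_Public)  source dynamic DMVPN_Router interface
nat (RemoteSite_Internal,RemoteSite_Public2) source dynamic DMVPN_Router interface
```

To confirm the behaviour during a failover test, `show track 1` shows whether the tracked route is up, `show route` shows which default route is currently installed, and `show nat` (or `show xlate` for the live translation of 172.29.3.1) shows which of the two manual NAT rules is being hit; the same information is visible in FMC under the device's NAT and routing pages.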
01-29-2020 02:16 PM