FTD/ASA Nat behavior w/ multiple ISPs

mumbles202 (Level 5)

So just a quick question on what the expected behavior should be w/ the following configuration (ISP1 is primary, ISP2 should be secondary):

object network obj-test-subnet
 subnet 192.168.10.0 255.255.255.0
object network obj-test-private
 host 192.168.10.25
object network obj-test-public
 host 10.0.0.8

object network obj-test-subnet
 nat (inside,ISP1) dynamic interface
object network obj-test-private
 nat (inside,ISP2) static obj-test-public

route ISP1 0.0.0.0 0.0.0.0 10.1.1.1 track 10
route ISP2 0.0.0.0 0.0.0.0 10.0.0.1 200

When both ISPs are active, should obj-test-private match the dynamic NAT and go out as the interface IP of ISP1? I'm seeing behavior where, when both ISPs are up, the device w/ the NAT has no internet until I delete the NAT statement. Other devices in the test VLAN have internet w/o any issues, but the one w/ the NAT for ISP2 is having an issue.

5 Replies

Here is a working example. Make sure that your track object is working fine.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

**** please remember to rate useful posts

Thanks for the response. So the failover is working fine: if ISP1 goes down, clients fail over and go out ISP2. My concern is when ISP1 has a track that is up: all the clients but the client w/ the explicit NAT for ISP2 have internet. I'm just wondering why that is, as I read the NAT statement for that host to be: when the source interface is the inside and the egress interface is ISP2, it should perform a NAT to the public defined on ISP2. Otherwise, in the case that the traffic is egressing out ISP1, it should match the NAT to the interface IP for ISP1. I thought an inbound connection over ISP2 to the server would continue to work, as the ASA would use the connection table and send that traffic back out ISP2, but any new connections from the server should go out ISP1 by default?

Just wondering if anyone might have any insight into why this is?


What is the order of your NAT rules? Run "show nat detail".


In your scenario 10.0.0.8 is representing a public IP address; upstream, the ISP router would know to route that traffic only via ISP2... unless you are failing this public IP over to ISP1?

Thanks for the response. Yes, ISP1 and ISP2 have public IP addresses; I just used 10.0.0.8 to represent a public one. Here's basically what I'm trying to have (set up on a test ASA):

ciscoasa# sh run nat
!
object network Guest_Wireless
 nat (inside,ISP1) dynamic interface
object network Test_VM
 nat (inside,ISP1) static 2.3.3.5
object network test_private
 nat (inside,ISP2) static 10.0.0.8
object network obj-any
 nat (inside,ISP1) dynamic interface
ciscoasa#

ciscoasa# sh nat detail
Auto NAT Policies (Section 2)
1 (inside) to (ISP2) source static test_private 10.0.0.8
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.25.100/32, Translated: 10.0.0.8/32
2 (inside) to (ISP1) source static Test_VM 2.3.3.5
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.25.200/32, Translated: 2.3.3.5/32
3 (inside) to (ISP1) source dynamic Guest_Wireless interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.211.0/24, Translated: 10.10.10.1/24
4 (inside) to (ISP1) source dynamic obj-any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 10.10.10.1/24
ciscoasa#

I want test_private to NAT to 10.0.0.8 only if the track for ISP1 is down and the traffic is going out ISP2. All other times it should get NATed to the interface IP of ISP1 as if it were any other host on the LAN.
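As an added example (my code, not part of the thread and not Cisco's), the following Python parses the `show nat detail` output posted above and answers the question the second reply is driving at: which auto NAT rule a given real source address hits first. It embeds the OP's output as its sample input, recomputes the Section 2 (auto NAT) rule order that the ASA NAT documentation describes (static rules before dynamic, then fewer real addresses first, then lower real address, then object name) and checks it against the numbering the box displays. The model matches on ingress interface and real source address only, with an optional egress filter; it deliberately does not model how the ASA chooses the egress interface for a flow, which is the open question in this thread. The helper names (`parse_show_nat_detail`, `matching_rules`, `first_match`, `expected_order`) are my own.

```python
import ipaddress
import re

# Sample input: the 'show nat detail' output copied from the post above.
SHOW_NAT_DETAIL = """\
Auto NAT Policies (Section 2)
1 (inside) to (ISP2) source static test_private 10.0.0.8
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.25.100/32, Translated: 10.0.0.8/32
2 (inside) to (ISP1) source static Test_VM 2.3.3.5
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.25.200/32, Translated: 2.3.3.5/32
3 (inside) to (ISP1) source dynamic Guest_Wireless interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.45.211.0/24, Translated: 10.10.10.1/24
4 (inside) to (ISP1) source dynamic obj-any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 10.10.10.1/24
"""

# Rule header line: "<n> (<ingress>) to (<egress>) source <static|dynamic> <object> <mapped>"
RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<ingress>[^)]+)\) to \((?P<egress>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<obj>\S+) (?P<mapped>\S+)$"
)
# Detail line that carries the real (origin) network of the rule.
ORIGIN_RE = re.compile(r"Source - Origin: (?P<origin>\S+), Translated: (?P<xlate>\S+)")


def parse_show_nat_detail(text):
    """Return the auto NAT rules as dicts, in the order the ASA displays them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "num": int(m["num"]), "ingress": m["ingress"], "egress": m["egress"],
                "kind": m["kind"], "obj": m["obj"], "mapped": m["mapped"],
            })
            continue
        m = ORIGIN_RE.search(line)
        if m and rules:
            rules[-1]["origin"] = ipaddress.ip_network(m["origin"], strict=False)
            rules[-1]["translated"] = m["xlate"]
    return rules


def section2_key(rule):
    """Documented Section 2 ordering: static before dynamic, fewest real
    addresses first, then lowest real address, then object name."""
    return (
        0 if rule["kind"] == "static" else 1,
        rule["origin"].num_addresses,
        int(rule["origin"].network_address),
        rule["obj"].lower(),
    )


def expected_order(rules):
    """Rule numbers in the order the documented sort would place them."""
    return [r["num"] for r in sorted(rules, key=section2_key)]


def matching_rules(rules, src_ip, ingress="inside", egress=None):
    """All rules whose real network covers src_ip, in table order.
    Only the interface pair and the real source address are considered."""
    ip = ipaddress.ip_address(src_ip)
    return [
        r for r in rules
        if r["ingress"] == ingress
        and (egress is None or r["egress"] == egress)
        and ip in r["origin"]
    ]


def first_match(rules, src_ip, ingress="inside", egress=None):
    """First rule in table order that covers src_ip, or None."""
    hits = matching_rules(rules, src_ip, ingress, egress)
    return hits[0] if hits else None


if __name__ == "__main__":
    rules = parse_show_nat_detail(SHOW_NAT_DETAIL)
    print("displayed order:          ", [r["num"] for r in rules])
    print("documented Section 2 order:", expected_order(rules))
    # Constructed host addresses drawn from the real networks in the sample.
    for host in ("10.45.25.100", "10.45.25.200", "10.45.211.7", "10.45.30.9"):
        hits = matching_rules(rules, host)
        print(host, "->", [(r["num"], r["kind"], r["egress"], r["obj"]) for r in hits])
```

For 10.45.25.100 the first hit is rule 1 (static, to ISP2) and only then rule 4 (dynamic interface PAT to ISP1), which is the ordering the thread is asking about; every other inside host falls straight through to a rule whose egress is ISP1. Re-running the order check after adding or renaming an object is a cheap way to confirm the box placed a new rule where you expected.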
