How to NAT an outside IP address to the outside address of a different ASA

We have the following scenario:

Site01 is our primary site containing a webserver behind an ASA.

This Webserver is statically natted to an outside address.

A DNS address is pointing to this outside address.

Site02 is our backup site containing the same setup except ip addresses.

Now I want to be able to have Site02 alive while having maintenance on the web server on Site01.

My idea was to create a static nat rule from Site01 to Site02, so clients do not have to change dns addresses.

But then again, Site02 has to send the response back to Site01, so the first NAT should be source natted and destination natted, I guess; otherwise the client would receive a response from a different IP than the one they sent the request to.

Is this a possible scenario? And how do I configure this?

[Attachment: asa nat.jpg]

Accepted Solution

Or actually,

I am not sure you have mentioned your software level. In that case the NAT configuration would be completely different, of course. It could actually be done with a single command (although that command would require some objects created for it).

Probably something like this:

object network SRV-PUBLIC-MAIN
 host 1.1.1.1
object network SRV-PUBLIC-SECONDARY
 host 2.2.2.2
object network ANY
 subnet 0.0.0.0 0.0.0.0
object network USER-PUBLIC
 host 3.3.3.3

same-security-traffic permit intra-interface

nat (outside,outside) source dynamic ANY USER-PUBLIC destination static SRV-PUBLIC-MAIN SRV-PUBLIC-SECONDARY

Would also need to do a quick test for this to confirm it actually works, since I don't really need to resort to these in my work.

- Jouni
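The twice NAT rule above translates both ends of the flow. As an added illustration (not code from the thread or from Cisco), this Python model walks one HTTP request through the main site ASA with and without the source PAT, using the thread's 1.1.1.1 / 2.2.2.2 / 3.3.3.3 objects and a constructed client address, to show why the reply only matches the client's connection when the source is translated too.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
SRV_PUBLIC_MAIN = "1.1.1.1"        # object SRV-PUBLIC-MAIN, the IP in DNS
SRV_PUBLIC_SECONDARY = "2.2.2.2"   # object SRV-PUBLIC-SECONDARY
USER_PUBLIC = "3.3.3.3"            # object USER-PUBLIC, the PAT address
CLIENT = "198.51.100.10"           # constructed Internet client, not from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class MainSiteAsa:
    """Toy model of the main site's (outside,outside) twice NAT rule."""
    def __init__(self, translate_source: bool) -> None:
        self.translate_source = translate_source
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}  # PAT (mapped) -> (real)
        self.next_port = 10000

    def forward(self, pkt: Packet) -> Packet:
        """Client request for SRV-PUBLIC-MAIN arriving on the outside interface."""
        src, sport = pkt.src, pkt.sport
        if self.translate_source:      # 'source dynamic ANY USER-PUBLIC'
            src, sport = USER_PUBLIC, self.next_port
            self.next_port += 1
            self.xlate[(src, sport)] = (pkt.src, pkt.sport)
        # 'destination static SRV-PUBLIC-MAIN SRV-PUBLIC-SECONDARY' (mapped -> real)
        return Packet(src, sport, SRV_PUBLIC_SECONDARY, pkt.dport)

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Reply from Site02: untranslate via the xlate entry, if it reached us."""
        entry = self.xlate.get((reply.dst, reply.dport))
        if entry is None:
            return None
        return Packet(SRV_PUBLIC_MAIN, reply.sport, entry[0], entry[1])

def reply_seen_by_client(translate_source: bool) -> Optional[Packet]:
    """One round trip; Site02 answers whatever source it saw, out its own uplink."""
    asa = MainSiteAsa(translate_source)
    fwd = asa.forward(Packet(CLIENT, 40000, SRV_PUBLIC_MAIN, 80))
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if reply.dst == CLIENT:            # asymmetric path: bypasses the main site ASA
        return reply
    return asa.reverse(reply)

def client_accepts(reply: Optional[Packet]) -> bool:
    """The client's firewall only matches a reply from the IP it contacted."""
    return reply is not None and reply.src == SRV_PUBLIC_MAIN and reply.dport == 40000
```

With the source PAT the reply comes back through the main site and is untranslated to 1.1.1.1; without it Site02 answers the client directly from 2.2.2.2 and the client's stateful firewall has no matching connection.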


11 Replies

Julio Carvajal (VIP Alumni)

Hello Sebastian,

So you basically want to use the secondary site when the primary site is in maintenance.

I do not understand what you are attempting to do with the NAT so I would say I do not think it will work.

My recommendation instead is to map that DNS entry to port 80 on the primary server and then to 8080 on the secondary server for the same service (pointing to the same IP address and same domain name).

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I want to use that NAT so for the client, the destination and source address do not change.

As our customers use firewalls for incoming and outgoing traffic.

The DNS mapping thing, you mean port address translation? Then the same issue arises for returning traffic, doesn't it?

Hi,

I don't think you can configure a Static NAT with the same public IP address for 2 different local servers and have them work at the same time.

You will probably end up with only one of them working and the other one not. It might even be that the device itself won't allow you to enter the second configuration.

You could probably configure Static NAT for two different servers if you used the source address where the connections are coming from as a parameter of the NAT, but in this case that wouldn't really make sense.

I am not really familiar with the DNS side (except for the very basics), but wouldn't it be possible to have different public IP addresses on the DNS servers for the same DNS name? Or would this just create other problems that would need to be resolved again?

For example, doing a DNS lookup for www.google.com produces 6 public IP addresses for me.

- Jouni

Hi Jouni,

I don't want site01 and site02 servers to be working at the same time.

So the idea was to run some lines of config at the moment of switching:

- disabling the NAT rule at Site01 to that webserver

- configuring the NAT rule at Site01 for the remote webserver

But then still, if I manage to create a static NAT from an external IP at Site01 to an external IP at Site02, and Site02 maps that external IP to the inside host, when the host responds it will send traffic out directly to the client, thus giving an answer from a different IP address than the one the request was sent to.

Hi,

The problem with the setup you are attempting is simply the fact that you are trying to configure Static NAT that uses the same public IP address and expect the ASA to be able to determine which should be used and when. I don't see an automatic way to switch this configuration on the ASA itself.

There was a similar discussion here not long ago. There I simply stated that if the ASA had the same support as the IOS routers then you could probably create a combination of SLA and some script that changes the NAT configuration to point to the other site when the main site's server is unreachable. But as of now this is not possible on the ASA.

Naturally the setup between the sites requires some thought also. From your explanation I gather that you are actually testing Static NAT that forwards connections coming to the public IP address of the server on the Main Site to the public IP address on the Secondary Site. This would naturally result in a situation where the Secondary Site server forwards the traffic out the local Internet connection directly to the host/client on the Internet. To avoid that you would have to NAT the source address also on the Main Site so all return traffic from the Secondary Site would be forwarded back to the Main Site before getting forwarded back to the host/client that initiated the connection.

But as I said, I am not sure if the ASA really provides tools to accomplish what you are asking at the moment. Or I am just missing something, which is also possible.

Naturally it might be possible to create some script that logs into the ASA and changes the NAT configurations when this change is needed.

- Jouni

Hi Jouni,

The switching between primary and secondary site would be a manual action.

My main concern is the source NAT configuration on the main site for the returning traffic.

Is that possible?

So: the external IP on Site01 is natted to the external IP on Site02 but is source natted also.

Hi,

To my understanding you would require the following configurations:

  • Static NAT that binds the Main Site public IP to the Secondary Site public IP
  • Dynamic Policy PAT for user source addresses when contacting the Main Site IP, so return traffic flows from the Secondary Site to the Main Site

I can't guarantee these 100%, but to my understanding these should be it.

Static NAT for Main Site to Secondary Site:

same-security-traffic permit intra-interface
static (outside,outside)
netmask 255.255.255.255

Dynamic Policy PAT for source translation:

access-list WEB-SRV-POLICYPAT remark Dynamic Policy PAT for Web user traffic
access-list WEB-SRV-POLICYPAT permit tcp any host
eq 80
access-list WEB-SRV-POLICYPAT permit tcp any host
eq 443
nat (outside) 200 access-list WEB-SRV-POLICYPAT
global (outside) 200

As I said already, I would have to test this on some ASA running 8.2 to confirm that both the destination and source translation are applied. Provided that works, then the traffic should flow from the user to the main site and to the secondary site and back to the user through the main site again.

- Jouni


Hi Jouni,

We're running 8.3.2, thanks.

What I don't understand: what does USER-PUBLIC represent?

Hi,

That is a Dynamic PAT public IP address with which all the Web server users will show to the Secondary Site (for return traffic routing). You could perhaps replace it with "interface" parameter also.

Let me know if this works for you.

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though

- Jouni

Hi Jouni,

Awesome, got it working!

Thanks!
