Issue with remote connectivity over Leased Line and IPSec VPN (NAT/IP SLA issue?)

tickermcse76
Level 1

Environment

ASA Outside interface will be used to establish IPSec VPN tunnel from remote User_A.

ASA INT_A interface will be used to connect a leased line circuit from remote User_A.

ASA INT_B interface is a private LAN segment that hosts a single web server to be accessed by User_A.

 

User_A always has the same source IP - 3.3.3.3 - whether sending traffic over leased line or VPN.

User_A connects to destination IP - 2.2.2.2 - public IP of the web server, over both paths.

User_A chooses which path to send traffic for 2.2.2.2 over, depending on availability.

The web server private IP is 10.10.10.1.

 

On the ASA, IP SLA tracking is configured to prefer the leased line when available. A couple of object NATs are created, one for each interface.

 

object network OBJ-WEBSRV_PRIV
 host 10.10.10.1

object network OBJ-WEBSRV_PUB
 host 2.2.2.2

object network OBJ-WEBSRV_PRIV
 nat (INT_B,outside) static OBJ-WEBSRV_PUB

object network OBJ-WEBSRV_PRIV
 nat (INT_B,INT_A) static OBJ-WEBSRV_PUB

 

Are there any issues with the above configuration design? Is there any reason to use twice NAT instead? Assume the correct ACLs are in place. We have been successful in establishing connectivity over VPN only (with no leased line configuration in place), and likewise over leased line only (with no VPN tunnel configuration in place). The issue arises when we try to combine both with the IP SLA and multiple object NATs.

 

Please advise; thanks.
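One point worth checking in the posted design, shown here as an added example that is not part of the original post: on the ASA a network object can carry only one object NAT rule, so entering a second "nat" line under OBJ-WEBSRV_PRIV replaces the first rather than adding to it, and only the last interface pair (INT_B,INT_A) survives. The fragment below keeps both translations in either of two ways: a second object with the same real host, or twice NAT (manual NAT) restricted to User_A. The names OBJ-WEBSRV_PRIV-2 and OBJ-USER_A are assumed; the interface names and addresses are the ones used in the thread, and lines starting with "!" are comments.

```cisco
! Added example, not from the original post. OBJ-WEBSRV_PRIV-2 and OBJ-USER_A
! are assumed names; interfaces and addresses are those used in the thread.
!
! Confirm the problem first: after two 'nat' lines under one object, only the
! last one is present in the configuration and in the NAT table.
!   show running-config object network OBJ-WEBSRV_PRIV
!   show nat
!
! Option A - object NAT, one object per interface pair, same real host in each.
object network OBJ-WEBSRV_PUB
 host 2.2.2.2
object network OBJ-WEBSRV_PRIV
 host 10.10.10.1
 nat (INT_B,outside) static OBJ-WEBSRV_PUB
object network OBJ-WEBSRV_PRIV-2
 host 10.10.10.1
 nat (INT_B,INT_A) static OBJ-WEBSRV_PUB
!
! Option B - twice NAT (manual NAT), used instead of Option A, one rule per
! interface pair and limited to User_A so no other source is translated.
! The 'destination' clause is written from the real (INT_B) side, so the
! destination here is User_A, left untranslated (identity). OBJ-WEBSRV_PRIV
! must then carry no object NAT of its own.
object network OBJ-USER_A
 host 3.3.3.3
nat (INT_B,outside) source static OBJ-WEBSRV_PRIV OBJ-WEBSRV_PUB destination static OBJ-USER_A OBJ-USER_A
nat (INT_B,INT_A) source static OBJ-WEBSRV_PRIV OBJ-WEBSRV_PUB destination static OBJ-USER_A OBJ-USER_A
!
! Check which rule each path hits: untranslate_hits should increase on the
! (INT_B,outside) rule when User_A comes in over the VPN and on the
! (INT_B,INT_A) rule over the leased line.
!   show nat detail
!   show conn address 3.3.3.3
```

Pick one option, not both. Twice NAT is the one to reach for when the translation must depend on the peer as well as the interface pair, which is exactly the situation here, where the same public address is served on two interfaces to a single known source.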

 

2 Replies

chris phillips
Level 1

I think it's a routing issue: how does the ASA know which interface to reply back to User_A on?

The ASA can choose to reply back via ASA INT_A or ASA INT_B.

 

I'm guessing you want it to reply back on the same interface it received the connection on, but if it has a choice it will respond either on the interface the default route is on or on the interface a specific route is on. If the VPN is up it'll likely want to reply over that, as the source IP will be associated with it as part of the VPN config.

 

Can you elaborate more on what the IP SLA config is?


-If I helped you somehow, please, rate it as useful.-

We don't have any explicit routes defined for traffic returned back over VPN tunnel through the outside interface.

 

For the leased line traffic, we have an IP SLA monitor with ICMP check to a remote IP reachable over INT_A.  The route back to the client source IP is made through INT_A with tracking tied to the monitor.

 

For example - route INT_A 3.3.3.3 255.255.255.255 {User_A router interface} 1 track 123.  When the SLA monitor for 123 is down, this route should not be active.  Assuming the leased line is down, User_A will then send their traffic over IPSec VPN tunnel.
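The tracking described above, written out as a complete ASA fragment. This is an added example, not configuration from the original post; the leased-line next hop 198.51.100.1, the probe target 198.51.100.2 behind it, and the outside default gateway 203.0.113.1 are assumed placeholder addresses, while the interface names, the track number and 3.3.3.3 come from the thread. Lines starting with "!" are comments.

```cisco
! Added example, not from the original post. 198.51.100.1 (User_A router on the
! leased line), 198.51.100.2 (probe target behind it) and 203.0.113.1 (outside
! default gateway) are assumed; INT_A, outside, track 123 and 3.3.3.3 are from
! the thread.
!
! Probe: ICMP echo every 10 s, pinned to INT_A so that a reply arriving via
! any other interface can never keep the track up.
sla monitor 123
 type echo protocol ipIcmpEcho 198.51.100.2 interface INT_A
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! Track object follows the reachability state of the probe.
track 123 rtr 123 reachability
!
! Host route to User_A over the leased line, installed only while track 123
! is up; this is the route quoted in the post.
route INT_A 3.3.3.3 255.255.255.255 198.51.100.1 1 track 123
!
! With the tracked route withdrawn, 3.3.3.3 falls back to the default route
! on outside, which is where the IPsec tunnel from User_A terminates.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Checks while failing the line over and back:
!   show sla monitor operational-state 123
!   show track 123
!   show route | include 3.3.3.3
```

Two things to watch when using this: the probe target should be a host that is only reachable across the leased line (the "interface INT_A" keyword pins the probe's egress, but a target that also answers from elsewhere makes the result harder to interpret), and the tracked route governs only where the ASA sends traffic to 3.3.3.3; it says nothing about which interface User_A's packets arrive on, so the two sides can disagree during the switchover window.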
