11-08-2017 07:09 AM - edited 02-21-2020 06:40 AM
Environment
ASA Outside interface will be used to establish IPSec VPN tunnel from remote User_A.
ASA INT_A interface will be used to connect a leased line circuit from remote User_A.
ASA INT_B interface is a private LAN segment that hosts a single web server to be accessed by User_A.
User_A always has the same source IP - 3.3.3.3 - whether sending traffic over leased line or VPN.
User_A connects to destination IP - 2.2.2.2 - public IP of the web server, over both paths.
User_A chooses which path to use to reach 2.2.2.2, depending on availability.
The web server private IP is 10.10.10.1.
On the ASA, IP SLA tracking is configured to prefer the leased line when available. A couple of object NATs are created, one for each interface.
object network OBJ-WEBSRV_PRIV
host 10.10.10.1
object network OBJ-WEBSRV_PUB
host 2.2.2.2
object network OBJ-WEB_SRV_PRIV
nat (INT_B,outside) static OBJ-WEBSRV_PUB
object network OBJ-WEB_SRV_PRIV
nat (INT_B,INT_A) static OBJ-WEBSRV_PUB
Are there any issues with the above configuration design? Is there any reason to use twice NAT instead? Assume the correct ACLs are in place. We have been successful in establishing connectivity over VPN only (with no leased line configuration in place), and likewise over leased line only (with no VPN tunnel configuration in place). The issue arises when we try to combine both with the IP SLA and multiple object NATs.
Please advise; thanks.
11-08-2017 08:16 AM
I think it's a routing issue: how does the ASA know which interface to reply back to User_A on?
The ASA can choose to reply back via ASA INT_A or ASA INT_B.
I'm guessing you want it to reply back on the same interface it received the connection on, but if it has a choice it will either respond on the interface with the default route or the interface with a specific route. If the VPN is up it'll likely want to reply over that, as the source IP will be associated with that as part of the VPN config.
Can you elaborate more on what the IP SLA config is?
11-08-2017 09:16 AM
We don't have any explicit routes defined for traffic returned over the VPN tunnel through the outside interface.
For the leased line traffic, we have an IP SLA monitor with an ICMP check to a remote IP reachable over INT_A. The route back to the client source IP is made through INT_A, with tracking tied to the monitor.
For example: route INT_A 3.3.3.3 255.255.255.255 {User_A router interface} 1 track 123. When the SLA monitor for 123 is down, this route should not be active. Assuming the leased line is down, User_A will then send their traffic over the IPsec VPN tunnel.
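As an added illustration (not configuration from this thread), the tracked route described above together with the web server mapping written as twice (manual) NAT rather than object NAT; ASA object NAT allows only one nat statement per network object, whereas twice NAT can reference the same objects in one rule per interface pair. The SLA target 192.0.2.10 and the User_A next hop 192.0.2.1 are placeholders, and the interface names, object names and addresses are the ones given in the post.

```cisco
! --- IP SLA probe over the leased line (target IP is a placeholder) ---
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.10 interface INT_A
 frequency 10
sla monitor schedule 123 life forever start-time now
track 123 rtr 123 reachability

! --- Return route to User_A, active only while the probe succeeds ---
! (next hop 192.0.2.1 is a placeholder for the User_A router interface)
route INT_A 3.3.3.3 255.255.255.255 192.0.2.1 1 track 123

! --- Web server objects, as in the post ---
object network OBJ-WEBSRV_PRIV
 host 10.10.10.1
object network OBJ-WEBSRV_PUB
 host 2.2.2.2

! --- Same private->public mapping on both paths, as twice NAT ---
! One rule per interface pair; both rules reuse the same two objects.
nat (INT_B,INT_A) source static OBJ-WEBSRV_PRIV OBJ-WEBSRV_PUB
nat (INT_B,outside) source static OBJ-WEBSRV_PRIV OBJ-WEBSRV_PUB
```

After applying, `show track 123` and `show route | include 3.3.3.3` show whether the leased line route is installed, and `show xlate` lets you confirm which interface pair a given translation was built on.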