1034 Views, 25 Helpful, 8 Replies

NAT issue with IPSEC Failover

NETAD
Level 4

Hello, how can I get the static NAT statements to dynamically shift when an IPsec tunnel is down, so that the ASA does not use it?


8 Replies

Marvin Rhoads
Hall of Fame

They won't dynamically shift.


Generally speaking, static NAT statements would implement NAT exemption for VPN tunnels. If the tunnel is down (either its primary peer address or a backup), then you should not be able to reach the remote networks. So the fact that the original NAT statement is still applied is moot.


If you're using it differently, please explain and perhaps we can offer a more precise explanation.

So here are the NAT statements. The ASA is directly connected to the MPLS and Internet circuits. When the MPLS circuit goes down (tracked by IP SLA and tracking), the ASA uses its default route to create an IPsec tunnel over the Internet circuit, but the first NAT statement keeps getting hit and so the tunnel won't get established.


nat (Inside,Mpls) source static LOCAL LOCAL destination static REMOTE REMOTE
nat (Inside,Outside) source static LOCAL LOCAL destination static REMOTE REMOTE

The way you have it should work if your routing and the tracking are all correctly in place.


Have you confirmed that the path to the remote subnets is using the default route? If it is, then when that default flips to the alternate path, routing in the ASA should tell it to use the alternate egress interface, and thus the alternate NAT statement would be in effect.


I've set up several using that logic and they work just fine.

Yes, routing is getting updated once the tracking is down, but for some reason not the NAT. Isn't NAT processed before routing on an ASA? On a side note, I am doing this on an ASAv before applying the config to my client's ASA. Would it behave differently on a virtual appliance?

While NAT is, in general, processed before routing, there is a partial routing step to look up the destination interface when checking the NAT rule.


This should be the same on ASAv as on a physical appliance.

Try adding the route-lookup keyword to the end of your NAT statements. This will force the NAT statements to follow the routing table and not override the routing table.

--
Please remember to select a correct answer and rate helpful posts

That's a good suggestion Marius. I agree.

Worked like magic!! Thanks Marius.
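For reference, here is how the accepted answer fits together with the IP SLA tracking the original poster described, as an added example that is not part of any post in this thread. The object names and interface names match the thread; the subnets, the tracked MPLS next hop and the Internet next hop are assumed placeholder values.

```text
! Constructed example: ASA (8.3+ NAT syntax) with MPLS primary path and
! Internet/IPsec backup, where identity NAT must follow the routing table.

object network LOCAL
 subnet 10.10.10.0 255.255.255.0          ! assumed local subnet
object network REMOTE
 subnet 10.20.20.0 255.255.255.0          ! assumed remote subnet

! Track reachability of the MPLS provider next hop (assumed 192.0.2.1).
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface Mpls
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Primary route to the remote subnet over MPLS is withdrawn when track 1 fails;
! traffic then falls back to the default route out the Internet interface.
route Mpls 10.20.20.0 255.255.255.0 192.0.2.1 1 track 1
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1   ! assumed ISP next hop

! Before: identity NAT pins the egress interface to Mpls, so the (Inside,Mpls)
! rule still matches after failover and the IPsec path is never used.
!   nat (Inside,Mpls) source static LOCAL LOCAL destination static REMOTE REMOTE
!   nat (Inside,Outside) source static LOCAL LOCAL destination static REMOTE REMOTE

! After: route-lookup makes the identity NAT rule defer to the routing table
! for the egress interface, so the rule only applies when routing agrees.
nat (Inside,Mpls) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
nat (Inside,Outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
```

Note that route-lookup only changes egress-interface selection for identity NAT (real and mapped objects identical), which is the NAT-exemption case here; a static rule that actually translates addresses still uses the interface named in the rule. "show nat detail" and "show track" are the usual checks that the expected rule is being hit after the tracked route is withdrawn.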