Resilient NAT

Sunset666_2

Hi guys

I need to set up an ASA 5520 to correctly NAT over two WAN links. The idea sounds pretty straightforward but it is not; I have only 2 IPs that are involved with the NAT:

192.168.1.10 (NATed Server) -- 172.16.1.10 (Web Server)

I have 2 interfaces that should be applied to it, let's say outside1 and outside2. The server is reachable through each outside interface; the outside interface is selected upon dynamic routing, and that is working OK.

So if link outside1 is up, the NAT follows this schema:

192.168.1.10(inside) -- 172.16.1.10(outside1)

That works fine, but I want that to automagically change over, when the link outside1 is down, to

192.168.1.10(inside) -- 172.16.1.10(outside2).

I know I can't have a NAT with 2 IPs and 2 different interfaces (ASDM doesn't allow me to). Is there a way to implement this?


Andrew, I don't want to bother you with this, but 2 things:

1. I already had the config you suggest, I was posting the wrong static rules

2. It doesn't work dynamically: when I route to interface Outside1 it works; when I switch to Outside2 I must delete the NAT rule associated with interface Outside1 in order to get Outside2 working.

I know I should pay more attention to these details and avoid wasting your time. I'm really sorry about it. I'm back to the drawing board; any suggestions?

Post your entire config (remove passwords).

Sent from Cisco Technical Support iPad App

ASA Version 8.2(1)
!
hostname ASA-Branch
!
interface GigabitEthernet0/0
 nameif ISP1
 security-level 20
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif ISP2
 security-level 50
 ip address 10.10.60.55 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
 port-object eq 53400
 port-object eq 53401
 port-object eq 53501
 port-object eq 53511
 port-object eq 53521
 port-object eq 53541
 port-object eq 53551
 port-object eq 53561
access-list Inside_access_in extended permit tcp any host 192.168.1.10 object-group Ports-Branch
pager lines 24
logging enable
logging asdm informational
mtu ISP1 1500
mtu Inside 1500
mtu ISP2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any ISP2
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (ISP1) 10 interface
global (ISP2) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
static (ISP2,Inside) 192.1.2.50 172.17.254.10 netmask 255.255.255.255
static (ISP1,Inside) 192.1.2.50 172.17.254.10 netmask 255.255.255.255
access-group ISP1_access_in in interface ISP1
access-group Inside_access_in in interface Inside
access-group ISP2_access in interface ISP2
!
router eigrp 10
 network 10.10.60.0 255.255.255.0
 network 10.0.1.0 255.255.255.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end

I've removed some trivial info (I hope); pretty much this is how it is configured.

I see the issue now - it makes sense that you need to remove the static entry via ISP1 for it to work. NAT is an up > down process, so the ISP1 entry will be hit every time.

The only way I can think of right now is to NAT the traffic before it gets to the ASA, like putting a router in front of the Branch ASA, or to NAT it closer to the source with a route map that defines the destination subnet.

HTH

Sunset666_2

Hi Andrew,

So I was right in thinking of using a router with the ISP links and a link to the ASA, and configuring the ASA with a single inside/outside schema.

BTW, thank you very much for your advice.

Sent from Cisco Technical Support iPhone App

Hi,

In this instance right now - yes that is probably the best way to solve this requirement, if you have a spare router lying around doing nothing!!

Sure - no problem, glad it was of some help.

Honestly I don't have a spare router, but this scenario leaves me no choice but to acquire one.

Thank you very much for your time

OK - as I mentioned, another option could be to NAT the web server closer to the source, then advertise the NAT'd IP via EIGRP.
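As an added example (not code from the thread or from either poster), here is the router-in-front design Andrew describes: one IOS router holds both ISP links, the ASA keeps a single outside interface, and the router does the destination NAT and advertises the NAT'd address by EIGRP. The NAT addresses, ISP subnets and EIGRP AS are taken from the posted ASA config; the interface names, the 10.0.2.0/30 link to the ASA, the seed metric, and the use of add-route plus redistribute static to carry the host route are assumptions.

```cisco
! Added example, not from the thread. Router placed between the two ISP
! links and a single ASA outside interface. Addresses and EIGRP AS come
! from the posted ASA config; interface names, the 10.0.2.0/30 link to
! the ASA and the seed metric are assumptions.
hostname Branch-Edge
!
interface GigabitEthernet0/0
 description ISP1 (address moved here from ASA GigabitEthernet0/0)
 ip address 10.0.1.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description ISP2 (address moved here from ASA GigabitEthernet0/2)
 ip address 10.10.60.55 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description Link to the ASA outside interface (assumed addressing)
 ip address 10.0.2.1 255.255.255.252
 ip nat inside
!
! Inside hosts keep addressing the web server as 192.1.2.50. The router
! rewrites that destination to the real 172.17.254.10 and forwards it
! over whichever ISP link EIGRP currently prefers. One rule covers both
! links, which is exactly what the two per-interface ASA statics could
! not do. add-route installs the host route for 192.1.2.50 that an
! inside-to-outside packet needs, since IOS routes before it translates
! in that direction.
ip nat outside source static 172.17.254.10 192.1.2.50 add-route
!
router eigrp 10
 network 10.0.1.0 0.0.0.255
 network 10.10.60.0 0.0.0.255
 network 10.0.2.0 0.0.0.3
 ! Advertise the NAT'd address toward the ASA. Assumption: the add-route
 ! entry shows up as a static host route, so redistribute static carries
 ! it; confirm with show ip route 192.1.2.50 before relying on it.
 redistribute static metric 10000 100 255 1 1500
 no auto-summary
```

On the ASA the two static rules and the second ISP interface are no longer needed; it only has to route 192.1.2.50 toward the router, either by EIGRP on the 10.0.2.0/30 link or with a plain default route.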
