04-04-2018 05:42 AM - edited 02-21-2020 07:35 AM
Hi,
Can anyone help me to carry out static NAT on an ASAv in Azure?
04-04-2018 08:51 AM
It's the same config as any other ASA.
Here are some examples:
HTH
Bogdan
04-04-2018 10:53 PM
Thanks for the doc.
I am looking for the scenario where the Azure load balancer comes into the picture.
08-06-2018 10:23 AM
08-08-2018 10:15 AM
Try this:
I have found a workaround. It should be noted that static NAT for multiple web servers works fine on a single-instance ASAv in Azure if you add additional IP configurations for the IPs of each internal web server using the method in the video below. Create your static NAT rules as normal, then create the additional IP configurations against the management/outside interface in Azure to correspond to the ASAv addresses, with a public IP attached.
https://www.youtube.com/watch?v=FUZMTBZrA74
In an HA configuration it does not appear to be possible to create load balanced rules with health probes on the Azure Load Balancer against secondary IP configurations on the management/outside interface, even if you create an additional backend pool on the load balancer for the secondary IP configurations. This is stated in the Cisco documentation here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start/asav-quick/asav-azure.html
Note: If your deployment uses an Azure Load Balancer, health probes are not supported on secondary IP addresses assigned on ASAv NICs.
As a workaround I first decided to add new Frontend IP addresses on the Azure Load Balancer for each of my web servers. I then created NAT rules on each of the ASAvs in the HA pair to translate the web port on each web server to a different port which could be presented on the outside/management interface of the ASAv using the following commands:
Create the NAT rule for each web server:
! One network object plus one static interface PAT per web server (real port www -> translated port 6480)
object network internal-web-server
 host internal_IP_of_web_server
 nat (inside,management) static interface service tcp www 6480
Then allow traffic into the web port of your web server on the inbound access list which is bound to the management/outside interface:
access-list management-inbound extended permit tcp any object internal-web-server eq www
Next modify the ASAv NSG (Network Security Group) in Azure to allow TCP traffic through to the ASAvs on port 6480.
Finally create a load balanced rule on one of the newly created Frontend IP addresses in the Azure Load Balancer which points to the backend pool of the two ASAvs, which translates anything that comes in to the load balancer front end IP for this server from port 80 to port 6480. The traffic flow is as follows:
===> Port 80 on LB Frontend IP ===> Port 6480 on LB Backend ASAvs ===> Port 80 on Web Server
Because this configuration allows you to use health probes on the management interfaces of the 2 ASAvs, the rule will failover to the backup ASAv in the event of the primary ASAv failing. You can create different NAT rules and load balancer rules for each website that you have behind the HA pair of ASAvs. Use a different translated port on the ASAvs and load balancer rules for each web server you have behind the firewall. Config wise this is also simpler than static NAT rules as the configuration is the same on each ASAv for each web server.
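The procedure in the post above (a distinct translated port per web server on the ASAv, one load balancer frontend IP and rule per server mapping port 80 to that translated port, and an NSG rule per translated port), as an added example that is not part of the original thread: a small Python generator that assigns non-colliding translated ports, emits the ASAv object/NAT/ACL lines in the same shape as the post, emits the matching Azure CLI commands, and checks a config for two static rules presenting the same outside port. The resource names (rg-asav, lb-asav, asav-backend, nsg-asav, pip-<server>), the reserved-port set, the health-probe port, the NSG priorities and the sample server list are assumptions for illustration, not from the thread.

```python
"""Generate per-web-server ASAv NAT/ACL config plus matching Azure LB/NSG commands.

Added example, not from the thread. The thread shows one web server on
translated port 6480; this generalises to N servers, each with its own port.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: ports already in use on the ASAv outside/management interface
# (e.g. SSH and HTTPS management) that must not be reused for a NAT rule.
RESERVED_PORTS: Set[int] = {22, 443}
FIRST_XLATE_PORT = 6480  # the translated port chosen in the thread


@dataclass
class WebServer:
    name: str        # becomes the ASA object name
    inside_ip: str
    real_port: int = 80


def assign_xlate_ports(servers: List[WebServer], start: int = FIRST_XLATE_PORT,
                       reserved: Set[int] = RESERVED_PORTS) -> Dict[str, int]:
    """Give every server a distinct translated port, skipping reserved ones."""
    ports: Dict[str, int] = {}
    port = start
    for s in servers:
        while port in reserved or port in ports.values():
            port += 1
        ports[s.name] = port
        port += 1
    return ports


def asa_config(servers: List[WebServer], ports: Dict[str, int], inside: str = "inside",
               outside: str = "management", acl: str = "management-inbound") -> List[str]:
    """ASAv lines in the same shape as the thread's object / nat / access-list."""
    lines: List[str] = []
    for s in servers:
        lines += [
            f"object network {s.name}",
            f" host {s.inside_ip}",
            f" nat ({inside},{outside}) static interface service tcp {s.real_port} {ports[s.name]}",
        ]
    # ACLs on ASA 8.3+ match the real (untranslated) address and port, so the
    # permit names the server object and its real port, not the translated port.
    # The ACL is assumed to be already bound to the outside interface, as in the post.
    for s in servers:
        lines.append(f"access-list {acl} extended permit tcp any object {s.name} eq {s.real_port}")
    return lines


def az_commands(servers: List[WebServer], ports: Dict[str, int], rg: str = "rg-asav",
                lb: str = "lb-asav", pool: str = "asav-backend", nsg: str = "nsg-asav",
                probe: str = "asav-probe", probe_port: int = 443,
                nsg_priority: int = 200) -> List[str]:
    """Azure CLI calls: one TCP probe against the ASAvs themselves, then per server a
    frontend IP, an LB rule real_port -> translated port, and an NSG rule opening
    the translated port. Resource names and the probe port are assumptions."""
    cmds = [f"az network lb probe create -g {rg} --lb-name {lb} -n {probe} "
            f"--protocol Tcp --port {probe_port}"]
    for i, s in enumerate(servers):
        fe = f"fe-{s.name}"
        xp = ports[s.name]
        cmds.append(f"az network lb frontend-ip create -g {rg} --lb-name {lb} -n {fe} "
                    f"--public-ip-address pip-{s.name}")
        cmds.append(f"az network lb rule create -g {rg} --lb-name {lb} -n rule-{s.name} "
                    f"--protocol Tcp --frontend-ip-name {fe} --frontend-port {s.real_port} "
                    f"--backend-pool-name {pool} --backend-port {xp} --probe-name {probe}")
        cmds.append(f"az network nsg rule create -g {rg} --nsg-name {nsg} -n allow-{s.name} "
                    f"--priority {nsg_priority + i} --direction Inbound --access Allow "
                    f"--protocol Tcp --destination-port-ranges {xp}")
    return cmds


NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) static interface service tcp \S+ (\d+)\s*$")


def find_duplicate_xlate_ports(config_lines: List[str]) -> Dict[int, int]:
    """Return {translated_port: count} for ports used by more than one static
    interface-PAT rule on the same interface pair; a non-empty result means two
    servers would be presented on the same outside port."""
    seen: Dict[tuple, int] = {}
    for line in config_lines:
        m = NAT_RE.match(line)
        if m:
            key = (m.group(1), m.group(2), int(m.group(3)))
            seen[key] = seen.get(key, 0) + 1
    return {k[2]: n for k, n in seen.items() if n > 1}


if __name__ == "__main__":
    # Constructed sample inventory, not from the thread.
    servers = [WebServer("web1", "10.0.1.11"), WebServer("web2", "10.0.1.12"),
               WebServer("web3", "10.0.1.13")]
    ports = assign_xlate_ports(servers)
    print("\n".join(asa_config(servers, ports)))
    print("\n".join(az_commands(servers, ports)))
```

Run it once per web server list and paste the ASA lines into both ASAvs of the HA pair; because the translated port is per server rather than per ASAv, the config is identical on both units, which is the simplification the post points out. The probe port is whatever port the ASAv actually answers on its management interface in your deployment, and the NSG priorities must not collide with rules already in the ASAv NSG.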
08-26-2018 03:18 PM