jakubholly
Beginner

NAT on cisco ASA according to server availability

Hi, simple scenario. A PC wants to get to a server.

The ASA checks the route to Server A and to Server B by IP SLA. Is there any option to translate the NAT IP on the ASA to the local IP of a server according to availability? (Server A and Server B are on different private addresses.)

Example, Server A is reachable:

client goes to Public IP -> on ASA NAT to private IP in subnet of Server A

Example, Server B is reachable:

client goes to Public IP -> on ASA NAT to private IP in subnet of Server B

Any suggestion? Thanks a lot.

1 ACCEPTED SOLUTION

Hello,

What interface is IP 213.71.143.136 configured on?

The only object (and NAT) you have refers to:

object network Public
host 213.71.142.140

Either way, the EEM script (two, actually) would look something like this:

 

event manager applet PRIMARY_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "object network server-BA-int"
action 4.0 cli command "no nat (inside,outside) static Public service tcp 9989 9989"
action 5.0 cli command "exit"
action 6.0 cli command "object network server-BB-int"
action 7.0 cli command "nat (inside,outside) static Public service tcp 9989 9989"
action 8.0 cli command "end"
!
event manager applet PRIMARY_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "object network server-BB-int"
action 4.0 cli command "no nat (inside,outside) static Public service tcp 9989 9989"
action 5.0 cli command "exit"
action 6.0 cli command "object network server-BA-int"
action 7.0 cli command "nat (inside,outside) static Public service tcp 9989 9989"
action 8.0 cli command "end"


4 REPLIES
Georg Pauwen
VIP Expert

Hello,

You could combine the IP SLA with an EEM script. The EEM script adds/removes the necessary NAT translation based on the state of the IP SLA.

Post the config of the ASA.

Hi Georg,

Thanks for your reply. It should listen on public 213.71.143.136:9989 and translate it to the private IP of whichever of the 2 servers is currently available. The SLA tracks the end address. Maybe EEM could help.

 

 


hostname ciscoasa
names
!
interface Ethernet0/0
nameif outside
security-level 100
ip address 10.152.222.17 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 0
ip address 10.152.222.11 255.255.255.240
!
object network server-BA-int
host 10.153.193.189
object network server-BB-int
host 10.152.193.189
object network Public
host 213.71.142.140
!
route inside 10.152.193.189 255.255.255.255 10.152.222.1 1 track 1
route inside 10.153.193.189 255.255.255.255 10.152.222.1 254
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
sla monitor 123
type echo protocol ipIcmpEcho 10.152.193.189 interface inside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
object network server-BA-int
nat (inside,outside) static Public service tcp 9989 9989
object network server-BB-int
nat (inside,outside) static Public service tcp 9989 9989
!
telnet timeout 5
ssh timeout 5


There is no interface with this IP, but the communication (with DA 213.71.142.140) comes in on the outside interface. The ASA is special in that you can translate an IP without having it on some interface.