Showing results for 
Search instead for 
Did you mean: 

Source and Destination NAT with ISR2 for ASA Backup Internet Feed

Level 1
Level 1

Hi guys,

I am trying to setup a backup internet connection to an ASA for Remote VPN in emergency cases where the primary internet conncetion is unavailable. The two internet connections should wouk side-by-side for Remote VPN login. The problem is always the return path, as I need the backup internet feed to be working even if the default route to the primary connection is installed. I tried different things, like route-map with sepcifig next-hop pointing back to a router of the backup connection, however, I had to accept the fact that PBR does just not work.

The easiest for me to solve that problem was to connect a small Linux box between backup connection and ASA. There is an interface with the (backup) internet connection, and a point-to-point /30 for connecting the Linux box with the ASA. Then with the two NAT Rules:

iptables -t nat -A PREROUTING -i <backupInet> -p tcp --dport 10000 -j DNAT --to-destination <ASA P2P IP>:10000
iptables -t nat -A POSTROUTING -d <ASA P2P IP> -o <Int-to-ASA> -p tcp --dport 10000 -j MASQUERADE

...i can manage that the ASA received the packets as if they were originated from the IP of the Linux box (out of that /30), so it does not need another default route for the return path. The prerouting rule rewrites the destination address (before routing decision), then routed to the proper Interface heading to the ASA, and after routing the source address of the packet is replaced by the IP of that outgoing interface (out of that p2p /30) with connection tracking so that the Linux box knows the return path to the originating client.

Now the ugly part on this is just the Linux box. We are terminating the backup connection on a Cisco 1921, is it somehow possible to do those two "simple" iptables routes in IOS? I setup the overloading NAT heading ASA, however, I was never able to solve the "prerouting" thing, rewriting the destination address if the destination in the received packet is the IP of the coresponding interface before the routing decision. I tied that with pbr and different NAT rules, but that didn't work. I managed to rewrite both destination and source address after each other, but just without overloading, in which case the return path doesn't work.

Is there a possibility to do that on some ISR2 Router? Or is it possible to solve the problem differently, like straight on the ASA for example?

Thanks for any inputs!


0 Replies 0
Review Cisco Networking for a $25 gift card