09-17-2019 07:53 AM
Hi!
(Please refer to the diagram below.)
I have two internet connections from different ISPs. Failover between the internet connections has been configured with SLA monitor. The link via ISP1 is primary and ISP2 is standby; if the ISP1 link goes down, the default route fails over to ISP2. Dynamic NAT has been configured for internet access. But if HOST-A needs to access HOST-B, I need to NAT to a different IP address, 1.1.1.4, when the ISP1 link is working properly, and if the ISP1 link is down and HOST-A needs to access HOST-B, we need to NAT to 2.2.2.4.
Below is my NAT configuration.
object network host_10
host 192.168.1.10
object network remote_10
host 192.168.2.10
object network isp1-4
host 1.1.1.4
object network isp2-4
host 2.2.2.4
nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10
nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10
While the ISP1 link works, HOST-A can connect to HOST-B. When the ISP1 link is down, HOST-A can't connect to HOST-B because the NAT rule matches the first rule, which points to ISP1 and translates to the ISP1 IP.
In the case above we want HOST-A translated to IP 1.1.1.4 when connecting to HOST-B via ISP1 and translated to 2.2.2.4 when HOST-A connects to HOST-B via the ISP2 link.
NAT with route-lookup doesn't work.
Thanks for any response!
09-19-2019 01:37 AM
Hello,
I have adapted the config. The problem with the same syslog ID (622001) that is used for both the add and remove of the tracked route should be solved by adding the 'occur' keyword. The first script would be triggered at the first occurrence (which is equivalent to the primary route failure and subsequent removal), the second one on the second occurrence (which is equivalent to the primary route being added back). The log is cleared after the second script is removed, so there should always be only 1 or 2 occurrences of the syslog ID in the buffer:
track 1 rtr 1 reachability
!
route ISP1OUT 0.0.0.0 0.0.0.0 x.x.x.x track 1
route ISP2OUT 0.0.0.0 0.0.0.0 y.y.y.y 20
!
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1OUT
timeout 1000
frequency 3
!
sla monitor schedule 1 life forever start-time now
!
event manager applet TRACK_ISP1_DOWN
event syslog id 622001 occurs 1
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,ISP1OUT) source static host_10 isp1-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,ISP2OUT) source static host_10 isp2-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
!
event manager applet TRACK_ISP1_UP
event syslog id 622001 occurs 2
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,ISP2OUT) source static host_10 isp2-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,ISP1OUT) source static host_10 isp1-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
action 7 cli command "clear logging buffer"
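As an added example (not from the thread or from Cisco), here is a small Python check that reads the ASA 622001 syslog the accepted answer keys on and reports which translation HOST-A should currently have, both from the message text ('Adding'/'Removing') and from the 'occurs 1'/'occurs 2' counting the two applets use. The sample log lines and the next hop 203.0.113.1 are constructed.

```python
import re

# Added example, not from the thread. Parses ASA syslog 622001 (tracked route
# added/removed) and derives which translation HOST-A should have according to
# (a) the message text and (b) the 1st/2nd-occurrence counting of the applets.
# Sample lines are constructed; 203.0.113.1 stands in for the thread's x.x.x.x.
SAMPLE_LOG = """\
%ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, table default, on interface ISP1OUT
%ASA-6-305011: Built static TCP translation from inside:192.168.1.10/50000 to ISP2OUT:2.2.2.4/50000
%ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, table default, on interface ISP1OUT
"""

RE_622001 = re.compile(r"%ASA-\d-622001: (Adding|Removing) tracked route .* on interface (\S+)")
# Static NAT for HOST-A per egress interface, as in the thread's object definitions.
NAT_BY_INTERFACE = {"ISP1OUT": "1.1.1.4", "ISP2OUT": "2.2.2.4"}

def tracked_route_events(log_text):
    """Return (action, interface) for every 622001 line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = RE_622001.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events

def egress_by_content(events, primary="ISP1OUT", backup="ISP2OUT"):
    """'Removing' on the primary interface means failover, 'Adding' means failback."""
    active = primary
    for action, iface in events:
        if iface == primary:
            active = backup if action == "Removing" else primary
    return active

def egress_by_count(events, primary="ISP1OUT", backup="ISP2OUT"):
    """Mirror the applets: 1st 622001 -> DOWN, 2nd -> UP and clear the buffer."""
    active, count = primary, 0
    for _ in events:
        count += 1
        if count == 1:
            active = backup
        else:
            active, count = primary, 0  # 'clear logging buffer' restarts the count
    return active

def expected_translation(log_text):
    """Translated source address HOST-A should have right now, per method."""
    ev = tracked_route_events(log_text)
    return {"by_content": NAT_BY_INTERFACE[egress_by_content(ev)],
            "by_count": NAT_BY_INTERFACE[egress_by_count(ev)]}
```

The two views agree as long as the buffer always starts with a 'Removing'; if the first logged 622001 is an 'Adding' (for instance after a reload or a manual clear), the count-based view flips, which is worth confirming with 'show nat' after a failover.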
09-17-2019 08:26 AM
Hello
What ASA are you using for this?
Possible example:
int gig0/1
nameif ISP1OUT
ip address 1.1.1.1 255.255.255.0
int gig0/2
nameif ISP2OUT
ip address 2.2.2.1 255.255.255.0
int gig0/0
nameif inside
ip address 192.168.1.1 255.255.255.0
access-list ISP1_IN permit ip any host 1.1.1.1
access-list ISP2_IN permit ip any host 2.2.2.1
access-group ISP1_IN in interface ISP1OUT
access-group ISP2_IN in interface ISP2OUT
nat control
static (inside,ISP1OUT) 1.1.1.1 192.168.1.10 netmask 255.255.255.255
static (inside,ISP2OUT) 2.2.2.1 192.168.1.10 netmask 255.255.255.255
09-18-2019 01:15 AM
Hello
@ratha chum wrote:
Thanks for your response, but maybe you don't understand what I want.
What I want are :
Host-A(192.168.1.10) connect to Host-B(192.168.2.10) via ISP1, the firewall need to translate 192.168.1.10 --> 1.1.1.4.
Then internet ISP1 down.
Host-A connect to Host-B via ISP2, the firewall need to translate 192.168.1.10 --> 2.2.2.5.
access-list ISP1_IN permit ip any host 1.1.1.4
access-list ISP2_IN permit ip any host 2.2.2.5
access-group ISP1_IN in interface ISP1OUT
access-group ISP2_IN in interface ISP2OUT
nat control
static (inside,ISP1OUT) 1.1.1.4 192.168.1.10 netmask 255.255.255.255
static (inside,ISP2OUT) 2.2.2.5 192.168.1.10 netmask 255.255.255.255
09-18-2019 07:31 AM
Hello,
The command has been deprecated. What are you trying to configure?
09-18-2019 06:01 AM
Hello,
You could use an EEM script such as the one below, which basically removes the static entry to ISP1 when ISP1 is down and adds the entry for ISP2. The second EEM script reverses the process.
event manager applet TRACK_NAT_DOWN
event track 1 state down
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
!
event manager applet TRACK_NAT_UP
event track 1 state up
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
09-18-2019 08:24 AM
Hello,
use:
event syslog pattern
followed by the syslog message that is generated when the primary connection (to ISP1) goes down...
09-19-2019 02:40 AM - edited 09-19-2019 02:50 AM
Great, it is working!
Thanks so much!