Static NAT for two internet connect

ratha chum

Hi!

(Please refer to the diagram below.)

I have two internet connections from different ISPs. Internet failover has been configured with SLA monitor. The link via ISP1 is primary and ISP2 is standby; if the ISP1 link goes down, the default route will route to ISP2. Dynamic NAT has been configured for internet access. But if HOST-A needs to access HOST-B, I need to NAT to another IP address, 1.1.1.4, when the ISP1 link is working properly, and if the ISP1 link is down and HOST-A needs to access HOST-B, we need to NAT to 2.2.2.4.

Below is my NAT configuration.

 

object network host_10
host 192.168.1.10
object network remote_10
host 192.168.2.10
object network isp1-4
host 1.1.1.4
object network isp2-4
host 2.2.2.4

nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10
nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10

While the ISP1 link works, HOST-A can connect to HOST-B. When the ISP1 link is down, HOST-A can't connect to HOST-B, because NAT matches the first rule, which points to ISP1 and translates to the ISP1 IP.

In the case above we want HOST-A translated to IP 1.1.14 when connecting to HOST-B via ISP1, and translated to 2.2.2.4 when HOST-A connects to HOST-B via the ISP2 link.

NAT with route-lookup doesn't work.

Thanks for any response!

NAT.png


12 Replies

Hello

What ASA are you using for this?

Possible example:

int gig0/1
nameif ISP1OUT
ip address 1.1.1.1 255.255.255.0

int gig0/2
nameif ISP2OUT
ip address 2.2.2.1 255.255.255.0

int gig0/0
nameif inside
ip address 192.168.1.1 255.255.255.0


access-list ISP1_IN permit ip any host 1.1.1.1
access-list ISP2_IN permit ip any host 2.2.2.1

access-group ISP1_IN in interface ISP1OUT
access-group ISP2_IN in interface ISP2OUT

nat control
static (inside,ISP1OUT) 1.1.1.1 192.168.1.10 netmask 255.255.255.255
static (inside,ISP2OUT) 2.2.2.1 192.168.1.10 netmask 255.255.255.255


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for your response, but maybe you didn't understand what I want.
What I want is:
Host-A (192.168.1.10) connects to Host-B (192.168.2.10) via ISP1; the firewall needs to translate 192.168.1.10 --> 1.1.1.4.
Then internet via ISP1 goes down.
Host-A connects to Host-B via ISP2; the firewall needs to translate 192.168.1.10 --> 2.2.2.5.

Hello


@ratha chum wrote:
Thanks for your response, but maybe you didn't understand what I want.
What I want is:
Host-A (192.168.1.10) connects to Host-B (192.168.2.10) via ISP1; the firewall needs to translate 192.168.1.10 --> 1.1.1.4.
Then internet via ISP1 goes down.
Host-A connects to Host-B via ISP2; the firewall needs to translate 192.168.1.10 --> 2.2.2.5.

access-list ISP1_IN permit ip any host 1.1.1.4
access-list ISP2_IN permit ip any host 2.2.2.5

access-group ISP1_IN in interface ISP1OUT
access-group ISP2_IN in interface ISP2OUT

nat control
static (inside,ISP1OUT) 1.1.1.4 192.168.1.10 netmask 255.255.255.255
static (inside,ISP2OUT) 2.2.2.5 192.168.1.10 netmask 255.255.255.255

 

 



Kind Regards
Paul

nat control
static (inside,ISP1OUT) 1.1.1.4 192.168.1.10 netmask 255.255.255.255
static (inside,ISP2OUT) 2.2.2.5 192.168.1.10 netmask 255.255.255.255

This command isn't recognized by ASA version 9.7.

Hello,

 

The command has been deprecated. What are you trying to configure?

Cisco ASA 9.7

Hello,

 

you could use an EEM script such as the one below, which basically removes the static entry to ISP1 when ISP1 is down, and adds the entry for ISP. The second EEM script reverses the process....

 

event manager applet TRACK_NAT_DOWN
event track 1 state down
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"

!

event manager applet TRACK_NAT_UP
event track 1 state up
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
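Hand-typed EEM applets like the pair above are easy to get subtly wrong: as first posted, both applets carried the same name, one action number was used twice, and the long `nat` commands were missing their closing quote, so the ASA would not have stored what the author intended. The following linter is an added example (not code from the thread or from Cisco) that parses `event manager applet` stanzas and reports those three defects plus a missing `event` trigger; the embedded `SAMPLE_CONFIG` is a constructed copy of the applets as originally posted, defects included.

```python
"""Lint Cisco ASA EEM applet stanzas for common hand-typing defects.

Added example, not part of the thread. It checks each
`event manager applet` block for: a duplicate applet name, a duplicate
`action N` number inside one applet, a `cli command "..."` whose closing
quote is missing, and an applet with no `event` trigger line.
"""
import re
from collections import Counter

# Constructed sample: the two applets as first posted in the thread.
# Defects: both are named TRACK_NAT, the second uses `action 3` twice,
# and the four long `nat` / `no nat` commands lack their closing quote.
SAMPLE_CONFIG = """\
event manager applet TRACK_NAT
event track 1 state down
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10
action 4 cli command "nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10
action 5 cli command "end"
action 6 cli command "clear xlate type static"
!
event manager applet TRACK_NAT
event track 1 state up
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,isp2) source static host_10 isp2-4 destination static remote_10 remote_10
action 3 cli command "nat (inside,isp1) source static host_10 isp1-4 destination static remote_10 remote_10
action 5 cli command "end"
action 6 cli command "clear xlate type static"
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)\s*$")
ACTION_RE = re.compile(r'^action (\d+) cli command (".*)$')
EVENT_RE = re.compile(r"^event (?!manager )\S+")


def parse_applets(text):
    """Split config text into applets: name, (number, quoted command) list, has_event."""
    applets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = APPLET_RE.match(line)
        if m:
            current = {"name": m.group(1), "actions": [], "has_event": False}
            applets.append(current)
            continue
        if current is None or not line or line == "!":
            continue
        if EVENT_RE.match(line):
            current["has_event"] = True
        a = ACTION_RE.match(line)
        if a:
            current["actions"].append((int(a.group(1)), a.group(2)))
    return applets


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    applets = parse_applets(text)
    for name, n in Counter(a["name"] for a in applets).items():
        if n > 1:
            findings.append(f"applet {name!r} defined {n} times; a re-entered "
                            f"applet name edits the existing applet rather than creating a new one")
    for ap in applets:
        if not ap["has_event"]:
            findings.append(f"{ap['name']}: no event trigger line")
        for no, n in Counter(no for no, _ in ap["actions"]).items():
            if n > 1:
                findings.append(f"{ap['name']}: action {no} used {n} times; "
                                f"only one command can be stored per action number")
        for no, cmd in ap["actions"]:
            # cmd starts with the opening quote; a terminated command ends with one too
            if len(cmd) < 2 or not cmd.endswith('"'):
                findings.append(f"{ap['name']}: action {no} has an unterminated quoted command")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it over a config file before pasting applets into the ASA; on the sample it reports six findings (one duplicate name, one duplicate action number, four unterminated commands), and it returns an empty list once the applets are renamed, renumbered and quoted as shown in the corrected post.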

 

firewall(config-applet)# event ?

event manager applet mode commands/options:
crashinfo Configure a crashinfo event trigger
memory-logging-wrap Configure an memory logging wrap event trigger
none Configure a manual event trigger
syslog Configure a syslog event trigger
timer Configure a timer event trigger

configure mode commands/options:
manager Configure event manager

exec mode commands/options:
manager Show configured event manager services
firewall(config-applet)# event tim

On ASA 9.7 it looks like `event track` isn't supported; above is the output.

Hello,

 

use:

 

event syslog pattern

 

followed by the syslog message that is generated when the primary connection (to ISP1) goes down...

ASA supports only `event syslog id`; it doesn't support `event syslog pattern`. The other problem is that the syslog ID for adding a tracked route and for removing a tracked route is the same ID (622001).

Hello,

 

I have adapted the config. The problem with the same syslog ID (622001) being used for both the add and the remove of the tracked route should be solved by adding the 'occurs' keyword. The first script would be triggered at the first occurrence (which is equivalent to the primary route failure and subsequent removal), the second one on the second occurrence (which is equivalent to the primary route being added back). The log is cleared after the second script is removed, so there should always be only 1 or 2 occurrences of the syslog ID in the buffer:

 

track 1 rtr 1 reachability
!
route ISP1OUT 0.0.0.0 0.0.0.0 x.x.x.x track 1
route ISP2OUT 0.0.0.0 0.0.0.0 y.y.y.y 20
!
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1OUT
timeout 1000
frequency 3
!
sla monitor schedule 1 life forever start-time now
!
event manager applet TRACK_ISP1_DOWN
event syslog id 622001 occurs 1
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,ISP1OUT) source static host_10 isp1-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,ISP2OUT) source static host_10 isp2-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
!
event manager applet TRACK_ISP1_UP
event syslog id 622001 occurs 2
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "no nat (inside,ISP2OUT) source static host_10 isp2-4 destination static remote_10 remote_10"
action 4 cli command "nat (inside,ISP1OUT) source static host_10 isp1-4 destination static remote_10 remote_10"
action 5 cli command "end"
action 6 cli command "clear xlate type static"
action 7 cli command "clear logging buffer"
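The trick in this answer is that one syslog ID (622001) drives two applets by occurrence count, and the `clear logging buffer` action in the second applet is what makes the pair reusable across repeated outages. The simulation below is an added example (not from the thread or from Cisco) that models that counting logic for a sequence of route flaps; it assumes, as the answer states, that the ASA counts messages with that ID since the buffer was last cleared and that clearing the buffer restarts the count from zero. It shows why omitting the clear would leave the NAT rules stranded on ISP1 during the second outage.

```python
"""Model of the occurrence-counted syslog trigger from the accepted answer.

Added example, not part of the thread. Assumption (taken from the answer,
not verified against ASA internals): `event syslog id 622001 occurs N`
fires when the N-th message with that ID is seen since the logging buffer
was last cleared, and `clear logging buffer` resets that count to zero.
"""

TRACK_SYSLOG_ID = 622001  # from the thread: logged on both tracked-route removal and re-add


class FailoverSim:
    """Tracks which NAT rule pair is installed as 622001 messages arrive."""

    def __init__(self, clear_buffer_on_up=True):
        self.count = 0              # 622001 messages since last buffer clear
        self.active_isp = "ISP1"    # NAT currently pointing at ISP1OUT
        self.firings = []           # applet names, in the order they ran
        self.clear_buffer_on_up = clear_buffer_on_up

    def syslog(self, msg_id):
        """Feed one syslog message to the simulated EEM engine."""
        if msg_id != TRACK_SYSLOG_ID:
            return
        self.count += 1
        if self.count == 1:                 # TRACK_ISP1_DOWN: route removed
            self.active_isp = "ISP2"
            self.firings.append("TRACK_ISP1_DOWN")
        elif self.count == 2:               # TRACK_ISP1_UP: route re-added
            self.active_isp = "ISP1"
            self.firings.append("TRACK_ISP1_UP")
            if self.clear_buffer_on_up:     # action 7: clear logging buffer
                self.count = 0
        # count >= 3: neither applet matches, NAT stays wherever it was


def run_flaps(n_flaps, clear_buffer_on_up=True):
    """Simulate n_flaps complete down/up cycles; return (final NAT side, firings)."""
    sim = FailoverSim(clear_buffer_on_up)
    for _ in range(n_flaps):
        sim.syslog(TRACK_SYSLOG_ID)   # ISP1 tracked route removed
        sim.syslog(TRACK_SYSLOG_ID)   # ISP1 tracked route added back
    return sim.active_isp, sim.firings


def nat_side_during_second_outage(clear_buffer_on_up=True):
    """One full cycle, then ISP1 fails again: which side is NAT pointing at?"""
    sim = FailoverSim(clear_buffer_on_up)
    for _ in range(3):                # down, up, down
        sim.syslog(TRACK_SYSLOG_ID)
    return sim.active_isp


if __name__ == "__main__":
    print("with clear:   ", run_flaps(2))
    print("without clear:", run_flaps(2, clear_buffer_on_up=False))
    print("second outage, with clear   ->", nat_side_during_second_outage(True))
    print("second outage, without clear->", nat_side_during_second_outage(False))
```

With the buffer clear in place every outage produces a DOWN/UP pair; without it the count reaches 3 and 4 on the second flap, no applet fires, and NAT remains on ISP1 while that link is down, which is exactly the symptom the original post describes. When deploying this on a real ASA, confirm the counting behaviour with `show event manager` and a deliberate test failover rather than relying on the model.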

Great, it is working!

 

Thanks so much!
