10-21-2009 06:04 AM - edited 02-21-2020 03:44 AM
We have 2 CASs that should be configured with HA and are located in the WAN zone of the FWSM. There is a static NAT, namely:
static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
where 10.0.0.1 is the IP of the CAM and the CAS has 20.0.0.1.
I have read that if the CAS and CAM are across the firewall then the CAM will not add the CAS as an HA unit. The NAT is as above.
10-21-2009 06:27 AM
Talha,
That is correct. HA with NAT'd CASs isn't supported.
HTH,
Faisal
10-21-2009 07:23 AM
Thanks Faisal,
So should I conclude that in my scenario it is not possible for me to configure CAS in HA?
10-21-2009 07:26 AM
If there's NAT in the picture, then yes, this won't work. If you can somehow remove the NAT and route between the CAS and CAM, then it should be fine.
[Edit] I just looked at the NAT closely and apologize for giving you the wrong information. The only scenario when NAT breaks things is when the IP addresses are different when you're NAT'ing (e.g. 10.x being NAT'ed to 192.168.x when reaching the CAM, etc.).
In this scenario where the NAT and the actual IP are the same it should work. You'll just have to ensure that the required traffic flow is open between the devices.
HTH,
Faisal
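The distinction drawn in the answer above (a static whose mapped and real addresses are the same versus one that actually rewrites the address) can be checked mechanically over a firewall config. This is an added example, not part of the original thread and not Cisco code; the function names are hypothetical, only the plain `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]` form is parsed, and the second sample line is constructed from the 10.x to 192.168.x case mentioned in the answer.

```python
import ipaddress
import re

# Plain host/network form only; port-redirection statics are not handled.
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)

def classify_static(line):
    """Parse one static statement; return None if the line is not one."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    # Simplification (assumption): with no netmask given, the two
    # addresses are compared exactly as written, i.e. as hosts.
    mask = m.group("mask") or "255.255.255.255"
    mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
    real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
    return {
        "real_if": m.group("real_if"),
        "mapped_if": m.group("mapped_if"),
        "real": str(real),
        "mapped": str(mapped),
        # True when the far side sees the device's actual address.
        "identity": real == mapped,
    }

def audit(config_text):
    """Return the classification of every static statement in a config."""
    results = []
    for line in config_text.splitlines():
        info = classify_static(line)
        if info is not None:
            results.append(info)
    return results

# First line is from the thread; second line is constructed for contrast.
SAMPLE = """\
static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,WAN) 192.168.0.1 10.0.0.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        kind = "identity (address unchanged)" if entry["identity"] else "translating"
        print(f"{entry['real']} -> {entry['mapped']} on {entry['mapped_if']}: {kind}")
```
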
10-21-2009 07:30 AM
Dear Faisal,
The natting is a must as both the interfaces are of different security levels with inside and WAN as 100 and 70 respectively.
But the reason I am asking is that the NAT command is not changing the IP address in my case, as the translated IP is the same as the original IP.
static (inside,WAN) 10.0.0.1 10.0.0.1
But I have read the doc, and it talks about translated and original IP in general and there are no general details.