8.3 IOS - Two Outside Interfaces - Configure NAT

Unanswered Question
Jun 18th, 2010

I have two Internet circuits that I want to connect to the ASA. Prior to 8.2 I've been able to configure dynamic NAT for both interfaces and add two routes so that if one circuit went down outbound traffic would flow out of the second circuit. However with 8.3 I'm not sure how to do this.

Example Config

route outside 1 - This is ISP gateway 1 (outside)

route outside 2 - This is ISP gateway 2 (outside2)

object network ANY

nat (inside,outside) dynamic interface - This NATs outbound traffic to the interface "outside"

How would I be able to add a second NAT entry so that if the outside circuit fails, outbound traffic will flow out outside2?


Jennifer Halim Fri, 06/18/2010 - 09:32
User Badges:
  • Cisco Employee,

Not too clear on the route statement as both routes are pointing to the outside interface.

Assuming that you have 2 interfaces, outside and outside2, and have configured "ip sla" with tracking to track the current outside interface and fail it to the outside2 interface when the outside interface is down, you can add the following dynamic NAT for the outside2 interface:

object network ANY2
     nat (inside,outside2) dynamic interface

Hope that helps.

yubago@ctgmt.com Fri, 06/18/2010 - 09:36

Thanks for the response. Yes, I did mean to have outside2 on the second route. Your recommendation makes sense. I don't know why, but I had it stuck in my head that I needed to have a single "ANY" network object.

I will try it out today and will write back to provide the results.

yubago@ctgmt.com Fri, 07/02/2010 - 10:45

I was able to get the solution working by putting in a route statement. I am however having another issue that I used to be able to support with the old IOS.

With the old IOS I could have two dynamic NAT statements, one for each interface, so that if one link failed, outbound traffic is sent out the second interface (and dynamically natted).

In the new IOS, where you assign NAT statements to network objects, you can only have one NAT statement per object, which in my mind means that we can't configure this the way we want to.

Is that accurate?


