8.3 IOS - Two Outside Interfaces - Configure NAT

Unanswered Question

Hello,


I have two Internet circuits that I want to connect to the ASA. Prior to 8.2 I've been able to configure dynamic NAT for both interfaces and add two routes so that if one circuit went down outbound traffic would flow out of the second circuit. However with 8.3 I'm not sure how to do this.


Example Config


route outside 0.0.0.0 0.0.0.0 222.222.222.222 1 - This is ISP gateway 1 (outside)

route outside 0.0.0.0 0.0.0.0 111.111.111.111 2 - This is ISP gateway 2 (outside2)


object network ANY

subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface - This NATs outbound traffic to the interface "outside"


How would I be able to add a second NAT entry so that if the outside circuit fails outbound traffic will flow out outside2


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Fri, 06/18/2010 - 09:32
User Badges:
  • Cisco Employee,

Not too clear on the route statement as both routes are pointing to the outside interface.

Assuming that you have 2 interface, outside and outside2, configured "ip sla" with tracking to track the current outside interface and fail it to outside2 interface when outside interface is down, you can add the following dynamic nat for outside2 interface:


object network ANY2

     subnet 0.0.0.0 0.0.0.0

     nat (inside,outside2) dynamic interface


Hope that helps.

Hello,


I was able to get the solution working by putting in a route statement. I am however having another issue that I used to be able to support with the old IOS.


With the old IOS I could have two dynamic NAT statements, one for each interface, so that if one link failed, outbound traffic is sent out the second interface (and dynamically natted).


In the new IOS where you assign nat statements to network objects you can only have one NAT statement per object which in my mind means that we can't configure this the way we want to.


Is that accurate?


Thanks,

Actions

This Discussion