ASA 5520 NAT static - One-to-one static with SLA Monitor

e.pedersen · ‎08-04-2010

Hi everyone, first of all, I'm sorry for my english!!!

I have a Cisco ASA with 03 interfaces:

- outside (172.1.1.0/24)

- primary (1.1.1.0/24)

- backup (2.2.2.0/24)

Also, I have one primary server with its backup server located in other site. Both servers have a real IP address and a virtual IP address:

- Primary Server: (real IP: 1.1.1.254) (virtual IP: 3.3.3.254)

- Backup Server: (real IP: 2.2.2.254) (virtual IP: 3.3.3.254)

The ASA has two routes for the "virtual IP address" of the servers, like this:

route primary 3.3.3.254 255.255.255.255 1.1.1.254 1 track 123

route backup 3.3.3.254 255.255.255.255 2.2.2.254 10 (note the weight of this second route)

The track 123 monitors the real ip address of the primary server (1.1.1.254), so when this server is down, the ASA automatically

changes the route to 3.3.3.254, using 2.2.2.254 as next-hop instead 1.1.1.254. This works fine.

But, we also need to hide the IP address 3.3.3.254 to the clients that access through the outside interface. So, we use a static NAT mapping the IP 172.1.1.5 with the IP 3.3.3.254.

static (primary,outside) 172.1.1.5 3.3.3.254

static (backup,outside) 172.1.1.5 3.3.3.254

The problem is that if I do this neither of the statics work (OF COURSE, conceptually this totally makes sense to me)

I have to choose only one of both "statics", the primary or the backup interface.What I actually need is that the ASA map the global IP to the local IP through the interface where the route is active to the virtual IP address at that moment, and all this has to be automatic.

We had recently migrated from one Cisco 1811 Router to this ASA, and with the router this works just fine (sure, no INTERFACE mapping is needed for the static).

Can somebody please help me with this!!!!!!

through the interface where it knows

Nagaraja Thanthry · ‎08-04-2010

Hello,

Does your ISP's (both) have a route to 172.1.1.0 pointing to your ASA's

interfaces? Can you try it on one interface alone i.e. primary interface and

see if that works?

Regards,

NT

August Ritchie · ‎08-04-2010

It appears that he has a single ISP but two local interfaces that one real server exists behind.

This server has two NICs behind two different interfaces on the ASA, both these NICs have IP addresses in 2 different networks, but share a third, vitrual IP address. He is trying to NAT this virtual IP address to one translated IP, but on two different internal interfaces.

As far as I can see this is not possible.

The reason being that the destination nat will disregard whatever route is in place. This can be seen if someone has a static NAT incorrectly configured. Like

static (inside,outside) 10.1.1.1 192.168.1.1

and even though the routing table may say 192.168.1.1 is actually on the DMZ, the packet is going to be pushed out the inside and you will get an error in the logs that says "no route to host".

Hopefully this will show where the flaw in the config is...

e.pedersen · ‎08-05-2010

Hi,

There are two servers, no only one and each server is located at different places and connected to differents interfaces of the ASA.

We dont have any problem with the routes. Only the problem with this static.

As far I know too, is it not possible to do what I need with the ASA, but, I actually use version 8.0.(4) in the ASA, and I was looking if a workaround exist, considering the new 8.3 version of the ASA and all the NAT new features this version has.

I really need to solve this. Also I think is not a bad idea to have a feature that can help with this kind of things.

Nagaraja Thanthry · ‎08-05-2010

Hello,

Let us try the following:

access-list server1 permit ip 3.3.3.254 any

static (Primary,outside) 172.1.1.5 access-list Server1

access-list server2 permit ip 3.3.3.254 any

static (Backup,outside) 172.1.1.5 access-list Server2

Hope this helps.

Regards,

NT

e.pedersen · ‎08-05-2010

Hi Nagaraja,

I would like to try your advice, but, like I said, actually we' re using 8.0.(4) version, and if needed we will update to 8.3.x

This ASA is in production, so I cannot upgrade this asa only to try this, and sadly I dont have any ASA free just to try this.

If somebody can help me trying this with 8.3.x in a lab enviroment would be great.

Regards!

e.pedersen · ‎08-06-2010

anybody can help me trying this in a lab enviroment with asa 8.3.x?

access-list server1 permit ip 3.3.3.254 any

static (Primary,outside) 172.1.1.5 access-list Server1

access-list server2 permit ip 3.3.3.254 any

static (Backup,outside) 172.1.1.5 access-list Server2

Nagaraja Thanthry · ‎08-07-2010

Hello,

If you are using 8.3, the syntax will be different:

object network Server

host 3.3.3.254

object network Server_pub

host 172.1.1.5

nat (any,any) source static Server Server_pub

I have tested this on one of our spare firewalls with 8.3 and it does work. So, you should be able to configure it on your firewall.

Hope this helps.

Regards,

NT

e.pedersen · ‎08-09-2010

Hi Nagaraja,

I will try this... I will let you know if it works or not as soon I can.

Thanks