
Dynamic NAT rules for backup ISP circuit

Feb 28th, 2014

Hi


I need to configure a backup circuit using IP SLA, routes with metrics, static nat rules for VPNS and so on, and that all makes perfect sense.


I am, however, stuck on how I set up the dynamic NAT rules so that traffic from internal to Internet is NATted to the backup ISP public IP addresses in the event of a primary circuit outage.


The dynamic NAT rules are as follows:


object network XXX-CORP
 nat (CORP_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-WIFI
 nat (WIFI_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-PROD
 nat (PROD_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-DMZ
 nat (DMZ_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

object network XXX-OPS
 nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx


I am guessing there is a way to add something like:


object network XXX-OPS
 nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
 nat (OPS_RANGE,SECONDARY_ISP) dynamic 19x.1xx.3x.1xx secondary




Thanks in advance, and of course I will provide more info if required.


Dentist

Jouni Forss Sun, 03/02/2014 - 09:05

Hi,


You essentially just add a new Dynamic PAT rule for each of the required local networks towards the second ISP.


The Routing and SLA configurations handle which interface and which Dynamic PAT is used.


Notice that you cannot configure 2 "nat" configurations under a single "object". You will simply need to make 2 Dynamic PAT configurations for each of your internal networks.


You can naturally configure a single Dynamic PAT rule per ISP for ALL internal networks with the below configuration format:


object-group network ISP1-PAT-SOURCE
 network-object
 network-object
 network-object

nat (any,isp1) after-auto source dynamic ISP1-PAT-SOURCE interface

object-group network ISP2-PAT-SOURCE
 network-object
 network-object
 network-object

nat (any,isp2) after-auto source dynamic ISP2-PAT-SOURCE interface


So looking at the above configurations, you could simply configure all the internal networks under an "object-group" and then use that "object-group" in a "nat" configuration to do Dynamic PAT for all your internal networks towards one ISP. You could create the same type of configuration for the other ISP also.


And as I said before, you can also simply configure Dynamic PAT with Auto NAT / Network Object NAT for each of the internal networks separately.


For example:

object network WIFI-ISP2-PAT
 subnet
 nat (WIFI_RANGE,SECONDARY_ISP) dynamic interface (or IP)


Hope this helps.


Let me know how it goes.


- Jouni
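The failure mode behind this thread is an internal network that has a Dynamic PAT rule towards the primary ISP but none towards the backup, so after failover its traffic leaves the ASA unNATted and is dropped upstream. The script below is an added example, not code from the forum thread or from Cisco: it parses a constructed ASA configuration excerpt (the interface names PRIMARY_ISP and SECONDARY_ISP follow the thread; the 10.x.0.0/16 subnets and the 203.0.113.10 mapped address are made-up sample values) and reports every internal subnet that lacks a dynamic PAT rule towards one of the ISP interfaces. It understands both forms discussed above: Auto NAT (`nat ... dynamic ...` under an `object network`) and after-auto Manual NAT whose source is an `object-group network`. Treating every `object network` that carries a `subnet` or `host` as an internal network is a simplification of this example, not ASA behaviour.

```python
"""Coverage check for ASA dynamic PAT rules across several ISP interfaces.

Added example: parse an ASA config excerpt and list every internal subnet
that has no dynamic PAT rule towards one of the ISP interfaces. Interface
names follow the forum thread; subnets and mapped addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

ISP_INTERFACES = {"PRIMARY_ISP", "SECONDARY_ISP"}   # nameif values (assumed)

# Constructed excerpt: CORP/WIFI/OPS all have PAT towards PRIMARY_ISP; CORP
# gets a second Auto-NAT object towards SECONDARY_ISP; the after-auto Manual
# NAT rule covers WIFI towards SECONDARY_ISP but nobody covers OPS.
SAMPLE_CONFIG = """\
object network XXX-CORP
 subnet 10.1.0.0 255.255.0.0
 nat (CORP_RANGE,PRIMARY_ISP) dynamic 203.0.113.10
object network XXX-WIFI
 subnet 10.2.0.0 255.255.0.0
 nat (WIFI_RANGE,PRIMARY_ISP) dynamic 203.0.113.10
object network XXX-OPS
 subnet 10.5.0.0 255.255.0.0
 nat (OPS_RANGE,PRIMARY_ISP) dynamic 203.0.113.10
object network CORP-ISP2-PAT
 subnet 10.1.0.0 255.255.0.0
 nat (CORP_RANGE,SECONDARY_ISP) dynamic interface
object-group network ISP2-PAT-SOURCE
 network-object 10.2.0.0 255.255.0.0
nat (any,SECONDARY_ISP) after-auto source dynamic ISP2-PAT-SOURCE interface
"""


def _to_net(addr, mask):
    """Build an ip_network from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_config(text):
    """Return (subnets, groups, auto_nat, manual_nat) from an ASA config excerpt."""
    subnets = {}                 # object name -> ip_network
    groups = defaultdict(list)   # group name -> [ip_network | referenced object name]
    auto_nat = []                # (object name, real ifc, mapped ifc)
    manual_nat = []              # (real ifc, mapped ifc, source group name)
    section = None               # ("object"|"group", name) while inside a block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # any top-level command ends a block
            section = None
            m = re.fullmatch(r"object network (\S+)", raw)
            if m:
                section = ("object", m.group(1))
                continue
            m = re.fullmatch(r"object-group network (\S+)", raw)
            if m:
                section = ("group", m.group(1))
                continue
            m = re.match(r"nat \((\S+),(\S+)\) (?:after-auto )?source dynamic (\S+)", raw)
            if m:
                manual_nat.append(m.groups())
            continue
        if section is None:
            continue
        kind, name = section
        line = raw.strip()
        if kind == "object":
            if (m := re.fullmatch(r"subnet (\S+) (\S+)", line)):
                subnets[name] = _to_net(*m.groups())
            elif (m := re.fullmatch(r"host (\S+)", line)):
                subnets[name] = ipaddress.ip_network(m.group(1))
            elif (m := re.match(r"nat \((\S+),(\S+)\) dynamic ", line)):
                auto_nat.append((name, m.group(1), m.group(2)))
        else:  # object-group members, either literal networks or object references
            if (m := re.fullmatch(r"network-object object (\S+)", line)):
                groups[name].append(m.group(1))
            elif (m := re.fullmatch(r"network-object host (\S+)", line)):
                groups[name].append(ipaddress.ip_network(m.group(1)))
            elif (m := re.fullmatch(r"network-object (\d\S*) (\S+)", line)):
                groups[name].append(_to_net(*m.groups()))
    return subnets, groups, auto_nat, manual_nat


def pat_coverage(text, isp_interfaces):
    """Map each internal subnet (as a string) to the sorted ISP interfaces it has PAT towards."""
    subnets, groups, auto_nat, manual_nat = parse_asa_config(text)
    covered = defaultdict(set)
    for obj, _real, mapped in auto_nat:
        if mapped in isp_interfaces and obj in subnets:
            covered[subnets[obj]].add(mapped)
    for _real, mapped, group in manual_nat:
        if mapped not in isp_interfaces:
            continue
        for member in groups.get(group, []):
            net = subnets.get(member) if isinstance(member, str) else member
            if net is not None:
                covered[net].add(mapped)
    return {str(net): sorted(covered[net]) for net in sorted(set(subnets.values()))}


def missing_pat_rules(text, isp_interfaces):
    """Return (subnet, isp) pairs with no dynamic PAT rule; an empty list means failover-ready."""
    return [(net, isp)
            for net, isps in pat_coverage(text, isp_interfaces).items()
            for isp in sorted(isp_interfaces) if isp not in isps]


if __name__ == "__main__":
    for net, isp in missing_pat_rules(SAMPLE_CONFIG, ISP_INTERFACES):
        print(f"{net}: no dynamic PAT rule towards {isp}")
```

Run it against `show running-config object`, `show running-config object-group` and `show running-config nat` output pasted into `SAMPLE_CONFIG`; a non-empty list is exactly the set of networks that would lose Internet access after failover to that ISP. The check only looks at NAT coverage; whether the right rule is actually selected after failover still depends on the tracked route and IP SLA configuration Jouni mentions.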

Paul Monteith Mon, 03/03/2014 - 09:02

Hi Jouni


Thanks for your answer. I had come to a similar conclusion with the after-auto after reading another of your threads, but as yet I have not tested it. I will do in the next few days and will then update you.


Regards,


Paul

Paul Monteith Tue, 12/09/2014 - 23:15

A few days turned into 9 months, but got there in the end.

WAN failover (when using multiple NAT rules and VPN tunnels) only works properly on ASA 5512-X and higher when using version 9.2(1), which supports Event Manager. Configure a tracked route, SLA and Event Manager actions that remove and add config when triggered.

Thanks

Dentist55
