I am trying to figure out the proper configuration for ISP failover on my ASA 5510, here is my senario:
Currently our primary ISP link is being provided by a consotium for schools so we have no public ip address on the outside interface of the ASA. The firewall is acting as a router, with no nat function on that link. We wanted to create a failover link to our cable provider which will give us a public ip on the second outside interface of the firewall, and I have it natted to the inside interface. When i set up SLA and the first routed link fails, it fails over to the natted link perfectly and i can see the nat translations. When SLA fails over again to the primary link the nat translations are not removed and internet access breaks until i remove the nat statements and clear xlate. If anybody has insight on this, or a possible workaround, your input will be greatly appreciated as my head hurts from banging it into a wall.
you could also try to create an identity NAT instead of NONAT if you are running the older codes 8.2 and below... the difference is that one NATs the IP to itself and the latter bypasses the NAT process completely...
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...