I am having a problem with address translation on a pair of Cisco ASA firewalls when they failover.
The current setup has 2 x Cisco ASA5520 firewalls configured in active/standby failover. I have address translation configured on the ASA using both the interface address (e.g. 18.104.22.168 for SMTP and WWW) as well as another range of IPs that is being routed to the firewalls (e.g. 22.214.171.124/24 for various ports). When the firewalls failover I can reach SMTP and WWW for the address 126.96.36.199 but the 2.2.2.x addresses aren't available. The upstream layer 3 switches are updating the ARP tables for the 188.8.131.52 address but not for the 2.2.2.x range.
Has anyone experienced this problem? I was thinking of using an asr-group but this only appears to be relevant for active/active failover configuration?
Are the Internet links and outside interfaces of the FWs in one VLAN, and the inside side of the ASAs in another VLAN (in case both sides of the FWs are connecting to the same switch)? What is the OS version of the ASA?
The outside is connected to different switches using the same VLAN and HSRP as the upstream gateway. The inside is connected to two different switches internally using one VLAN and no routing on the switches.
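A way to turn the observation above (interface address refreshed on the upstream switches, routed NAT range not) into a repeatable check, added here as an example that is not part of this thread: it parses the IOS `show ip arp` output of the upstream layer 3 switch and lists the expected NAT addresses whose entries were not refreshed after the failover. The addresses and the sample output are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Hypothetical diagnostic (not from the thread): parse Cisco IOS "show ip arp"
# output from the upstream layer 3 switch and flag NAT addresses that the new
# active ASA did not refresh after failover. In active/standby failover the new
# active unit keeps the same MAC, so the tell-tale is the entry's age: a
# gratuitous ARP resets it to 0, an unrefreshed entry keeps ageing.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)"
    r"\s+\S+(?:\s+(?P<intf>\S+))?\s*$",
    re.IGNORECASE,
)

class ArpEntry(NamedTuple):
    age: Optional[int]   # minutes since last update; None for "-" (switch's own address)
    mac: str             # "incomplete" when the switch never got a reply
    intf: Optional[str]

def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Return {ip: ArpEntry} for every 'Internet' row in the command output."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            age = None if m["age"] == "-" else int(m["age"])
            entries[m["ip"]] = ArpEntry(age, m["mac"].lower(), m["intf"])
    return entries

def stale_nat_arp(expected_ips: List[str], arp_output: str,
                  max_age: int = 1) -> List[Tuple[str, str]]:
    """List (ip, reason) for expected NAT addresses not refreshed within max_age minutes."""
    table = parse_show_ip_arp(arp_output)
    stale: List[Tuple[str, str]] = []
    for ip in expected_ips:
        entry = table.get(ip)
        if entry is None or entry.mac == "incomplete":
            stale.append((ip, "missing or incomplete after failover"))
        elif entry.age is not None and entry.age > max_age:
            stale.append((ip, f"not refreshed: age {entry.age} min on {entry.intf}"))
    return stale

# Constructed sample: interface address refreshed, routed NAT range not.
EXPECTED_NAT_IPS = ["192.0.2.1", "198.51.100.10", "198.51.100.11", "198.51.100.12"]
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               0   0000.0c9f.f001  ARPA   Vlan10
Internet  192.0.2.254             -   0011.2233.4455  ARPA   Vlan10
Internet  198.51.100.10          35   0000.0c9f.f001  ARPA   Vlan10
Internet  198.51.100.11          35   0000.0c9f.f001  ARPA   Vlan10
Internet  198.51.100.12           0   Incomplete      ARPA
"""

if __name__ == "__main__":
    for ip, reason in stale_nat_arp(EXPECTED_NAT_IPS, SAMPLE_SHOW_IP_ARP):
        print(f"{ip}: {reason}")
```

Run it against a snapshot taken right after the failover; anything it lists is an address the new active unit did not announce to that switch.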