cisco asa static nat and two outside interface

Peter Handke
Level 1

Hello

I have a problem with static NAT on an ASA. I got 2 subnets from my ISP; they are not contiguous. The first subnet is on eth0/0 - outside and the second subnet is on eth0/1 - outside2. I have a default gateway via eth0/0 - outside.

I have to make static NAT on both subnets. On the first outside interface static NAT works, on the second it doesn't. Is it possible to get static NAT working on both interfaces?

my conf:

!
interface Ethernet0/0
 description WAN1
 nameif outside
 security-level 0
 ip address 60.9.1.50 255.255.255.248
!
interface Ethernet0/1
 description WAN2
 nameif outside2
 security-level 0
 ip address 60.9.1.234 255.255.255.248
!
interface Ethernet0/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.50.254 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
!
static (inside,outside) 60.9.1.54 192.168.3.105 netmask 255.255.255.255
static (inside,outside) 60.9.1.51 192.168.1.248 netmask 255.255.255.255
static (inside,outside2) interface 192.168.1.177 netmask 255.255.255.255
!
access-group outside in interface outside
access-group outside2 in interface outside2

thanks for help

Peter

4 Replies

Eugene Khabarov
Level 7

Hi! Generally it is not possible, since your replies to the outside world will always go through one of the outside interfaces. You can't make a routing decision based on the incoming interface since the ASA doesn't have VRF tables, although you can use multi-context mode and this can solve your problem.

Sent from Cisco Technical Support iPhone App

thanks for help!

I think that another option is to "merge" these two outside interfaces into one, just:

ip address 60.9.1.50 255.255.255.0

I know that a few addresses from this subnet will be unreachable, but it's acceptable. I don't see any other disadvantages.

Peter

Hello Peter,

These settings that you have should work for inbound TCP traffic on either Outside or Outside2 if you add a secondary default route for Outside2 with a higher metric. For example:

route outside2 0 0 60.9.1.1 200 (or whatever your default gateway is for Outside2).

So if you want to go to the IP 60.9.1.234 from the Internet, this request will hit the ASA and the firewall will then deliver that packet to the server. Then the return traffic from the server will arrive, and since there is an existing connection the firewall will forward the packet via Outside2 instead of Outside.

As you may imagine, if you are trying to initiate an outbound connection from a server to a destination on the Internet, it will take its default route and go through Outside as designed.

I have had around 5 or 6 cases with this scenario and it works fine every time.

Some other customers just add the static translations for the second range of IPs on the same Outside interface and it works as well (as long as the ISP knows that it needs to forward that traffic to the ASA on the Outside for those IPs).

I hope it helps!
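As an added example (not from the thread or from Cisco), a short Python audit that reads a config in the static/route syntax used in the post and checks for the condition the reply above describes: an interface that is the mapped side of a static but has no default route, plus default routes that tie on metric instead of the backup carrying a higher one. The excerpt is constructed from the posted config; the "route outside" line and its gateway 60.9.1.49 are assumptions, since the post mentions the default gateway via eth0/0 but does not show it.

```python
import re

# Constructed excerpt of the poster's config. The "route outside" line and
# the gateway 60.9.1.49 are assumptions (the post omits the route statement).
POSTED_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 60.9.1.50 255.255.255.248
interface Ethernet0/1
 nameif outside2
 ip address 60.9.1.234 255.255.255.248
static (inside,outside) 60.9.1.54 192.168.3.105 netmask 255.255.255.255
static (inside,outside2) interface 192.168.1.177 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 60.9.1.49 1
"""

# The fix suggested in the reply: a backup default route out outside2, higher metric.
FIX_LINE = "route outside2 0 0 60.9.1.1 200\n"

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\)")
# Matches both "0 0" and "0.0.0.0 0.0.0.0" default routes; the metric is optional.
ROUTE_RE = re.compile(r"^route (\S+) (?:0|0\.0\.0\.0) (?:0|0\.0\.0\.0) \S+(?: (\d+))?")


def audit_nat_egress(config):
    """Return (interface, issue) pairs: a mapped interface with no default route
    (return traffic for inbound flows has no way out of it), and default routes
    that tie on metric (the backup must carry a higher metric than the primary)."""
    mapped, default_routes = set(), {}
    for line in (raw.strip() for raw in config.splitlines()):
        m = STATIC_RE.match(line)
        if m:
            mapped.add(m.group(2))  # (real_ifc,mapped_ifc): keep the mapped side
            continue
        m = ROUTE_RE.match(line)
        if m:
            default_routes[m.group(1)] = int(m.group(2) or 1)  # ASA default metric is 1
    findings = [(ifc, "no-default-route") for ifc in sorted(mapped - set(default_routes))]
    if len(default_routes) > 1:
        best = min(default_routes.values())
        tied = sorted(ifc for ifc, metric in default_routes.items() if metric == best)
        if len(tied) > 1:
            findings += [(ifc, "tied-metric") for ifc in tied]
    return findings


if __name__ == "__main__":
    print(audit_nat_egress(POSTED_CONFIG))             # [('outside2', 'no-default-route')]
    print(audit_nat_egress(POSTED_CONFIG + FIX_LINE))  # []
```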

I confirm this is the problem. Without the 0-route towards the other WAN(s), the ASA won't know what to do with the traffic even if everything else is perfectly configured.
