Cisco Support Community
New Member

Dual ISP with NAT Trouble

I am hoping someone can throw me a life jacket on this small dilemma.  I am trying to configure dual ISPs with an ASA.  I have followed the guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml and the failover occurs seamlessly but I feel there is a step missing from the guide: dual NAT.

When the failover occurs traffic still dies at the ASA because it is unable to find a NAT pool for the backup ISP interface (and backup ISP IPs).  And, I have yet to find a way to program a second NAT rule that falls over to that backup interface when the primary outside fails.

Help would be greatly appreciated!

Below is a diagram of the layout with both ISP router and active/standby ASAs for your reference:

cisco question diagram.png

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Dual ISP with NAT Trouble

With the guide you followed, you are running a version <8.3 on your ASA? Then you have to take your global commands and configure them again with the backup-interface and the IP-range that belongs to the backup ISP.

That is also mentioned in the guide:

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

For the nat-statement you have two globals with the same NAT-ID pointing to both outgoing interfaces. The example works with interface-PAT, but you can use your NAT-range or PAT-IP instead of the keyword "interface".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

2 REPLIES
New Member

Dual ISP with NAT Trouble

That was it... I was trying to use two globals with different NAT IDs.  Just had to modify the backup one to use the same ID and it tested successfully.  Thanks!
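An offline check for the mismatch resolved in this thread, added here as an example and not part of the original posts or of the Cisco guide: it reads pre-8.3 nat/global lines and reports any NAT ID that has no global on one of the egress interfaces. The function name missing_globals and the BROKEN sample are constructed for illustration; the interface names and the FIXED lines are the ones quoted in the accepted answer.

```python
import re

# Pre-8.3 ASA syntax as used in the thread:
#   nat (real_ifc) nat_id ...      global (mapped_ifc) nat_id ...
LINE_RE = re.compile(r"^\s*(nat|global)\s+\((\S+?)\)\s+(\d+)\b")

def missing_globals(config, egress_interfaces):
    """Return {nat_id: [egress interfaces that have no 'global' for that ID]}."""
    nat_ids = set()
    globals_by_id = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pre-8.3 nat/global statement
        kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
        if kind == "nat":
            if nat_id != 0:  # nat 0 is identity/exempt NAT and uses no global
                nat_ids.add(nat_id)
        else:
            globals_by_id.setdefault(nat_id, set()).add(ifc)
    gaps = {}
    for nat_id in sorted(nat_ids):
        have = globals_by_id.get(nat_id, set())
        lacking = [ifc for ifc in egress_interfaces if ifc not in have]
        if lacking:
            gaps[nat_id] = lacking
    return gaps

# Constructed sample: the backup global uses a different NAT ID,
# which is the mistake described in the last reply.
BROKEN = """\
global (outside) 1 interface
global (backup) 2 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

# The configuration quoted in the accepted answer.
FIXED = """\
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_globals(cfg, ["outside", "backup"]))
```

Running it against a saved copy of the running configuration before a failover test shows which inside NAT IDs would have no translation once traffic leaves through the backup interface.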
