Cisco Support Community
Community Member

Dynamic NAT rules for backup ISP circuit

Hi

I need to configure a backup circuit using IP SLA, routes with metrics, static NAT rules for VPNs and so on, and that all makes perfect sense.

I am, however, stuck on how I set up the dynamic NAT rules so that traffic from internal to the Internet is NATted to the backup ISP public IP addresses in the event of a primary circuit outage.

The dynamic NAT rules are as follows:

object network XXX-CORP
 nat (CORP_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-WIFI
 nat (WIFI_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-PROD
 nat (PROD_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-DMZ
 nat (DMZ_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
object network XXX-OPS
 nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx

I am guessing there is a way to add something like:

object network XXX-OPS
 nat (OPS_RANGE,PRIMARY_ISP) dynamic 8x.2xx.x.2xx
 nat (OPS_RANGE,SECONDARY_ISP) dynamic 19x.1xx.3x.1xx secondary

Thanks in advance, and of course I will provide more info if required.

Dentist

3 REPLIES
Super Bronze

Dynamic NAT rules for backup ISP circuit

Hi,

You essentially just add a new Dynamic PAT rule for each of the required local networks towards the second ISP.

The routing and SLA configurations handle which interface, and therefore which Dynamic PAT rule, is used.

Notice that you can not configure 2 "nat" configurations under a single "object". You will simply need to make 2 Dynamic PAT configurations for each of your internal networks.

You can naturally configure a single Dynamic PAT rule per ISP for ALL internal networks with the below configuration format:

object-group network ISP1-PAT-SOURCE
 network-object
 network-object
 network-object
nat (any,isp1) after-auto source dynamic ISP1-PAT-SOURCE interface

object-group network ISP2-PAT-SOURCE
 network-object
 network-object
 network-object
nat (any,isp2) after-auto source dynamic ISP2-PAT-SOURCE interface

So looking at the above configurations, you could simply configure all the internal networks under an "object-group" and then use that "object-group" in a "nat" configuration to do Dynamic PAT for all your internal networks towards one ISP. You could create the same type of configuration for the other ISP also.

And as I said before, you can also simply configure Dynamic PAT with Auto NAT / Network Object NAT for each of the internal networks separately.

For example:

object network WIFI-ISP2-PAT
 subnet
 nat (WIFI_RANGE,SECONDARY_ISP) dynamic interface (or IP)

Hope this helps

Let me know how it goes.

- Jouni
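The pieces the reply above refers to (IP SLA probe, tracked default route, floating backup route, and one after-auto Dynamic PAT rule per ISP interface), pulled together as an added worked example. This is not configuration from the thread or from Jouni; interface names PRIMARY_ISP and SECONDARY_ISP follow the original post, while the probe target, gateway addresses, internal subnets, object-group name and SLA/track numbers are assumptions for illustration.

```cisco
! Added example, not the thread's own config. Addresses, subnets, the
! object-group name and the SLA/track IDs are assumptions for illustration.
!
! 1. Probe something beyond the primary ISP gateway; a probe to the gateway
!    itself keeps succeeding when the ISP's upstream is down.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface PRIMARY_ISP
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! 2. Tracked default route via the primary ISP (metric 1) and a floating
!    default route via the secondary ISP (metric 254). The floating route
!    only enters the routing table while the tracked route is withdrawn.
route PRIMARY_ISP 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route SECONDARY_ISP 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 3. All internal networks in one group, then one after-auto Dynamic PAT
!    rule per ISP interface. Which rule matches is decided by the egress
!    interface the routing table selects, so no "secondary" keyword is
!    needed on the NAT rule itself.
object-group network INSIDE-NETS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
!
nat (any,PRIMARY_ISP) after-auto source dynamic INSIDE-NETS interface
nat (any,SECONDARY_ISP) after-auto source dynamic INSIDE-NETS interface
```

To check the state of the failover, `show track 1` and `show sla monitor operational-state 10` show whether the probe is currently succeeding, `show route` shows which default route is installed, and `show nat detail` shows hit counts on the two PAT rules. Two caveats a practitioner should expect: the tracked route being withdrawn does not tear down translations and connections already built through PRIMARY_ISP, so existing flows do not move until they time out or are cleared; and the PAT rules only follow the routing table for traffic they cover, so static NAT rules and crypto maps bound to PRIMARY_ISP still need their own treatment, which is what the last reply in this thread ends up doing with Event Manager.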

Community Member

Dynamic NAT rules for backup ISP circuit

Hi Jouni

Thanks for your answer. I had come to a similar conclusion with the after-auto after reading another of your threads, but as yet I have not tested it. I will do so in the next few days and will then update you.

Regards,

Paul

Community Member

A few days turned into 9

A few days turned into 9 months but got there in the end.  

WAN failover (when using multiple NAT rules and VPN tunnels) only works properly on ASA 5512-X and higher when using version 9.2(1), which supports Event Manager. Configure a tracked route, an SLA and Event Manager actions that remove and add config when triggered.

Thanks

Dentist55
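The Event Manager part of the approach described in the reply above, as an added example that is not the poster's actual applet. On ASA 9.2(1) and later, an EEM applet can be triggered by the syslog message the ASA logs when a tracked route is added or removed (message ID 622001 carries both the "Adding tracked route" and "Removing tracked route" events). The applet name, description and the chosen action are assumptions for illustration; the poster's applets removed and re-added configuration, and that pattern is noted in the comments rather than reproduced, since the thread does not show which commands were used.

```cisco
! Added example, not the poster's actual configuration. EEM requires
! ASA 9.2(1)+ and logging to be enabled so the trigger message is generated.
logging enable
!
! Syslog 622001 fires both when the tracked default route is withdrawn and
! when it is re-installed, so everything this applet does must be safe to
! run in either direction. Clearing translations forces existing flows to
! rebuild through whichever ISP interface the routing table now selects,
! which the routing change alone does not do.
event manager applet TRACKED-ROUTE-CHANGE
 description Flush translations when the tracked default route changes state
 event syslog id 622001
 action 1 cli command "clear xlate"
 output none
```

If, as in the poster's case, the applet also has to remove and re-add configuration (for example NAT or crypto map lines bound to the primary interface), write each action so that applying it twice leaves the same result, because the same applet runs on failover and on failback and a stale "no ..." or duplicate line is the usual way these applets misbehave. `show event manager` lists the applet and its hit count, and `debug event manager` (or the applet's own `output file` setting) shows the commands as they run, which is the quickest way to confirm the trigger actually fires on a real track state change rather than assuming it from the syslog alone.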
