Cisco Support Community

New Member

NATTING for failover on a Dual internet link



See diagram for topology


Currently I have a single Internet link. NATting is done in my ASA 5520.

I am moving to a dual Internet link.

     - NATting will be done in the ASA 5545-X on the side labeled Site_1 for internal DMZ servers (services).
     - The NATted subnet range will be advertised out both the Site_1 and Site_2 Internet links via BGP.
     - AS-path prepending will be used at Site_2 to make Site_1 the preferred path.


My ASRs run HSRP across the DMZ trunk between the sites, and failover has been tested and verified.



Goal: - "No single point of failure"


Problem requiring a solution: alternate NATting on the Site_1 ASA


               IF the Internet goes down but the ASA remains up at Site_1:
                   NATting still occurs.
                   HSRP will fail over and we are good to go.
                   Traffic will cross the DMZ link between the switches.
                   Traffic going out will be secured by the HSRP config.


               IF the DMZ switch at Site_1 is lost:
                   Then the outside interface of the ASA at Site_1 is also lost.
                   - NATting can still occur, but traffic will have to be sent across the L3 link between the Nexus devices.
                     NATted IPs are then sent back into the Nexus for routing across the Nexus L3?? This does not sound correct!!
                   - The EIGRP statement in the ASA @ Site_1 (network = NATted subnet 170.x.203.0) will advertise down to the Nexus at Site_1.
                   - EIGRP on the Nexus @ Site_1 will advertise the 170.x.203.0 network to the Nexus @ Site_2.
                   - The Nexus at Site_2 will advertise this up to the Site_2 ASA.


               IF the ASA at Site_1 is completely lost, both primary and secondary:
                   How would internal services living at Site_1 get NATted at all?

                   - IP SLA statement in the Nexus to redirect.
                     IP SLA will monitor the outside IP address of the local ASA. If that IP address is no longer accessible,
                     then use the L3 IP address of the neighbor Nexus.

                   Is there a way to have an alternate NAT, a secondary NAT solution on the Site_2 ASA, that will still be recognized by external users?

                   Is there a way to account for business partners who have firewall rules allowing our current NATted subnet?

                   Basically, if the DMZ subnet 172.x.x.x IP addresses that currently reside on the Site_1 Nexus come into the Site_2 ASA,
                   will they be NATted to 170.x.x?

                   Is it possible to have "weighted" NATting on separate ASAs for the same external subnet?
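The two mechanisms the post leans on, AS-path prepending at Site_2 and an IP SLA track on the Site_1 Nexus that flips the default route to the peer Nexus, as an added configuration example that is not from the original post, the poster's network, or Cisco documentation. Every address, ASN, VLAN, interface and object name is an assumption: RFC 5737 documentation prefixes stand in for the post's 170.x.203.0 NAT pool (203.0.113.0/24), the DMZ transit between the ASRs and the ASA (198.51.100.0/24) and the ISP peering (192.0.2.0/24), and private ASNs from the 64496-64511 documentation range stand in for the real ones. Two caveats a practitioner would want before copying the idea: the ASA normally does not answer pings to an interface address from hosts on a different (far-side) interface, so a probe from the inside Nexus to the ASA's own outside IP, as the post proposes, will not prove the path; track something beyond the ASA instead, such as the ASRs' HSRP VIP. And the xlate/connection table is local to each ASA failover pair, so a session translated at Site_1 whose return packets arrive at the Site_2 ASA is dropped there; a second ASA holding the same global pool can only carry new sessions after the first pair is gone, not share load for the same prefix.

```cisco
! ===== Site_2 ASR (IOS-XE): prepend the NAT pool so the Site_1 link is preferred inbound =====
! Assumed: local AS 64500, ISP2 peer 192.0.2.1 in AS 64501,
! NAT pool 203.0.113.0/24 (placeholder for the post's 170.x.203.0),
! ASA outside address 198.51.100.10 on the DMZ VLAN that spans both sites.
ip prefix-list NAT-POOL seq 5 permit 203.0.113.0/24
!
route-map TO-ISP2 permit 10
 match ip address prefix-list NAT-POOL
 set as-path prepend 64500 64500 64500
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 route-map TO-ISP2 out
!
! "network" only injects a prefix that is already in the RIB; give the ASR a route
! to the pool via the ASA's outside address across the DMZ trunk.
ip route 203.0.113.0 255.255.255.0 198.51.100.10
!
! ===== Site_1 ASA: allow the Nexus probe below to cross and its echo-reply to return =====
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== Site_1 Nexus (NX-OS): withdraw the local default route when the path through the ASA dies =====
! Assumed: ASA inside 10.1.0.1 on Vlan10, peer Nexus 10.255.0.2 on the inter-site L3 link,
! probe target 198.51.100.1 = the ASRs' HSRP VIP on the far side of the ASA
! (deliberately not the ASA's own outside IP, which the ASA will not answer from the inside).
feature sla sender
!
ip sla 10
  icmp-echo 198.51.100.1 source-interface Vlan10
  frequency 5
  timeout 2000
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
  delay up 30 down 15
!
! Primary default via the local ASA is removed from the RIB when track 10 is down;
! the floating default (preference 250) via the Site_2 Nexus then takes over,
! and new outbound sessions are translated by the Site_2 ASA.
ip route 0.0.0.0/0 10.1.0.1 track 10
ip route 0.0.0.0/0 10.255.0.2 250
```

Note what this does and does not cover. The prepend only steers traffic coming in from the Internet, and only while both ASRs advertise the pool; the track only steers traffic going out. If the whole Site_1 ASA pair is lost but the Site_1 ASR still holds its static route to the pool, it keeps advertising 203.0.113.0/24 with the shorter AS path and inbound traffic keeps landing on a dead firewall. The static on the ASR would need its own track (or BGP conditional advertisement) so the Site_1 announcement is withdrawn with the ASA, which is the piece the post's design still needs to settle.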





New Member

Does anyone have any guidance

Does anyone have any guidance on this complex design scenario?