Currently I have a single Internet link. NATting is done in my ASA 5520.
I am moving to a dual Internet link.
NATting will be done in the ASA 5545-X on the side labeled Site_1 for internal DMZ servers (services).
The NATted subnet range will be advertised out both the Site_1 and Site_2 Internet links via BGP.
AS path prepending will be used on Site_2 to make Site_1 the more preferred path.
My ASRs have HSRP across the DMZ trunk between the sites, and failover has been tested and verified.
Goal: "No single point of failure"
Problem requiring a solution: alternate NATting on the Site_1 ASA
IF the Internet goes down but the ASA remains up at Site_1:
- NATting still occurs
- HSRP will fail over and we are good to go
- Traffic will cross the DMZ link between the switches
- Traffic going out will be secured by the HSRP config
If the DMZ switch at Site_1 is lost, then the outside interface of the ASA at Site_1 is also lost. NATting can still occur, but traffic will have to be sent across the L3 link between the Nexus devices. NATted IPs are then sent back into the Nexus for routing across the Nexus L3?? This does not sound correct!!
- EIGRP statement in the ASA @ Site_1 (network = NATted subnet 170.x.203.0) will advertise down to the Nexus at Site_1.
- EIGRP on the Nexus @ Site_1 will advertise the 170.x.203.0 network to the Nexus @ Site_2.
- The Nexus at Site_2 will advertise this up to the Site_2 ASA.
IF the ASA at Site_1 is completely lost, both primary and secondary, how would internal services living at Site_1 get NATted at all?
- IP SLA statement in the Nexus to redirect. IP SLA will monitor the outside IP address of the local ASA. If that IP address is no longer accessible, then use the L3 IP address of the neighbor Nexus.
Is there a way to have an alternate NAT (secondary NAT) solution on the Site_2 ASA that will still be recognized by external users?
Is there a way to account for business partners who have firewall rules allowing our current NATted subnet?
Basically, if the DMZ subnet 172.x.x.x IP addresses that currently reside on the Site_1 Nexus come into the Site_2 ASA, will they be NATted to 170.x.x?
Is it possible to have "weighted" NATting on separate ASAs for the same external subnet?
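Two of the building blocks the post relies on, AS path prepending toward the Site_2 ISP and an IP SLA-tracked route on the Nexus that falls back to the neighbour site when the local ASA's outside address stops answering, look roughly like the following. This is an added illustration in IOS-style syntax, not configuration from the original post; all addresses (203.0.113.0/24 standing in for the NATted 170.x.203.0 range, 198.51.100.0/24 for the ISP peering, 10.0.0.0/30 for the inter-Nexus L3 link) and AS numbers (65000 local, 64500 ISP) are placeholders, and NX-OS command syntax differs slightly in places (for example `ip route 0.0.0.0/0 ...`), so verify against the platform before use.

```cisco
! --- Site_2 edge router: prepend our AS on the NATted range so ISPs prefer Site_1 ---
ip prefix-list NATTED-RANGE seq 5 permit 203.0.113.0/24
!
route-map ISP2-OUT permit 10
 match ip address prefix-list NATTED-RANGE
 set as-path prepend 65000 65000
route-map ISP2-OUT permit 20
!
router bgp 65000
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 route-map ISP2-OUT out
!
! --- Site_1 Nexus: track the local ASA outside address; if it stops answering,
!     the default route via the local ASA is withdrawn and the floating static
!     toward the Site_2 Nexus (higher administrative distance) takes over ---
ip sla 10
 icmp-echo 198.51.100.2 source-interface Vlan10
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 1 ip sla 10 reachability
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2 track 1
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
```

Note that tracking only proves the ASA's outside address answers ICMP; it does not tell you whether the ISP beyond it is up, and, as the post observes, steering return traffic into the Site_2 ASA does not by itself reproduce the Site_1 NAT translations (or the ASA's connection state) there. Whatever NAT design is chosen, test the failover with the same checks used for the HSRP cut-over: confirm the prefix is still seen from outside, and confirm translations build on the surviving ASA.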