Resilient NAT

Sunset666_2
Level 1

Hi guys

I need to set up an ASA 5520 to correctly NAT over two WAN links. The idea sounds pretty straightforward, but it is not. I have only 2 IPs that are involved in the NAT

192.168.1.10 (NATed Server) -- 172.16.1.10 (Web Server)

I have 2 interfaces that should be applied to it, let's say outside1 and outside2. The server is reachable through each outside interface; the outside interface is selected by dynamic routing, and that is working OK.

So if link outside1 is up, the NAT follows this schema

192.168.1.10 (inside) -- 172.16.1.10 (outside1)

that works fine, but I want it to automagically change over, when the link outside1 is down, to

192.168.1.10 (inside) -- 172.16.1.10 (outside2).

I know I can't have a NAT with 2 IPs and 2 different interfaces (ASDM doesn't allow me to); is there a way to implement this??

22 Replies

andrew.prince
Level 10

I do not know about the ASDM - but from the CLI you can do this with no issues.

It doesn't work. I can create the static NAT through the CLI (with a warning; BTW, ASDM does allow me to create it, with a big warning message). After creating the parallel NAT, my ASA doesn't realize that it should use the one according to the interface that the routing tells it to route the packet through.

I did try to clear the xlate table, but it didn't work; I also tried to disable the interface associated with this NAT.

The only way to make it work is deleting the other NAT in order to have just one active (the one that the routing protocol says is active).

Any other idea??

What version are you running?  And post what you have tried to configure.

8.2

static (inside,outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (inside,outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

The routing is EIGRP, and that is working OK.

OK, the way I read that is: the internal machine 172.16.1.10 will be translated and visible on the outside as 192.168.1.10.

Yes, and it needs to be reached through two WAN links that are quite different, in a failover configuration.

I have a branch office and I want to keep my internal IPs hidden, so I use NAT to achieve this.

Any ideas to implement this on the ASA??

I have thought that I can move the routing failover part to a router and use just one interface on the ASA, but I need to buy the new router. This is only if the ASA can't do the trick.

I just put that into a lab firewall and have no issues; see my test config.

!
interface Ethernet0/0
 nameif Outside1
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif Outside2
 security-level 0
 ip address 10.0.2.1 255.255.255.0
!
interface Ethernet0/5
 nameif Inside
 security-level 100
 ip address 172.16.254.250 255.255.255.0
!
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any host 192.168.1.10 eq telnet
!
static (Inside,Outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (Inside,Outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
!
access-group outside-in in interface Outside1
access-group outside-in in interface Outside2
!
route Outside1 8.8.8.0 255.255.255.0 10.0.1.254 1
route Outside2 9.9.9.0 255.255.255.0 10.0.2.254 1
route Inside 172.16.1.0 255.255.255.0 172.16.254.254 1

ciscoasa# show xlate
2 in use, 2 most used
Global 192.168.1.10 Local 172.16.1.10
Global 192.168.1.10 Local 172.16.1.10
ciscoasa#

From my lab routers, I could ping and telnet to the external address through the 2 separate interfaces to the internal lab router; all works OK.

This is pretty much the scenario; just 2 things I'm missing:

The route to 172.16.1.0 is not applied to Inside; it is applied to each Outside according to the EIGRP process.

I also can see the xlate table correctly active.

I know it should work pretty straightforwardly, as I said, but it doesn't.

Sorry, really confused now - so the 172.16.1.0/24 is NOT on the inside??? Where is it??? Are you saying that 172.16.1.10 is reachable through both Outside1 and Outside2 interfaces, and when you are on the Inside, to get to it you want to use IP address 192.168.1.10?? If that is the case, I am not surprised it does not work, as the config is wrong.

Yes, that is the case

In the branch office I want to reach 172.16.1.10 through both Outside1 and Outside2, hiding 172.16.1.10 behind 192.168.1.10.

Can you tell me if that is achievable and what errors do I have?

I know this is not a usual configuration (at least I haven't found anything like it); I'm sorry to confuse you.

So just to be clear: the Inside network is 192.168.1.0/24, and from outside1 and outside2 you want to connect to 192.168.1.10, BUT you need it via 172.16.1.10?

static (inside,outside1) 172.16.1.10 192.168.1.10
static (inside,outside2) 172.16.1.10 192.168.1.10

To be clear:
inside is 192.168.1.0/24
remote is 172.16.1.0/24

I don't want the inside net (not just 192.168.1.0) to know about 172.16.1.0.

What I need is: if inside telnets to 192.168.1.10, it goes to 172.16.1.10 (independent of which Outside interface is active and of the routing).

So far I have static (inside,outside1) 192.168.1.10 172.16.1.10 (that works pretty well, but if outside1 goes offline I have to change it to outside2, deleting the outside1 one).

Thanks for the clarification - try this config:

static (outside1,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (outside2,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

You might get an error; ignore it.
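The difference between Andrew's lab config and his final suggestion is the direction of the static. In ASA 8.2 syntax the first interface in the pair is where the real address lives and the second is where the mapped address is presented: static (real_ifc,mapped_ifc) mapped_ip real_ip. The lab config, static (Inside,Outside1), presents an Inside host 172.16.1.10 to the Outside as 192.168.1.10; Sunset666_2's requirement is the reverse, a remote host 172.16.1.10 beyond the Outside links presented to Inside as 192.168.1.10, which is what static (outside1,inside) and static (outside2,inside) express. The fragment below is an added example assembled from that suggestion, not Andrew's lab config or anything tested in the thread; the interface names and addresses, the EIGRP AS number 100, the inside-out access-list name, the inside test client 192.168.1.50, and the verification commands at the end are assumptions for illustration. It also carries the two checks a practitioner would want before trusting the change: which static and which egress interface packet-tracer picks for a fresh connection, and that no stale xlate from the old statics survives.

```cisco
! Added example (not from the thread): ASA 8.2 destination NAT toward a remote
! server reachable over two outside interfaces. Interface names, addresses,
! the EIGRP AS number and the ACL name are assumed for illustration.
!
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 10.0.2.1 255.255.255.0
!
interface Ethernet0/5
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Real host 172.16.1.10 sits beyond the outside links; inside clients address it
! as 192.168.1.10. Real interface first, mapped interface second:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip
! One static per outside interface so that either WAN link can carry the flow.
! The ASA proxy-ARPs for the mapped address on the inside segment, so
! 192.168.1.10 must not be assigned to a real inside host.
static (outside1,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (outside2,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
!
! The egress interface for 172.16.1.0/24 is learned by EIGRP over whichever
! WAN link is up; deliberately no static route to the remote network.
router eigrp 100
 network 10.0.1.0 255.255.255.0
 network 10.0.2.0 255.255.255.0
!
! Inside initiates the sessions, so no outside-in entry is needed for this flow.
! Least privilege on the inside edge: only telnet to the mapped address. In 8.2
! the ingress ACL sees the address as it appears on that interface (the mapped
! one), matching how Andrew's outside-in ACL names host 192.168.1.10.
access-list inside-out extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq telnet
access-group inside-out in interface inside
!
! Verification, from enable mode (assumed test client 192.168.1.50):
!   show route                -> which outside interface currently carries
!                                172.16.1.0/24 via EIGRP
!   show eigrp neighbors      -> both WAN neighbors present, or only the
!                                surviving one after a link failure
!   clear xlate               -> drop translations built under the old statics
!   packet-tracer input inside tcp 192.168.1.50 12345 192.168.1.10 23
!                             -> the NAT phase should show the untranslate to
!                                172.16.1.10 and the output interface should
!                                match the EIGRP route shown by "show route"
!   show xlate                -> one Global 192.168.1.10 / Local 172.16.1.10
!                                entry per static that has been exercised
```

Run the packet-tracer check once with both links up and once after shutting the outside1 neighbor, and compare the output interface against the route table each time; if the second run still selects outside1, the xlate was not cleared or the ASA is not re-evaluating the static against the new route, which is exactly the behaviour Sunset666_2 is trying to confirm.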

Thank you Andrew

I'll give it a try tonight since it is a production environment.

I'll let you know the results
