01-19-2012 07:24 AM - edited 03-11-2019 03:16 PM
Hi guys
I need to set up an ASA 5520 to correctly NAT over two WAN links. The idea sounds pretty straightforward but it is not. I have only 2 IPs that are involved with the NAT
192.168.1.10 (NATed server) -- 172.16.1.10 (web server)
I have 2 interfaces that should be applied to it, let's say outside1, outside2. The server is reachable through each outside interface; the outside interface is selected upon dynamic routing and that is working OK.
So if link outside1 is up the Nat follows this schema
192.168.1.10(inside) -- 172.16.1.10(outside1)
that works fine, but I want it to automagically change over when link outside1 is down to
192.168.1.10(inside) -- 172.16.1.10(outside2).
I know I can't have a NAT with 2 IPs and 2 different interfaces (ASDM doesn't allow me to), is there a way to implement this??
01-19-2012 07:38 AM
I do not know about the ASDM - but from the CLI you can do this with no issues.
01-20-2012 05:46 AM
It doesn't work. I can create the static NAT through the CLI (with a warning; BTW ASDM does allow me to create it, with a big warning message). After creating the parallel NAT my ASA doesn't realise that it should use the one corresponding to the interface that the routing tells it to route the packet through.
I did try to clear the xlate table, but it didn't work; I also tried to disable the interface associated with this NAT.
The only way to make it work is deleting the other NAT in order to have just one active (the one that the routing protocol says is active).
Any other idea??
01-20-2012 05:48 AM
What version are you running? And post what you have tried to configure.
01-20-2012 06:43 AM
8.2
static (inside,outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (inside,outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
The routing is eigrp that is working OK
01-20-2012 06:46 AM
OK the way I read that is - the internal machine 172.16.1.10 will be translated and visible on the outside as 192.168.1.10
01-20-2012 06:54 AM
Yes, and it needs to be reached through two WAN links that are way different, in a failover configuration.
I have a branch office and I want to keep my internal IPs hidden, so I use NAT to achieve this.
Any ideas to implement this on the ASA??
I have thought that I can move the routing failover part to a router and use just one interface on the ASA, but I need to buy the new router. This is only if the ASA can't do the trick.
01-20-2012 07:28 AM
I just put that into a lab firewall - and have no issues, see my test config.
!
interface Ethernet0/0
nameif Outside1
security-level 0
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/1
nameif Outside2
security-level 0
ip address 10.0.2.1 255.255.255.0
!
interface Ethernet0/5
nameif Inside
security-level 100
ip address 172.16.254.250 255.255.255.0
!
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any host 192.168.1.10 eq telnet
!
static (Inside,Outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (Inside,Outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
!
access-group outside-in in interface Outside1
access-group outside-in in interface Outside2
!
route Outside1 8.8.8.0 255.255.255.0 10.0.1.254 1
route Outside2 9.9.9.0 255.255.255.0 10.0.2.254 1
route Inside 172.16.1.0 255.255.255.0 172.16.254.254 1
ciscoasa# show xlate
2 in use, 2 most used
Global 192.168.1.10 Local 172.16.1.10
Global 192.168.1.10 Local 172.16.1.10
ciscoasa#
From my lab routers, I could ping and telnet to the external address through 2 separate interfaces to the internal lab router - all works OK.
01-20-2012 07:44 AM
This is pretty much the scenario, just 2 things I'm missing:
The route to 172.16.1.0 is not applied to Inside; it is applied to each Outside according to the EIGRP process.
I also can see the xlate table correctly active.
I know it should work pretty straightforwardly as I said, but it doesn't.
01-20-2012 07:53 AM
Sorry really confused now - so the 172.16.1.0/24 is NOT on the inside??? Where is it??? Are you saying that 172.16.1.10 is reachable thru both Outside1 and Outside2 interfaces, and when you are on the Inside, to get to it you want to use IP address 192.168.1.10?? If that is the case - I am not surprised it does not work, as the config is wrong.
01-20-2012 08:03 AM
Yes, that is the case
In the branch office I want to reach the 172.16.1.10 thru both Outside1 and Outside2 hiding the 172.16.1.10 with 192.168.1.10.
Can you tell me if that is achievable and what errors do I have?
I know this is not a usual configuration (at least I haven't found anything like it). I'm sorry to confuse you.
01-20-2012 08:12 AM
So just to be clear - the Inside network is 192.168.1.0/24; from outside1 and outside2 you want to connect to 192.168.1.10, BUT you need it via 172.16.1.10?
static (inside,outside1) 172.16.1.10 192.168.1.10
static (inside,outside2) 172.16.1.10 192.168.1.10
01-20-2012 08:18 AM
To be clear:
inside is 192.168.1.0/24
remote is 172.16.1.0/24
I don't want inside-net (not just 192.168.1.0) to know 172.16.1.0.
What I need is if inside telnets 192.168.1.10 it goes to 172.16.1.10 (independent from which Outside interface is active and routing)
So far I have static (inside,outside1) 192.168.1.10 172.16.1.10 (that works pretty well, but if outside1 goes offline I have to change it to outside2, deleting outside1).
01-20-2012 08:31 AM
Thanks for the clarification - try this config
static (outside1,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (outside2,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
You might get an error - ignore it.
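A small added check (not from the thread or from Cisco) that illustrates why the interface order in the 8.2 `static` command matters: it parses `static (real_ifc,mapped_ifc) mapped_ip real_ip` lines plus `route` lines and flags any static whose real host is not actually routed out of the declared real interface, which is exactly the mismatch in the original `(inside,outside1)` version. The config is constructed for the example, with plain `route` lines standing in for the EIGRP-learned routes.

```python
import ipaddress
import re

# Constructed sample config (not from a live device): 172.16.1.0/24 is reachable
# via both outside links, as EIGRP provided in the thread, and both NAT variants.
ASA_CONFIG = """
route Outside1 172.16.1.0 255.255.255.0 10.0.1.254 1
route Outside2 172.16.1.0 255.255.255.0 10.0.2.254 1
route Inside 192.168.1.0 255.255.255.0 192.168.1.1 1
static (Inside,Outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (Outside1,Inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
static (Outside2,Inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Split a config text into route tuples and static NAT tuples."""
    routes, statics = [], []
    for line in config.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if m:
            ifc, net, mask, _gw = m.groups()
            routes.append((ifc, ipaddress.ip_network(f"{net}/{mask}")))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics.append((real_ifc, mapped_ifc, mapped_ip, real_ip))
    return routes, statics

def egress_interfaces(routes, ip):
    """Interfaces holding the longest-prefix route(s) to ip (several if equal-cost)."""
    addr = ipaddress.ip_address(ip)
    matches = [(ifc, net) for ifc, net in routes if addr in net]
    if not matches:
        return set()
    best = max(net.prefixlen for _, net in matches)
    return {ifc for ifc, net in matches if net.prefixlen == best}

def check_statics(config):
    """Return a message for each static whose real host is not behind its real interface."""
    routes, statics = parse(config)
    problems = []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        egress = egress_interfaces(routes, real_ip)
        if real_ifc.lower() not in {i.lower() for i in egress}:  # nameif compare, case-insensitive
            problems.append(f"static ({real_ifc},{mapped_ifc}) {mapped_ip} {real_ip}: "
                            f"{real_ip} is routed via {sorted(egress) or 'no route'}, not {real_ifc}")
    return problems
```

Running `check_statics(ASA_CONFIG)` reports only the `(Inside,Outside1)` line, since 172.16.1.10 sits behind the outside links, while the two `(OutsideN,Inside)` entries pass because each names the interface that really reaches the host.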
01-20-2012 08:35 AM
Thank you Andrew
I'll give it a try tonight since it is a production environment.
I'll let you know the results