Also,

As Andrew pointed out, it might not hurt to redo the NAT ordering of your firewall since at the moment the Default PAT rules might override some of your new NAT rules that you configure and you will have to keep an eye where to insert new rules. In general I wouldnt insert NAT rules are the "default" rules for some traffic (Internet in this case) to so high in the priorty of the ASAs NAT configurations.

When configured with the "after-auto" parameter they are inserted into Section 3 where they wont affect the more specific NAT rules.

- Jouni

Thanks both.

Jouni you raised an interesting point regarding our second outside interface.

It's a standby ADSL line that is only used when primary goes down. Our ASA is configured with

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 track 1

route outside_backup 0.0.0.0 0.0.0.0 Y.Y.Y.Y 254

and

sla monitor 123

type echo protocol ipIcmpEcho X.X.X.X interface outside

sla monitor schedule 123 life forever start-time now

I am now wondering if the cause is outside route failover to outside_backup.

We have no L2L VPN configuration in place for outside_backup interface so NAT exemption rules for outside_backup are not needed.

Will take a closer look at the routes when it happens again.

Hi,

Heres one link regarding the changes which have been done in the latest 8 series software. And more specifically between its Maintanance releases 8.4(1) to 8.4(2)

http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/

This is more related to the NAT0 / Identity NAT operation in your software level and how that acts with the Egress interface decision and Route lookups.

- Jouni

Hi,

I have tried lab this setup at home for some time now and I cant really confirm what is stated in the above sites text.

If I understood the situation correctly then when configuring Identity NAT for example for L2L VPN then in software level 8.4(2) the ASA should by default use the NAT configuration to determine the eggress interface for some certain traffic.

In my case it seems that Route Lookup is done even if its not enable in the NAT configuration.

I configure an ASA5520 with 8.4(2) with Dual ISP and ASA 5505 8.2(1) as the L2L VPN Remote Site device.

• I first configured the Dual ISP setup on the ASA5520 and confirmed it was working ok for normal outbound traffic.
• I then configured the ASA5505 and confirmed its connectivity
• I then attached hosts behind both ASAs
• I then configured L2L VPN between the sites while configuring ASA5505 with 2 Peer IPs, both of the WAN IPs of the ASA 5520
• I then configured the Identity NAT from the ASA5520 LAN to the Remote Site LAN for both of the WAN interfaces of the ASA5520
• I remotely blocked the ICMP echo used to monitor the ISP1 link on ASA5520 with the result that 
  • ISP1 default route was switched to ISP2 default route
  • L2L VPN connection switched to use the ISP2 link
  • Traffic from the LAN behind ASA5520 started using the ISP2 link Identity NAT configuration istead of the ISP1 one that is configured before it

To my understanding the above behaviour seems to contradict the text in the above link I posted.

It states that starting from 8.4(2) NAT decides the eggress interface and NOT the Route Lookup. (Though you could configure "route-lookup" separately) In my case wether I configured "route-lookup" or not made no difference. Traffic was still switching between the NAT rules and more specifically the destination/eggress interfaces according to the routing table changes.

Could someone tell me if I am missing something here

According to the above test Andrey, you should be able to make sure that the L2L VPN would work through the other ISP link simply by doing the following things.

• Configure Identity NAT / NAT0 for the other "outside" interface
• Confirm that the remote site has L2L VPN configurations for both of your WAN IPs 
  • crypto map
  • tunnel-group configurations
  • tunnel-group configurations

EDIT:

I first thought the L2L VPN configuration had something to do with this operation and then I built an Identity NAT configuration which destination address isnt behind the L2L VPN and the results were the same. The NAT rule being used got switches as soon as the changes in the default route happend on the ASA.

- Jouni

Message was edited by: Jouni Forss

For the sake of testing I decided to boot the ASA5520 with 8.4(5) software.

After the boot the latest 8.4 software level it would seem that the NAT is NOW behaving the way the Cisco document states but still leaves the question why does the document state that this should already be the case in software 8.4(2)

The release notes of 8.4(2) already state this change in NAT operation

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp535067

So I kind of start to wonder if this is somehow related to some of the bugs in the new Twice NAT / Manual NAT configurations formats.

- Jouni

Hello,

I just confirmed the same behavior than you Jouni, I ran a lab and got the same result,

Routing taking place...

Very interesting. So if I understand this correctly you think we are seen this behaviour because the pimary route goes down?

In that case why do VPN tunnels stay up? When this happens all of our VPN tunnels are active with hours of session time on each. Surely if the default route fails over to outside_backup, IPSEC traffic would be routed out via outside_backup interface and peer IP on our end would be different which should cause IKE phase 1 to fail and L2L VPN session to tear down. Or am I missing something?

Many thanks.  

Hi,

At this point I can only speculate.

In many situation I think a L2L VPN can stay in UP state even though the actual connection isnt working. We dont know what exactly is happening in your situation since we have only seen the NAT configurations. Impossible to do anything else than guess. I dont know if the whole "outside" interface goes down or if there is something else that simply prevents the ICMP tracking from working.

I cant see how your VPN configurations are done. For example is the cryptomap attached to both of the "outside" interfaces and if "crypto ikev1 enable outside_backup" is configured. I can only guess that there is a possibility that if you dont have VPN configurations for the other "outside_backup" interface that the L2L VPN might actually hang on the "outside" interface even though the connection aint working.

As I have said before, I have never had the need to setup a Dual ISP with ASA before so I have never done this in production environment and therefore have never had to troubleshoot it and therefore cant give you an answer right here and now. I did lab this setup at home and still have it there.

What I can say according to the above NAT configuration is that you dont have the L2L VPN related NAT configurations for the "outside_backup" interface so because of that atleast the L2L VPN wont work.

- Jouni

Looks like dual ISP setup was the culprit. I ve increased the tolerance level on the primary route monitoring and we havent had any issues since.

Many thanks for you help.