Cisco Support Community

New Member

Problem with NAT and VPN failover on ASA5512x?

Dear all experts,

Please advise me on static NAT on the ASA5512x, where I am using a failover VPN connection.

Let me share the details below:

On my ASA 5515x I'm using 4 interfaces (Wan, Lan, localLoop01 (VPN01) and localLoop02 (VPN02)). In my configuration I configured failover VPN from HQ to the branches via LocalLoop 01 and LocalLoop 02, and I'm using IP SLA for failover routing. The VPN connection works with the primary (LocalLoop01), and when the primary goes down the routing changes to the backup (LocalLoop02), but we have a problem with the static NAT: it does not work. Please see the commands below:

nat (inside,localLoop01) source static HQ-LAN HQ-LAN destination static branch01 branch01

nat (inside,localLoop02) source static HQ-LAN HQ-LAN destination static branch01 branch01

If I want the backup VPN (LocalLoop02) to come up, I need to delete the static NAT (inside,LocalLoop01); then the secondary VPN is up.

Do you know which command makes the static NAT automatic, so that I don't need to delete the static NAT when the primary goes down?

Best Regards,

Rechard

 

  • VPN
4 REPLIES
VIP Purple

It's very likely that the problem is only the missing keywords "no-proxy-arp route-lookup" in your NAT statements:

nat (inside,localLoop01) source static HQ-LAN HQ-LAN destination static branch01 branch01 no-proxy-arp route-lookup
nat (inside,localLoop02) source static HQ-LAN HQ-LAN destination static branch01 branch01 no-proxy-arp route-lookup

 

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
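An added example, not part of the original replies: a small config audit for the situation in this thread, where the same identity (NAT-exempt) rule is repeated for two egress interfaces. Without route-lookup the ASA takes the egress interface from the matching NAT rule rather than from the routing table, so the first rule keeps pinning traffic to the primary even after the IP SLA route change. The function name audit_identity_nat and the sample configs are constructed for illustration.

```python
import re
from collections import defaultdict

# Twice-NAT line: nat (real_if,mapped_if) source static A B destination static C D [options]
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) source static (?P<s_real>\S+) (?P<s_map>\S+)"
    r" destination static (?P<d_map>\S+) (?P<d_real>\S+)(?P<opts>.*)$"
)

def audit_identity_nat(config_text):
    """Return findings for identity (NAT-exempt) rules that repeat the same
    traffic selector on several egress interfaces without the failover keywords."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        # Identity NAT: source and destination are each mapped to themselves.
        if m["s_real"] != m["s_map"] or m["d_map"] != m["d_real"]:
            continue
        key = (m["real"].lower(), m["s_real"], m["d_real"])
        groups[key].append((m["mapped"], set(m["opts"].split())))
    findings = []
    for (real_if, src, dst), rules in groups.items():
        if len({mapped.lower() for mapped, _ in rules}) < 2:
            continue  # only one egress interface, nothing to fail over to
        for mapped, opts in rules:
            missing = {"no-proxy-arp", "route-lookup"} - opts
            if missing:
                findings.append((real_if, mapped, src, dst, sorted(missing)))
    return findings

# Constructed sample configs built from the two rule sets quoted in this thread.
BEFORE = """\
nat (inside,localLoop01) source static HQ-LAN HQ-LAN destination static branch01 branch01
nat (inside,localLoop02) source static HQ-LAN HQ-LAN destination static branch01 branch01
"""
AFTER = """\
nat (inside,localLoop01) source static HQ-LAN HQ-LAN destination static branch01 branch01 no-proxy-arp route-lookup
nat (inside,localLoop02) source static HQ-LAN HQ-LAN destination static branch01 branch01 no-proxy-arp route-lookup
"""

if __name__ == "__main__":
    for f in audit_identity_nat(BEFORE):
        print("(%s,%s) %s -> %s missing: %s" % (f[0], f[1], f[2], f[3], " ".join(f[4])))
```
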
New Member

Dear Karsten,

Thank you for your command.

I will test this command by the end of this week because the system is running now.

I will let you know after I test.

Best Regards,

Rechard

New Member

Dear Karsten,

Your advice was very nice!!!!

Failover is working now, after I followed the command that you gave me.

Could I ask you one question about port forwarding on the ASA?

If we have 2 ISPs and are using port forwarding, how can we switch the port forwarding to the secondary ISP if the primary goes down?

Best Regards,

Rechard

VIP Purple

Both incoming port-forwardings will work simultaneously, not only when the primary line is down.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni