I am in requirement of double NAT (primary and secondary) in Cisco ASA. I need to configure a single public IP to 2 different inside local IP addresses; in case the primary IP address fails, the ASA should NAT the public IP to the secondary IP. How do I achieve this? I have attached a sample NW diagram to understand more.
My objective is to translate a single public IP to a single private IP (1 to 1 mapping), but in case this fails, the second entry with the same public IP to another private IP has to take care of the NAT decision without a manual entry.
Good question, I think this is difficult on the ASA. You need something to track the 10.0.0.3 and 10.0.0.4 address. You can use object tracking on the ASA for static routes, but not for NAT.
You might be able to pull it off with EEM though. Configure IP SLA, then use EEM to change your NAT configuration when something happens. IP SLA only supports ICMP so it’s not that reliable.
Wouldn’t you be better off adding a load balancer in front of your two servers?
The EEM feature shown in the lesson is for Cisco IOS routers. ASAs have a similar EEM feature as well. You can find out more about it and the method of configuration at this Cisco documentation:
Thanks for the reply. My requirement is to monitor an IP SLA track and take the action using an EEM script in Cisco ASA (5555-X). As mentioned in the tutorial, I can see multiple event conditions including IP SLA in Cisco IOS. But in ASA, there are only 4 event conditions: crash info, syslog ID, timer etc. How could I create an IP SLA event condition in an event applet using an EEM script in Cisco ASA? You can refer to my network diagram.
I see EEM is quite limited on the ASA. The only thing you can do is track a syslog ID:
```
event manager applet depletedblock
 description "Take a snapshot of block output when it is depleted"
 event syslog id 321007 period 600
 action 1 cli command "show blocks pool 1550 dump"
 output file rotate 10
```
Technically, you could probably configure IP SLA with object tracking, then use EEM with the syslog ID for object tracking.
I never tested this so you’d have to lab it up and try. I think you are better off with a load balancer though, you can use IP SLA but all you can do is use ICMP. It’s possible that your server responds to ICMP but that you can’t connect to it, something your ASA will never be able to detect with IP SLA.
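Here is what the "IP SLA + tracked route + EEM on the syslog ID" idea from the reply above looks like as a full ASA configuration. This is an added example, not configuration from the thread or from Cisco; the server addresses 10.0.0.3 and 10.0.0.4 come from the discussion, while the public IP 203.0.113.10, the inside gateway 10.0.0.1, the dummy tracked destination 192.0.2.1 and the object names are constructed for illustration. It assumes the ASA logs syslog 622001 when a tracked route is installed or withdrawn, and that EEM `action cli command` runs in global configuration mode.

```cisco
! Added example (not from the thread). Constructed values: 203.0.113.10 (public IP),
! 10.0.0.1 (inside gateway), 192.0.2.1 (dummy tracked destination), object names.
! From the thread: 10.0.0.3 (primary server), 10.0.0.4 (secondary server).

! 1. Normal state: the public IP is statically translated to the primary server only.
!    (The ASA rejects a second static NAT that overlaps the same mapped IP.)
object network SERVER_PRIMARY
 host 10.0.0.3
 nat (inside,outside) static 203.0.113.10
object network SERVER_SECONDARY
 host 10.0.0.4

! 2. IP SLA probe against the primary server. ASA IP SLA is ICMP echo only,
!    so "reachable" means "answers ping", not "service is up".
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.3 interface inside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! 3. A harmless host route tied to the track. The ASA installs it when the track
!    is up and withdraws it when the track is down, logging syslog 622001 each
!    time. That message is the only hook ASA EEM offers (there is no "event track").
!    192.0.2.1 is an unused test address, so the route never affects real traffic.
route inside 192.0.2.1 255.255.255.255 10.0.0.1 1 track 1
logging enable

! 4. EEM applet: whenever 622001 fires, move the static NAT to the secondary server.
event manager applet NAT_FAILOVER
 description "One-way NAT failover 10.0.0.3 -> 10.0.0.4 on track state change"
 event syslog id 622001
 action 1 cli command "object network SERVER_PRIMARY"
 action 2 cli command "no nat (inside,outside) static 203.0.113.10"
 action 3 cli command "object network SERVER_SECONDARY"
 action 4 cli command "nat (inside,outside) static 203.0.113.10"
 output none
```

Two design caveats follow directly from the limits described in the thread. First, ASA EEM matches only the syslog ID and cannot read the message text, so the applet fires on both the down and the up transition; that is why the example is deliberately one-way (after the primary recovers the NAT stays on 10.0.0.4 until an administrator moves it back, and the repeated run on the "up" event only re-applies an already-present NAT). Second, because the probe is ICMP, a server that still answers ping but has a dead application will never trigger the failover, which is the gap a load balancer with application-level health checks closes. Check the state with `show track 1`, `show sla monitor operational-state` and `show nat` after labbing it.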