Cisco ASA 5520 8.2 / 2 ISPs setup for redundancy / NAT issues

I have a Cisco ASA 5520 firewall running 8.2 code (old NAT code).

I have 2 interfaces, each with a unique ISP attached to them. I want to use one as my primary internet, and one as a backup circuit.

To do this, I followed these instructions from Cisco on how to setup a 2nd default route with a higher metric, and have the primary default route use a track statement to monitor link state of my primary ISP.

The routing works beautifully. When I unplug my primary internet circuit, the metric 1 default route gets removed, and the metric 2 kicks in, making that the live circuit for routing to the internet.

The problem I'm running into is with my Dynamic NAT configuration. I have a Dynamic NAT setup as follows:

nat (Inside) 1

So that represents Global Pool 1, which is my Primary ISP interface. Global Pool 2 is the backup ISP interface

I figured that I could add a 2nd NAT as follows:

nat (Inside) 2

As soon as I do that, I lose all internet connectivity, presumably because my default route is still using the primary ISP, because that circuit is live, and the new NAT is overriding the original NAT.

Is there a way to have both NATs in the configuration at the same time? That way when the primary circuit goes down, and the default route changes, the NAT is there for computers to translate on, over the backup circuit.

I know with code 8.3 and newer this is very easy. I actually have done this with an 8.3 ASA, but unfortunately I don't have the option of upgrading at this time.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vjz1Author Commented:
also, I do have a Security Plus license.
Jan SpringerCommented:
Typically, I would call the outside interfaces outside_1 and outside_2.  Then configure two global PAT statements -- one for each outside interface.

Your inside NAT statement remains the same.  You don't need a second.
Vjz1Author Commented:
Thanks for the quick response.

Any chance you know where to enter a global PAT statement while in ASDM?

I guess I don't understand why my inside NAT statement doesn't need to change. It's currently tied to my OUTSIDE_1 interface. If I need to translate over a different interface, how will that even work?
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

Jan SpringerCommented:
Your inside NAT statement says "NAT anything coming in this interface that transits out an interface defined for the same."  It is tied to your inside interface.

No, to ASDM.  Can you get to CLI?
Vjz1Author Commented:
Ok so here is what I have:

global (Outside_1) 1 interface
global (Outside_2) 2 interface

nat (Inside) 1

With this in place, I translate properly over Outside_1.

What NAT do I need to be able to translate over Outside_2?

Yes, I have CLI access.

I feel like this is so close. I'm just missing one little thing.

Thanks again.
Jan SpringerCommented:
I would make this the first rule for the second interface:

global (Outside_2) 1 interface

Your entire NAT config:

nat (inside) 1
nat (Outside_1) 1 interface
nat (Outside_2) 1 interface

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Vjz1Author Commented:
That did it.

I didn't realize I could add more than 1 interface to the same pool.

Thanks a bunch!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.