We are currently running ASA9 at a location with redundant IP connectivity. We'd love to configure ip sla
so that internet access survives a single carrier outage. I'm aware of the ip sla commands; however, when I've tried to prepopulate the required NAT rules, the addition of the second rule overwrites the first. Here is an example:

```
object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface
```

When I attempt to add an additional NAT rule, perhaps:

```
nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface
```

the new rule overwrites the preexisting rule, like so:

```
object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface
```
Is there any way that I can have both of these rules in place so that NAT can cooperate with our SLA rules to ensure that regardless of which provider is used, NAT still works properly?
The way that we deal with this is to create a separate object group for each interface that we want to have redundant connectivity to. It is a little messy, but it should work for what you need.
So you would have a FIOS object
and a Cogent object
And you should be all set.
It is a pain if you have multiple servers and multiple upstreams, but it works for us. I am sure there is a more streamlined solution and am interested in what others are doing to solve this issue.
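Added example (not from either poster) of the per-interface object layout the answer describes, combined with the tracked default routes that move traffic to Cogent when the FIOS path fails. The object name suffixes, gateway addresses and probe target are placeholders; the subnet and interface names are taken from the question.

```text
! Constructed example, not the poster's configuration. Gateway and probe
! addresses are placeholders; subnet and interface names come from the question.
!
! Auto (object) NAT allows exactly one nat statement per network object,
! which is why the second statement replaced the first. Give the same
! subnet one object per upstream interface instead.
object network NYHQ_GUESTWIRELESS_10.110.6.0_24_FIOS
 subnet 10.110.6.0 255.255.255.0
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface
object network NYHQ_GUESTWIRELESS_10.110.6.0_24_COGENT
 subnet 10.110.6.0 255.255.255.0
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface
!
! Probe the FIOS path. When the probe fails, the tracked default route is
! withdrawn and the higher-metric Cogent default route takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface NYHQ-OUTSIDE_FIOS
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route NYHQ-OUTSIDE_FIOS 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route NYHQ-OUTSIDE_COGENT 0.0.0.0 0.0.0.0 192.0.2.1 254
!
! Only the NAT rule whose interface pair matches the egress interface chosen
! by routing is applied, so each provider gets its own translation.
! Verify with: show nat, show route, show track 1
```

The probe target should be an address reachable only through the FIOS path, otherwise the track never fails over. Translations already built through the failed interface stay in the xlate table until they time out or are cleared, so existing sessions do not move instantly.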