Avoid Double NAT for External Firewall Interface on WAN2

Bswc1420 · April 14, 2014, 3:37am

Hello, I’ve looked over posts similar to my situation but was unable to find an answer.

We currently have 2 Cisco ASA’s deployed in Active/Standby High Availability configuration with 2 internet links.

We have purchased a Peplink Balance 380 and hope to use it to balance the WAN links. I plan to use “Drop-in” mode for WAN 1 but would rather not assign a public IP to WAN2 and avoid using NAT. If this is done, a double NAT scenario would be created as the firewalls are performing NAT as well. Both links are hosting externally available services and double NAT means double the configuration changes. Is there another way to configure the 2nd WAN link?

Thank you,
Ben

TK_Liew · April 14, 2014, 11:29am

Hi,

There is no way to avoid NAT on WAN2. When you enable Drop-in at WAN1, LAN and WAN1 are in bridge mode which are public IPs from ISP1. However WAN2 having different Public IPs from ISP2. In order to allow traffic go out to WAN2, we need to NAT ISP1 to ISP2 IP.

Hope this clear your doubts.

FrontierComputerCorp · April 14, 2014, 9:57pm

Hi Bswc1420,

you may want to take a look at this page as it illustrates drop-in mode with one-to-one NAT mappings for the additional lines
http://www.peplink.com/knowledgebase/configuring-one-to-one-nat-mappings/

I hope this helps

Thanks,
Taylor