Cisco ASA Series Cli Configuration Manual page 1619

Chapter 1 Setting General VPN Parameters
hostname(config-tunnel-general)# no nat-assigned-to-public-ip
Displaying VPN NAT Policies
Address translation uses the underlying object NAT mechanisms; therefore, the VPN NAT policy
displays just like manually configured object NAT policies. This example uses 95.1.226.4 as the assigned
IP and 75.1.224.21 as the peer's public IP:
prompt# show nat
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static _vpn_nat_95.1.226.4 75.1.224.21
prompt# show nat detail
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static _vpn_nat_95.1.226.4 75.1.224.21
Outside is the interface to which the AnyConnect client connects and inside is the interface specific to
the new tunnel group.
Note
Since VPN NAT policies are dynamic and not added to the configuration, the VPN NAT object and NAT
policy are hidden from the show run object and show run nat reports.
Understanding Load Balancing
If you have a remote-access configuration in which you are using two or more ASAs or VPN
Concentrators connected on the same network, you can configure these devices to share their session
load. This feature is called load balancing. To implement load balancing, you group together logically
two or more devices on the same private LAN-to-LAN network, private subnet, and public subnet into a
virtual cluster.
All devices in the virtual cluster carry session loads. Load balancing directs session traffic to the
least-loaded device in the cluster, which distributes the load among all devices. It makes efficient use of
system resources and provides increased performance and high availability.
One device in the virtual cluster, the virtual cluster master, directs incoming traffic to the other devices,
called backup devices. The virtual cluster master monitors all devices in the cluster, keeps track of how
busy each is, and distributes the session load accordingly. The role of virtual cluster master is not tied to
a physical device; it can shift among devices. For example, if the current virtual cluster master fails, one
of the backup devices in the cluster takes over that role and immediately becomes the new virtual cluster
master.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not
tied to a specific physical device. This address belongs to the current virtual cluster master, which makes
it virtual. A VPN client attempting to establish a connection connects first to this virtual cluster IP
address. The virtual cluster master then sends back to the client the public IP address of the least-loaded
available host in the cluster. In a second transaction (transparent to the user), the client connects directly
to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources.
translate_hits = 315, untranslate_hits = 315
translate_hits = 315, untranslate_hits = 315
Source - Origin: 95.1.226.4/32, Translated: 75.1.224.21/32
Understanding Load Balancing
Cisco ASA Series CLI Configuration Guide
1-7