Is an extra layer of NAT okay?

Answered Question

We have an ASA going to a router that is connected to two ISPs, but no BGP. The ASA is using PAT with an IP from ISP-1, so even when traffic is routed out to ISP-2, it comes back via ISP-1. Is it okay to do PAT again on the ISP-2 interface, so traffic will come back to this interface?

Correct Answer by Richard Burts about 8 years 4 months ago

David

The voice of experience says it should work ok. I have a customer where we have a very similar situation. The customer traffic passes through a firewall where the addresses are translated using address space from the primary service provider and forwarded to the router with the connections to a couple of service providers. If the traffic is to be forwarded to the second provider then we translate it again. This is working fine for us.

HTH

Rick

Jon Marshall Fri, 08/29/2008 - 07:09

If the applications work okay with PAT in the first place then there should be no problem with doing PAT on the packet again.

Jon

tdrais Fri, 08/29/2008 - 07:54

The issue you may have is how you decide to route traffic out ISP-1 and ISP-2.

If a single user machine could go out either interface and therefore appear on the internet as two different source addresses, you may have an issue. For most things there are no issues, but one example would be: if traffic to server A goes out ISP-1 and is NATted to IP address X, and traffic to server B goes out ISP-2 and is NATted to IP address Y, and the application on server A authenticates your IP X and then tells server B to allow this IP, then when your traffic actually gets to server B using address Y it will be rejected.

To avoid things like this you need to make sure a single inside machine always appears as the same address. It is a little tougher in your case because the router cannot see the original IP that the ASA NATted.
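The two points made in this thread, that a second PAT on the ISP-2 interface brings replies back over ISP-2 correctly (Jon's and Rick's answers), and that destination-based exit selection can make one inside host show up as two public addresses while the router only ever sees the ASA's outside address (tdrais's answer), can both be seen in a small model. The following is an added illustration, not code from the thread or from Cisco: a toy PAT table, an ASA instance, a router instance for the ISP-2 interface, and a constructed destination-based exit policy (odd last octet goes to ISP-2). All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
ASA_OUTSIDE = "203.0.113.10"     # ASA PATs inside hosts to this ISP-1 address
ROUTER_ISP2 = "198.51.100.10"    # router PATs again on its ISP-2 interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """Minimal PAT: each inside (src, sport) gets its own port on one outside IP,
    and the same table is consulted in reverse for replies."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self._next = first_port
        self._out = {}   # (inside src, inside sport) -> outside port
        self._in = {}    # outside port -> (inside src, inside sport)

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self._out:
            self._out[key] = self._next
            self._in[self._next] = key
            self._next += 1
        return replace(p, src=self.outside_ip, sport=self._out[key])

    def inbound(self, p):
        """Undo the translation for a reply; a reply with no matching state is
        dropped, as a real PAT device would do."""
        if p.dst != self.outside_ip or p.dport not in self._in:
            raise LookupError(f"no translation state for {p.dst}:{p.dport}")
        src, sport = self._in[p.dport]
        return replace(p, dst=src, dport=sport)


asa = Pat(ASA_OUTSIDE)
router_isp2 = Pat(ROUTER_ISP2)


def choose_isp(p):
    """Router exit selection. By the time a packet reaches the router its source
    is always the ASA's outside address, so the (constructed) policy can only be
    destination-based: odd last octet of the destination -> ISP-2."""
    return "ISP2" if int(p.dst.rsplit(".", 1)[1]) % 2 else "ISP1"


def send(p):
    """Carry an inside packet to the internet; return (exit ISP, packet on the wire)."""
    after_asa = asa.outbound(p)
    isp = choose_isp(after_asa)
    if isp == "ISP2":
        return isp, router_isp2.outbound(after_asa)   # second PAT, as the thread proposes
    return isp, after_asa


def reply(isp, on_wire):
    """The server answers the address it saw, so the reply enters on that ISP's
    link and is un-translated in reverse order; returns what the inside host gets."""
    r = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    if isp == "ISP2":
        r = router_isp2.inbound(r)   # addressed to the ISP-2 address: undo router PAT first
    return asa.inbound(r)            # then undo the ASA PAT


def seen_as(inside_src, destinations, sport=40000):
    """Set of public source addresses one inside host presents to the given servers."""
    return {send(Packet(inside_src, sport + i, d, 443))[1].src
            for i, d in enumerate(destinations)}


def router_visible_sources(packets):
    """What the router can tell apart by source after the ASA PAT: one address only."""
    return {asa.outbound(p).src for p in packets}


if __name__ == "__main__":
    host = "10.0.0.5"
    # Server A (even last octet) is reached via ISP-1, server B (odd) via ISP-2,
    # so the same host appears as two different public addresses.
    print("host", host, "seen as", seen_as(host, ["192.0.2.2", "192.0.2.3"]))
    print("router sees sources", router_visible_sources(
        [Packet("10.0.0.5", 1, "192.0.2.2", 80), Packet("10.0.0.6", 1, "192.0.2.2", 80)]))
```

Running the module shows the two-address problem for a host that talks to both servers, and that the router sees a single source address for every inside host, which is why a source-based policy on the router cannot keep one machine on one ISP once the ASA has already translated the traffic.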
