inbound policy nat

WILLIAM STEGMAN
Level 4

I have a scenario with a load balancer that has connections into the networks behind my ASA's inside and dmz interfaces. We'll be migrating all the public facing websites currently sitting on the inside to the dmz, but the problem is that I want to move one service over at a time, and my load balancer is of course only able to have one default route. The return traffic from the load balancer to hosts coming from the Internet needs a route back. What's happening is that servers on either, not both, of the inside and dmz segments are able to communicate with those connections sourced from the Internet. It leads to an asymmetrical routing issue behind the firewall.

Internet -> ASA - DMZ - WebserversDMZ
                    |         |
                 inside -- Load Balancer
                     |
                WebserversINSIDE

Is there a way to create a policy nat that states something like

access-list policyNAT permit ip any host WebserversDMZ

nat (outside) 2 access-list policyNAT

global (outside) 2 10.21.5.5 netmask 255.255.255.224

so that return traffic from a server in the DMZ would see it as a directly connected route and use that route for the return traffic instead of its default route?  Or does this only work for outbound traffic?  I can't see how a static statement would work in this scenario for outside to inside translation. 

thank you

Bill

1 Accepted Solution

Jon Marshall
Hall of Fame


Bill

You can do inbound policy NAT from the outside, although from your example it's not entirely clear what you are trying to do. Is 10.21.5.5 meant to be an address on the DMZ?

Here is an example of inbound policy NAT

access-list PNAT permit ip any host Webserver_dmz

nat (outside) 2 access-list PNAT outside <-- note the additional "outside" keyword at the end, this is important

global (dmz) 2 interface

What the above would do is NAT any source Internet address to the DMZ interface IP address. So the webserver in the DMZ sees the source as the DMZ interface and just sends it back there.

I'm not entirely sure this is what you want though. If not, could you be more specific in what you want?

Jon


3 Replies


Yes, 10.21.5.5 would be an address in the DMZ.  That's perfect.  I applied your suggested config (only one exception, I already had a global (dmz) 1 int command there so I had to use global (dmz) 2 10.21.5.5 netmask 255.255.255.255 ) and I have the web servers from both segments routing correctly now.

thank you!
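To make the asymmetry and the inbound policy NAT fix concrete, here is an added Python model (not from the thread or from Cisco) that traces a web server's reply hop by hop and reports which ASA interface it re-enters on. The 10.21.4.0/27 inside and 10.21.5.0/27 DMZ subnets, the ASA/LB addresses, the client address and the host and load balancer routing tables are constructed assumptions; only 10.21.5.5, the mapped address from Bill's final global (dmz) 2 command, comes from the thread.

```python
import ipaddress

# Constructed lab addressing: the thread names the segments but not their subnets.
# 10.21.5.5 is the mapped address from "global (dmz) 2 10.21.5.5 netmask 255.255.255.255".
ASA_INSIDE = "10.21.4.1"
LB_INSIDE, LB_DMZ = "10.21.4.2", "10.21.5.2"
CLIENT = "198.51.100.7"          # an Internet client (documentation range, constructed)
POLICY_NAT_SRC = "10.21.5.5"     # source the DMZ server sees when the inbound policy NAT matches

# Routing tables as (prefix, gateway) pairs; gateway None means directly connected.
DMZ_SERVER = [("10.21.5.0/27", None), ("0.0.0.0/0", LB_DMZ)]
INSIDE_SERVER = [("10.21.4.0/27", None), ("0.0.0.0/0", LB_INSIDE)]
LOAD_BALANCER = [("10.21.5.0/27", None), ("10.21.4.0/27", None), ("0.0.0.0/0", ASA_INSIDE)]
ASA_CONNECTED = {"10.21.4.0/27": "inside", "10.21.5.0/27": "dmz"}

def lookup(routes, dst):
    """Longest-prefix match; returns the gateway, or None when dst is on a connected subnet."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def asa_interface_for(addr):
    """ASA interface owning the subnet that contains addr, i.e. where a packet re-enters the ASA."""
    for prefix, name in ASA_CONNECTED.items():
        if ipaddress.ip_address(addr) in ipaddress.ip_network(prefix):
            return name
    raise ValueError(addr)

def reply_ingress(server_segment, policy_nat):
    """Trace a web server's reply to an Internet client and return the ASA interface it reaches.
    policy_nat=True models Jon's config: the DMZ server sees the client as 10.21.5.5, an address
    on its own subnet that the ASA answers for (a global pool address), not the real client IP."""
    server = DMZ_SERVER if server_segment == "dmz" else INSIDE_SERVER
    seen_src = POLICY_NAT_SRC if (policy_nat and server_segment == "dmz") else CLIENT
    gw = lookup(server, seen_src)
    if gw is None:                        # connected route wins: the load balancer is never involved
        return asa_interface_for(seen_src)
    gw = lookup(LOAD_BALANCER, seen_src)  # otherwise the LB's single default route decides
    return asa_interface_for(gw)

def symmetric(server_segment, policy_nat):
    """True when the reply re-enters the ASA on the interface the connection was built toward.
    A TCP reply arriving on any other interface has no matching connection there and is dropped."""
    return reply_ingress(server_segment, policy_nat) == server_segment

if __name__ == "__main__":
    for seg in ("inside", "dmz"):
        for pn in (False, True):
            state = "ok" if symmetric(seg, pn) else "asymmetric"
            print(f"{seg:6} server, policy NAT {'on ' if pn else 'off'}: "
                  f"reply arrives on {reply_ingress(seg, pn)} -> {state}")
```

The trade-off for a defender: once the policy NAT is in place the DMZ server logs 10.21.5.5 as the source of every Internet request, so attributing a request to a real client address has to come from the ASA's connection and translation logging rather than from the web server.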

francisco_1
Level 7

Bill,

Is the LB the gateway for the servers?

If not, I worked with a similar design where the LB is not the gateway for the servers; instead the servers use a switch (HSRP) as their gateway and the switch connects via another VLAN to the upstream LB. The load balancer we used was a Cisco ACE in one-arm mode with a single VLAN interface, a default route to the upstream firewall and another route towards the servers southbound.

With servers having multiple interfaces and more than one exit interface, we used SNAT (Source NAT) on the ACE to direct return traffic always back through the ACE LB.

Hope that helps

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
