02-16-2010 07:17 AM - edited 03-11-2019 10:10 AM
I have a scenario with a load balancer that has connection into the networks behind my ASA's inside and dmz interface. We'll be migrating all the public facing websites currently sitting on the inside to the dmz, but the problem is that I want to move one service over at a time, but my load balancer is of course only able to have one default route. The return traffic from the load balancer to hosts coming from the Internet needs a route back. What's happening is servers on either, not both, of the inside and dmz segments are able to communicate with those connections sourced from the Internet. It leads to an asymmetrical routing issue behind the firewall.
Internet -> ASA - DMZ - WebserversDMZ
| |
inside -- Load Balancer
|
WebserversINSIDE
Is there a way to create a policy nat that states something like
access-list policyNAT perm ip any host WebserversDMZ
nat (outside) 2 access-li policyNAT
global (outside) 2 10.21.5.5 netmask 255.255.255.224
so that return traffic from a server in the DMZ would see it as a directly connected route and use that route for the return traffic instead of its default route? Or does this only work for outbound traffic? I can't see how a static statement would work in this scenario for outside to inside translation.
thank you
Bill
02-16-2010 08:28 AM
wstegman wrote:
I have a scenario with a load balancer that has connection into the networks behind my ASA's inside and dmz interface. We'll be migrating all the public facing websites currently sitting on the inside to the dmz, but the problem is that I want to move one service over at a time, but my load balancer is of course only able to have one default route. The return traffic from the load balancer to hosts coming from the Internet needs a route back. What's happening is servers on either, not both, of the inside and dmz segments are able to communicate with those connections sourced from the Internet. It leads to an asymmetrical routing issue behind the firewall.
Internet -> ASA - DMZ - WebserversDMZ
| |
inside -- Load Balancer
|
WebserversINSIDE
Is there a way to create a policy nat that states something like
access-list policyNAT perm ip any host WebserversDMZ
nat (outside) 2 access-li policyNAT
global (outside) 2 10.21.5.5 netmask 255.255.255.224
so that return traffic from a server in the DMZ would see it as a directly connected route and use that route for the return traffic instead of its default route? Or does this only work for outbound traffic? I can't see how a static statement would work in this scenario for outside to inside translation.
thank you
Bill
Bill
You can do inbound policy NAT from the outside, although from your example it's not entirely clear what you are trying to do. Is 10.21.5.5 meant to be an address on the DMZ?
Here is an example of inbound policy NAT
access-list PNAT permit ip any host Webserver_dmz
nat (outside) 2 access-list PNAT outside <-- note the additional "outside" keyword at the end, this is important
global (dmz) 2 interface
What the above would do is NAT any source Internet address to the DMZ interface IP address. So the webserver in the DMZ sees the source as the DMZ interface and just sends it back there.
I'm not entirely sure this is what you want though. If not, could you be more specific in what you want?
Jon
02-16-2010 08:48 AM
Yes, 10.21.5.5 would be an address in the DMZ. That's perfect. I applied your suggested config (only one exception, I already had a global (dmz) 1 int command there so I had to use global (dmz) 2 10.21.5.5 netmask 255.255.255.255 ) and I have the web servers from both segments routing correctly now.
thank you!
02-16-2010 08:56 AM
Bill,
Is the LB the gateway for the servers?
If not, I worked with a similar design where the LB is not the gateway for the servers; instead the servers use a switch (HSRP) as their gateway and the switch connects via another VLAN to the upstream LB. The load balancer we used was Cisco ACE acting in one-arm mode with a single VLAN interface, with a default route to the upstream firewall and another route towards the servers southbound.
With servers having multiple interfaces and more than one exit interface, we used SNAT (Source NAT) on the ACE to direct return traffic always back through the ACE LB.
Hope that helps
http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
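As an added illustration (not code from the thread or from Cisco), the following Python model shows why the inbound source NAT in Jon's answer, and equally the SNAT on the ACE in the reply above, makes the return path symmetric: without the source rewrite the DMZ web server's reply follows its default route to the load balancer, which forwards it out its own single default route so it reaches the ASA on the inside interface; with the rewrite the reply address is on-link and goes straight back to the dmz interface. All addresses are constructed; only the 10.21.5.x range comes from the thread, and the dmz interface IP, inside network and LB leg addresses are assumptions.

```python
import ipaddress

# Constructed addressing following Bill's diagram; only the 10.21.5.x range
# comes from the thread, everything else is an assumed value.
ASA_DMZ_IF = ipaddress.ip_address("10.21.5.1")      # ASA dmz interface ("global (dmz) 2 interface")
ASA_INSIDE_IF = ipaddress.ip_address("10.1.1.1")    # ASA inside interface
DMZ_NET = ipaddress.ip_network("10.21.5.0/27")
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
LB_DMZ_LEG = ipaddress.ip_address("10.21.5.30")     # load balancer's leg in the DMZ
WEB_DMZ = ipaddress.ip_address("10.21.5.10")        # Webserver_dmz from the PNAT ACL
CLIENT = ipaddress.ip_address("203.0.113.7")        # Internet client (documentation range)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routing tables as (prefix, next hop, egress interface); next hop None = directly connected.
WEB_DMZ_ROUTES = [(DMZ_NET, None, "dmz"), (DEFAULT, LB_DMZ_LEG, "dmz")]
# The LB has legs on both segments but, as Bill notes, only one default route.
LB_ROUTES = [(DMZ_NET, None, "dmz"), (INSIDE_NET, None, "inside"),
             (DEFAULT, ASA_INSIDE_IF, "inside")]

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, egress_interface)."""
    _, nh, iface = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return nh, iface

def inbound_policy_nat(src, dst, enabled):
    """Model of 'nat (outside) 2 access-list PNAT outside' + 'global (dmz) 2 interface':
    an outside flow matching the ACL (any -> Webserver_dmz) has its source rewritten
    to the ASA's dmz interface address. The ACE SNAT design works the same way, with
    the ACE's own address as the new source."""
    return ASA_DMZ_IF if enabled and dst == WEB_DMZ else src

def reply_arrives_on(policy_nat):
    """ASA interface on which the DMZ web server's reply to the client shows up.
    The forward flow left the ASA on 'dmz', so only 'dmz' is a symmetric path."""
    seen_src = inbound_policy_nat(CLIENT, WEB_DMZ, policy_nat)
    nh, iface = lookup(WEB_DMZ_ROUTES, seen_src)
    if nh is None:
        # On-link delivery: the reply goes straight to the ASA's dmz address.
        return iface
    # Otherwise the server hands the reply to the LB, which uses its one default route.
    _, lb_iface = lookup(LB_ROUTES, seen_src)
    return lb_iface

def is_symmetric(policy_nat):
    return reply_arrives_on(policy_nat) == "dmz"

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"policy NAT {'on ' if enabled else 'off'}: reply arrives on {reply_arrives_on(enabled)}")
```

The asymmetric case is exactly the symptom in the thread: the ASA built the connection on dmz, so a reply arriving on inside has no matching flow and is dropped.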