ASA 5510 NAT Issue


Hi,


We have replaced our PIX with an ASA 5510 and are running ASA Version 8.3(1) & asdm-631.bin.


We have 1 ASA and 2 WANs. So I have configured failover, so that if the primary WAN fails the secondary will be active, which works fine. The only problem is the NAT rules. If I have 2 sets of NAT rules, 1 for WAN1 & 1 for WAN2, only the 1st NAT rule corresponding to the active WAN circuit in the NAT list works and none of the other rules work.


I have copied some NAT config below (I have not got the WAN2 NAT rules in there. If I have them, then the problem will reoccur) and have also attached an ASDM screenshot of the NAT rules. Lastly, just so that you have a better idea, what I want to achieve is for Static NAT to work in case of WAN failover. Do I need Twice NAT and how do I configure it?


Regards,

Sidd.


!
interface Ethernet0/0
nameif LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif WAN1
security-level 0
ip address 83.244.238.162 255.255.255.240
!
interface Ethernet0/3
nameif WAN2
security-level 0
ip address 79.173.151.178 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2
nat (LAN,WAN1) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25
!
object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
!
nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN1
access-group LAN_access_in in interface LAN
access-group global_access global
route WAN1 0.0.0.0 0.0.0.0 83.244.238.161 1 track 1
route WAN2 0.0.0.0 0.0.0.0 79.173.151.177 254


NAT Rules.JPG

Panos Kampanakis Tue, 07/20/2010 - 06:15

I see


nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2
nat (LAN,WAN1) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25
!
object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
!
nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN1


Can you explain what statements work, what break?

And put in any nat statements that are not there or cause issues?


PK

Hi pkampana,



1st of all you can ignore

nat (LAN,WAN1) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25


as it looks like a garbage entry which relates to nothing. Also, the WAN1 IP is 83.244.238.162 and the WAN2 IP is 79.173.151.178.


So, if I have the following config, then only the 1st NAT rule gets matched and nothing else works.


object network NTSERVER02-WAN1
host 192.168.1.3
object network NTSERVER04-WAN1
host 192.168.1.10
object network NTSERVER06-WAN1
host 192.168.1.46
object network NTSERVER02-WAN2
host 192.168.1.3
object network NTSERVER04-WAN2
host 192.168.1.10
object network NTSERVER06-WAN2
host 192.168.1.46



object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180


object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.181


object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.179


nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN1
nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2


Thanks!

Sidd.

Panos Kampanakis Wed, 07/21/2010 - 06:10

OK.


So, "nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2" is the only one that is kicking in and nothing else works?


There is a defect where overlapping manual nat statements cause issues for subsequent nats.


"nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface" overlaps with "nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2" and I think that is why you are seeing the issue.


I would suggest checking the logs for the failing packets and, if you see something like "NAT reverse path check", opening a case with TAC to verify the bug and get an image with a fix. You can also use packet tracer to see what is going to happen to a flow that doesn't work.


I hope it helps.


PK

Hi pkampana,


What happens is, when I have these rules (in the order in my previous post) and I am on WAN1, then the 1st match in the list will work, i.e.

object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164


So only host NTSERVER02-WAN1 (which has IP 192.168.1.3) will be able to browse the Internet and nothing else will be able to access the Internet.


If WAN1 fails and WAN2 is active, then again the 1st match in the list will work, i.e.

object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180


will kick in and only NTSERVER02-WAN2 (which has IP 192.168.1.3) will be able to access the Internet and nothing else will be able to access the Internet.


Hence I wonder if I need twice NAT, http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_rules.html

as I have 2 static NAT rules for the same host NTSERVER02 along with other static NAT rules for the others. And I also have 2 dynamic NAT rules for the same internal subnet to access the Internet on WAN1 & WAN2.


Lastly, if I remove all NAT entries that relate to WAN2, all NAT entries for WAN1 work fine.


I think it is a configuration problem.


Regards,

Sidd.

August Ritchie Thu, 07/22/2010 - 09:30

What happens if, instead of using any, you use the actual interfaces?




object network NTSERVER02-WAN1
nat (LAN,WAN1) static 83.244.238.164
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.180


object network NTSERVER04-WAN1
nat (LAN,WAN1) static 83.244.238.165
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.181


object network NTSERVER06-WAN1
nat (LAN,WAN1) static 83.244.238.163
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.179

eastviewit Tue, 08/17/2010 - 13:17

Sidd,


Did you by any chance notice you have three NTSERVER02-WAN2 objects listed?


object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180


object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.181


object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.179



This might be all wrong, I'm just a general admin that struggled to make 8.3 NAT work right. No certs, no credentials.



object network NTSERVER02-WAN1
host 192.168.1.3
object network NTSERVER04-WAN1
host 192.168.1.10
object network NTSERVER06-WAN1
host 192.168.1.46
object network NTSERVER02-WAN2
host 192.168.1.3
object network NTSERVER04-WAN2
host 192.168.1.10
object network NTSERVER06-WAN2
host 192.168.1.46
!
object network NTSERVER02-WAN1
nat (LAN,WAN1) static 83.244.238.164
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.180
object network NTSERVER04-WAN1
nat (LAN,WAN1) static 83.244.238.165
object network NTSERVER04-WAN2
nat (LAN,WAN2) static 79.173.151.181
object network NTSERVER06-WAN1
nat (LAN,WAN1) static 83.244.238.163
object network NTSERVER06-WAN2
nat (LAN,WAN2) static 79.173.151.179
!
nat (LAN,WAN1) after-auto source dynamic LAN interface
nat (LAN,WAN2) after-auto source dynamic LAN interface
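An added lint (not from the thread or Cisco) that catches the two problems raised above in an ASA 8.3-style config: an object re-entered with a second nat line (an object holds one NAT rule, so the later one replaces the earlier) and nat (any,any) rules that should name real interfaces. SAMPLE_CONFIG is a constructed cut of the posted snippet.

```python
"""Lint ASA 8.3 object NAT for duplicate per-object nat lines and (any,any) rules."""
import re
from collections import OrderedDict

# Constructed sample: first three objects from the posted config, including the
# accidental second 'object network NTSERVER02-WAN2' that carries the WAN2 rule
# meant for NTSERVER04.
SAMPLE_CONFIG = """\
object network NTSERVER02-WAN1
host 192.168.1.3
object network NTSERVER04-WAN1
host 192.168.1.10
object network NTSERVER02-WAN2
host 192.168.1.3
object network NTSERVER04-WAN2
host 192.168.1.10
object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180
object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.181
"""

NAT_RE = re.compile(r"^nat\s*\((\w+),(\w+)\)\s+(.*)$")

def parse_objects(config):
    """Return {name: {'host': ip or None, 'nats': [(src_if, dst_if, rest)]}} in config order."""
    objs, current = OrderedDict(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]          # re-entering an object keeps its earlier lines
            objs.setdefault(current, {"host": None, "nats": []})
        elif line == "!":
            current = None                     # section break: following nat lines are manual NAT
        elif current and line.startswith("host "):
            objs[current]["host"] = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            objs[current]["nats"].append((m.group(1), m.group(2), m.group(3)))
    return objs

def lint(config):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    for name, o in parse_objects(config).items():
        if len(o["nats"]) > 1:
            findings.append(f"{name}: {len(o['nats'])} nat lines, only the last "
                            f"('{o['nats'][-1][2]}') stays in effect")
        if o["host"] and not o["nats"]:
            findings.append(f"{name}: host {o['host']} has no nat rule")
        for src, dst, _ in o["nats"]:
            if "any" in (src, dst):
                findings.append(f"{name}: nat ({src},{dst}) should name real interfaces")
    return findings
```

Running lint(SAMPLE_CONFIG) reports NTSERVER02-WAN2 carrying two nat lines and NTSERVER04-WAN2 left with none, which is exactly the typo eastviewit spotted.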
