Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1454
Views
0
Helpful
9
Replies

ASA 5510 NAT Issue

sidd
Level 1
Level 1

‎07-20-2010 06:05 AM - edited ‎03-11-2019 11:13 AM

Hi,

   We have replaced our PIX with ASA 5510 and are running, ASA Version 8.3(1) & asdm-631.bin.

    We have 1 ASA and 2 WAN's. So I have configured Failover, so that if primary WAN fails secondary will be active, which works fine. Only problem is NAT rules. So, if I have 2 set of NAT rules 1 for WAN1 & 1 for WAN2, only 1st NAT rule corresponding to the active WAN circuit in the NAT list works and none of other rules work.

   I have copied some nat config below (I have not got WAN2 nat rules in there. If I have them, then problem will reoccur)  and have also attached ASDM screeshot of NAT rules. Lastly, just so that you have better idea, what I want to achieve is Static NAT to work in case of WAN failover. Do I neeed Twice NAT and hopw to configure?

Regards,

Sidd.

!
interface Ethernet0/0
nameif LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif WAN1
security-level 0
ip address 83.244.238.162 255.255.255.240
!
interface Ethernet0/3
nameif WAN2
security-level 0
ip address 79.173.151.178 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2
nat (LAN,WAN1) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25
!
object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
!
nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN1
access-group LAN_access_in in interface LAN
access-group global_access global
route WAN1 0.0.0.0 0.0.0.0 83.244.238.161 1 track 1
route WAN2 0.0.0.0 0.0.0.0 79.173.151.177 254

NAT Rules.JPG

Labels:
0 Helpful
9 Replies 9

Panos Kampanakis
Cisco Employee
Cisco Employee

‎07-20-2010 06:15 AM

I see

nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet 
Access For LAN Using WAN2
nat (LAN,WAN1) source static 
NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static
 NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25
!
object
 network NTSERVER02-WAN1
 nat (any,any) static 83.244.238.164
object
 network NTSERVER04-WAN1
 nat (any,any) static 83.244.238.165
object
 network NTSERVER06-WAN1
 nat (any,any) static 83.244.238.163
!
nat
 (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description 
Internet Access For LAN Using WAN1

Can you explain what statements work, what break?

And put in any nat statements that are not there or cause issues?

PK

0 Helpful

sidd
Level 1
Level 1
In response to Panos Kampanakis

‎07-21-2010 02:42 AM

Hi pkampana,

    1st of all you can ignore,

nat (LAN,WAN1) source static  NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static  NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25

    As it looks like a garbage entry, which relates to nothing. Also, WAN1 IP is 83.244.238.162, WAN2 IP is 79.173.151.178

    So, if I have following config, then only 1st NAT rule gets matched and nothing else works.

object network NTSERVER02-WAN1
host 192.168.1.3
object network NTSERVER04-WAN1
host 192.168.1.10
object network NTSERVER06-WAN1
host 192.168.1.46
object network NTSERVER02-WAN2
host 192.168.1.3
object network NTSERVER04-WAN2
host 192.168.1.10
object network NTSERVER06-WAN2
host 192.168.1.46


object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180

object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.181

object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.179

nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN1
nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2

Thanks!

Sidd.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Panos Kampanakis

‎07-21-2010 06:10 AM

OK.

So, "nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2" is the only one that is kicking in and nothing else works?

There is a defect where overlapping manual nat statements cause issues for subsequent nats.

"nat (LAN,WAN1) after-auto source dynamic LAN-Subnet interfaced"overlaps with "nat (LAN,WAN2) source dynamic LAN-Subnet interface description Internet Access For LAN Using WAN2" nad I think that is why you are seeing the issue.

I would suggest checking the logs for that failing packets and if you see something like "NAT reverse path check" to open a case with TAC to verify the bug and get an image with a fix. You can also use packet tracer to see what is going to happen to a flow that doesn't work.

I hope it helps.

PK

0 Helpful

sidd
Level 1
Level 1
In response to Panos Kampanakis

‎07-21-2010 07:12 AM

Hi pkampana,

   What happens is, when I have these rules (in the order in my previous post) and if I am on WAN1, then the 1st match in the list will work. ie.

object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164

   So only host NTSERVER02-WAN1 (which has IP 192.168.1.3) will be able to browse Internet and nothing else will be able to access Internet.

   If WAN1 fails and WAN2 is active then again  the 1st match in the list will work, ie.

object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180

   will kick in and only NTSERVER02-WAN2  (which has IP 192.168.1.3) will be able to access Internet and nothing else will be able to access Internet.

  Hence I wonder if I need twice NAT, http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_rules.html

as I have 2 static nat rules for same host NTSERVER02 with other static nat rules for others. And also have 2 dynamic NAT rules for the same Internal subnet to access Internet on WAN1 & WAN2

   Lastly if I remove all NAT entries that relate to WAN2, all NAT entries for WAN1 work fine.

   I think it is a configuration problem.

Regards,

Sidd.

0 Helpful

sidd
Level 1
Level 1
In response to sidd

‎07-21-2010 09:41 AM

Hi pkampana,

   About the packet tracer. It dosen't report failure.

   Any suggestion will be helpful.

Regards,

Sidd.

0 Helpful

sidd
Level 1
Level 1
In response to sidd

‎07-22-2010 08:30 AM

Any suggestions anyone?

Regards,

Sidd.

0 Helpful

August Ritchie
Level 1
Level 1
In response to sidd

‎07-22-2010 09:30 AM

What happens if instead of using any you use the actual interfaces?

object network NTSERVER02-WAN1
nat (LAN,WAN1) static 83.244.238.164
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.180

object network NTSERVER04-WAN1
nat (LAN,WAN1) static 83.244.238.165
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.181

object network NTSERVER06-WAN1
nat (LAN,WAN1) static 83.244.238.163
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.179

0 Helpful

sidd
Level 1
Level 1
In response to August Ritchie

‎07-28-2010 02:52 AM

Hello,

   I have tried what you suggested, but same results. Not sure what to do next?

Regards,

Sidd.

0 Helpful

eastviewit
Level 1
Level 1
In response to sidd

‎08-17-2010 01:17 PM

Sidd,

Did you by any chance notice you have three NTSERVER02-WAN2 objects listed?

object network NTSERVER02-WAN1
nat (any,any) static 83.244.238.164
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.180

object network NTSERVER04-WAN1
nat (any,any) static 83.244.238.165
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.181

object network NTSERVER06-WAN1
nat (any,any) static 83.244.238.163
object network NTSERVER02-WAN2
nat (any,any) static 79.173.151.179

This might be all wrong, I'm just a general admin that struggled to make 8.3 NAT work right. No certs, no credentials.


object network NTSERVER02-WAN1
host 192.168.1.3
object network NTSERVER04-WAN1
host 192.168.1.10
object network NTSERVER06-WAN1
host 192.168.1.46
object network NTSERVER02-WAN2
host 192.168.1.3
object network NTSERVER04-WAN2
host 192.168.1.10
object network NTSERVER06-WAN2
host 192.168.1.46
!
object network NTSERVER02-WAN1
nat (LAN,WAN1) static 83.244.238.164
object network NTSERVER02-WAN2
nat (LAN,WAN2) static 79.173.151.180
object network NTSERVER04-WAN1
nat (LAN,WAN1) static 83.244.238.165
object network NTSERVER04-WAN2
nat (LAN,WAN2) static 79.173.151.181
object network NTSERVER06-WAN1
nat (LAN,WAN1) static 83.244.238.163
object network NTSERVER06-WAN2
nat (LAN,WAN2) static 79.173.151.179
!
nat(LAN,WAN1) after-auto source dynamic LAN interface
nat(LAN,WAN2) after-auto source dynamic LAN interface

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card