Multiple Outside NAT ranges?

Answered Question
Jul 13th, 2006

Hi -


Hopefully someone can advise me if this scenario is possible.


Here is my situation. I just installed a second WAN link and an additional border router to dual-home ISPs using BGP. For ease of management we are just going to use one of the 2 /24 networks we currently control, however the one we are going to eventually use, is the new block obtained from the second ISP, which of course means going through an ip address change.


I am trying to avoid a plan where I have to change all the public IP addresses on one weekend, due to the amount of different VPN and other IP specific connections other organizations have with us, so I was trying to plan a gradual changeover.


I have only one 515 (6.3) for outbound traffic, and adding another one is not possible for about 6 months (lease return is scheduled for that time in which we will move to the ASA). Eventually the outside addresses of the firewall will be a single /24 network, but in the meantime I would like to use both ranges (using NAT) on the firewall.


Currently by design, the GW for the firewall is a gig port on the original router. That router is using static routes for egress and ingress traffic to our ASN, but the newly installed router is using BGP. Before I turn up BGP on the original router, I have a gig link between the two and I want to implement policy-based routing to set all traffic sourced from the new /24 range with a next-hop to the new router running BGP.


I tried this yesterday, and I had no connectivity to even ping the border router using this new set of IPs. Is it possible to set up these two ranges of IPs for NAT on the firewall, and have both ranges use the same gateway IP address?


I know this is probably confusing, so if you need clarification in any area, just let me know.


Thanks for all your help.



Correct Answer
grant.maynard Thu, 07/13/2006 - 07:38

I can't see why this wouldn't work as long as you've got config control of next hop router outside PIX. Set up first subnet as normal, then route your second subnet to IP of PIX. Set up NATs on PIX as desired. On gateway router you'd need to set up policy routing (route map) so it uses an ACL to look at the source IP arriving from the PIX, routes one public range to one ISP, second range to other ISP.

ryan.bachman Thu, 07/13/2006 - 07:55

Please excuse my stupidity, it was a late night last night, especially working with AT&T. The ACL on the firewall defining the second NAT range was off, and I overlooked it a couple dozen times. I thought it was supposed to work. The issue is now resolved. Thanks for your time in helping me! I am off to get some coffee now.
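As an added worked example of the arrangement grant.maynard describes (this is not configuration from the original thread, and none of the posters supplied it), here is the shape of the PIX 6.3 and IOS configuration: the new range is policy-NATed on the PIX, the gateway router routes the new range at the PIX and policy-routes anything sourced from it towards the BGP router, and the BGP router announces the range and sends return traffic back over the gig link. Every address, name, interface number and the ASN is an assumption: 192.0.2.0/24 stands for the original range on the PIX outside interface, 198.51.100.0/24 for the new range from the second ISP, 10.255.0.0/30 for the gig link between the two border routers, 10.0.0.0/8 for the inside network, and 64496 for the ASN.

```text
! ===== PIX 515 (6.3): two public ranges behind one outside interface =====
! Assumed addressing: outside 192.0.2.1/24, default gateway 192.0.2.254 (original router)
ip address outside 192.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

! Policy NAT: inside hosts matched by this ACL are translated into the NEW range.
! This is the piece that was missing in the thread; without the ACL, nat id 2 never matches.
! (PIX uses subnet masks in ACLs, not wildcard masks.)
access-list NEW-RANGE-HOSTS permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 2 access-list NEW-RANGE-HOSTS
global (outside) 2 198.51.100.10-198.51.100.200 netmask 255.255.255.0

! Everyone else keeps using the original range (PAT on one address here).
! nat statements that carry an access-list are evaluated before plain nat statements,
! so the overlap with 10.0.0.0/8 is intentional.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 192.0.2.10 netmask 255.255.255.255

! A server that has already moved to the new range (inside 10.1.2.5 reachable as 198.51.100.5).
static (inside,outside) 198.51.100.5 10.1.2.5 netmask 255.255.255.255 0 0

! Outside-in ACL. In 6.3 the destination is the TRANSLATED (public) address.
! PIX 6.3 does not track ICMP statefully, so a ping from inside needs echo-reply
! permitted here or the test in the question fails even when NAT and routing are right.
access-list OUTSIDE-IN permit tcp any host 198.51.100.5 eq 443
access-list OUTSIDE-IN permit icmp any any echo-reply
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside

! ===== Original border router (IOS): next hop for the PIX outside =====
! The new /24 is not on the PIX interface subnet, so the PIX will not proxy-ARP for it;
! packets TO the new range need an explicit route at the PIX outside address.
ip route 198.51.100.0 255.255.255.0 192.0.2.1

! Match traffic FROM the new range (wildcard mask syntax on IOS).
ip access-list extended FROM-NEW-RANGE
 permit ip 198.51.100.0 0.0.0.255 any

! Steer matched traffic to the BGP router; anything unmatched is routed normally (old ISP).
route-map PBR-NEW-RANGE permit 10
 match ip address FROM-NEW-RANGE
 set ip next-hop 10.255.0.2

interface GigabitEthernet0/0
 description PIX outside segment
 ip address 192.0.2.254 255.255.255.0
 ip policy route-map PBR-NEW-RANGE
! PBR only acts on packets ARRIVING on the interface it is applied to.

interface GigabitEthernet0/1
 description gig link to new BGP router
 ip address 10.255.0.1 255.255.255.252

! ===== New border router (IOS): announces the new /24, returns traffic via the old router =====
interface GigabitEthernet0/1
 description gig link to original router
 ip address 10.255.0.2 255.255.255.252

! The static route both carries inbound traffic back towards the PIX and satisfies
! the "network" statement, which only announces a prefix present in the routing table.
ip route 198.51.100.0 255.255.255.0 10.255.0.1
router bgp 64496
 network 198.51.100.0 mask 255.255.255.0
```

Two checks are worth doing before declaring it working. On the PIX, `show access-list NEW-RANGE-HOSTS` should show a non-zero hit count and `show xlate` should show translations into 198.51.100.x after an inside host in the matched subnet sends traffic; zero hits is the symptom of the missing or mis-scoped ACL that ended this thread. On the original router, `show route-map PBR-NEW-RANGE` shows policy match counts, and `traceroute` from a host in the new range should leave through the BGP router. If the route-map does not match, packets sourced from the new range exit via the original ISP, whose ingress source filtering will typically drop them because that prefix is not announced there; from the inside this looks exactly like "no connectivity at all", which is easy to confuse with a NAT problem.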
