ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failover on ASA Firewall


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE certifications in Security (#22164).

Remember to use the rating system to let Amitashwa know if you have received an adequate response.

Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

49 REPLIES
New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amitashwa,

We have two ASA 5540s. We are setting up Load Balancing (Active/Active). Load Balancing works great with the Cisco VPN client. However, is it possible to set up Load Balancing for Site-to-Site VPN?

Thank you.

Diane

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Diane,

Based on the description that you have provided, this is more of a question about VPN load balancing than about Active/Active failover on the ASA. However, to answer your query: VPN load balancing/clustering is only supported for remote access WebVPN and IPsec on the ASA. It is unfortunately not supported for Site-to-Site VPN on the ASA.

Let me know in case of further questions or concerns.

Regards,

Amitashwa

New Member

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Greeting,

We have two ISPs connected to an ASA 5510, and we have configured one as the primary and the other as a backup. I'd like to know if there is a way that, with the ASA, we can do load balancing across both ISPs.

Thanks in advance,

Luis

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Luis,

Load balancing using dual ISPs is not possible on ASA platforms. However, you can still fail over to another ISP in the event your primary ISP fails, using the SLA monitoring feature on the ASA.

Here's a link which explains ISP fallback on ASA :

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also, please refer to the link given below to understand the other options that you have in the case of dual ISPs on the ASA:

https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have

Hope it helps. Let me know in case of any questions or concerns.

Regards,

Amitashwa

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hello Amitashwa,

I have the following two questions:

(1) I have an ASA firewall running code 7.2(3) in an Active/Standby setup. With this FW I have multiple zones, but my concern in this question is only about three zones.

From inside to outside, I have an IPsec tunnel with a client; my internal network is (172.19.25.0/24 - 172.20.168.0/22), the client network is (172.17.5.0/24 & 172.17.6.0/24). The tunnel is active and both networks are reachable in both directions.

From the inside to (ASD_VPN), another zone, I have normal PAT. Some of my internal networks are able to reach network 10.254.0.0/16 using PAT; that is also OK.

My problem is that my client on the outside zone network (172.17.5.0/24) needs to reach network 10.254.0.0/16, which is located in the ASD_VPN zone, and I am not able to get this reachability working. I have permitted and added (10.254.0.0/16) in the interesting traffic and nat (0), and have added the required permit statement in the outside access-list, yet without positive results.

What I exactly need is to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24.

Is this kind of Scenario Possible?

Please refer to my Simple Connectivity diagram and Partial config I have attached.

(2) I need to have the SSL VPN client installed on this ASA. What I understood is that my current ASA version doesn't support the SSL VPN client. What is the exact code to implement this feature? What are the licensing categories for this feature? And please provide me with a reference document to set it up (other than using ASDM).

Appreciate your Answer,

Regards,

Mohamed

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Mohamed,

Please find the answers to your questions below:

1]

From the description that you have provided I understand that you want users on remote subnet 172.17.5.0/24 to be able to access subnet 10.254.0.0/16 across a L2L tunnel terminating on the outside interface of your ASA. Also, you want the remote subnet users to get PATTED to the ASD_VPN interface ip before they can access the 10.254.0.0/16 subnet.

You can achieve the objective stated above by doing the following configuration on the ASA:

access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0

nat (ASD_VPN) 0 access-list 101

nat (outside) 2 172.17.5.0 255.255.255.0 outside

global (ASD_VPN) 2 interface

However, you need to make sure that the traffic destined for the 172.16.5.0/24 subnet from 10.254.0.0/16 is part of the crypto ACL to the remote peer on the ASA and the reverse of it is configured at the remote end.

Also, this traffic flow will only work when traffic is initiated from the remote subnet, i.e. 172.16.5.0/24, as it is getting PATTED on the ASA. If you would like this traffic flow to work bidirectionally then get rid of the "nat (outside)" statement from the configuration, which will in turn not PAT the traffic coming in from 172.17.5.0/24 to the ASD_VPN interface ip before going to the 10.254.0.0 subnet.

2] This question is outside the scope of this discussion; however, I will still answer your basic query on it. I would appreciate it if you could raise further questions on it in the VPN forum on CSC.

ASA 7.2.3 does support the SSL VPN client in full mode; however, it does not support the AnyConnect VPN client. AnyConnect is supported from 8.x. Please refer to the link given below to check the SSL VPN client configuration on ASA 7.x:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/svc.html

By default, Cisco provides a two-user complimentary SSL VPN license on all supported ASA devices. However, you will have to purchase a license if you want more SSL users to be supported on the ASA.

Hope this helps.

Regards,

Amitashwa

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amitashwa,

1) I have actually tried what you have suggested before, but with no positive result.

I am not allowing bidirectional communication through PAT; the traffic should always be initiated from my ASA. However, using packet tracer shows the packet flow, but the packet is being dropped due to (IPsec Spoof detected).

Still my question remains: my IPsec tunnel is over the Internet, so the client 172.17.5.0 traffic is encrypted when it reaches my internal network, while I am PATting my internal & outside network 172.17.5.0/24 to the client 10.254.0.0/16.

As I said, packet tracer shows no deny for any rule, but the traffic is still being dropped and the reason is (IPsec spoof detected).

Do you have any suggestion for this result?

2) for the Second question, Thanks for your input.

Regards,

Mohamed

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Mohamed,

I understand that you have the following setup with a L2L tunnel between the ASA and the remote peer:

         inside       outside

       ---------ASA -------------------Internet ---------------------------Remote Peer ----------------172.17.5.0/24

                  | ASD_VPN

                  |

               10.254.0.0/16

And here is what you want to achieve:

"What I exactly need is to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24."

I would appreciate it if you could provide me the following information to help you further:

1] When you say that you want to permit network 172.17.5.0/24 to be NATted after it is decrypted by IPsec, what exactly do you mean? Do you mean to say that you want the decrypted traffic (from the 172.17.5.0/24 subnet to 10.254.0.0/16) to get PATTED to the ASD_VPN interface before it actually gets to the 10.254.0.0/16 subnet?

2] When you say "...and vice versa for the return path, I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24", I understand that you only want this traffic to go through the tunnel to the remote side. Correct me if I have misunderstood anything here.

3] Output of the packet tracer command from the ASA.

4] Output of "show cry isa sa" and "show crypto ipsec sa peer".

Thanks,

Amitashwa

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Amitashwa,

I am attaching here the output of what you have requested, including the packet tracer output from both the OUTSIDE and ASD_VPN interfaces.

With regard to your questions:

1) Your understanding is correct.

2) Your understanding is correct.

Just one note: the traffic flow should always be initiated from the client 172.17.5.0/24 to network 10.254.0.0/16. However, it is still not getting positive results.

Regards,

Mohamed

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Mohamed,

Packet tracer is not the right way to test this traffic flow, as the packet generated by it would be clear text from outside to ASD_VPN and this might result in the IPSEC SPOOF detected message. Therefore I would like you to actually do a ping from 172.17.5.0/24 to 10.254.0.0/16 to test the connectivity. Also, if my understanding of the problem is correct then the commands that I suggested earlier are the only ones that we need to achieve the desired result.

Please let me know if you have the following command configured on the ASA:

nat (outside) 2 172.17.5.0 255.255.255.0 outside -- outside keyword at the end is important here

Regards,

Amitashwa

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amitashwa,

As soon as I type the command you are proposing, nat (outside) 2 172.17.5.0 255.255.255.0 outside, I lose connection to the peer.

I mean the IPsec tunnel is still active; however, no traffic (pings, for example) for any of the interesting traffic to network 172.17.5.0/24 works AT ALL. So the traffic gets dropped.

When I remove it, all traffic gets back to normal.

Any Clue,

Regards,

Mohamed

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Mohamed,

Do you see any syslog related to translation failed after applying the proposed NAT command? Try using this NAT command instead and let me know how it goes:

access-list 101 permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0

nat (outside) 2 access-li 101 outside

Regards,

Amit

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amit,

With the ACL associated with NAT, it worked like a charm!!! I just have one question for you:

1- While using nat (outside) 2 172.17.5.0 255.255.255.0, I did it before without adding the "outside" keyword at the end and thought it should bring up the connection, while it didn't. So the question is: what does the (outside) keyword actually do at the end of this nat statement?

For the ACL NAT, I realized that doing it with the network command would NAT all traffic sourced from network 172.17.5.0/24 coming from outside regardless of its destination, which in the end results in the IPsec spoof and the firewall drops the packet.

Thanks for your time to answer my question,

BTW, I have given you full rate as deserved.

Regards,

Mohamed

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Mohamed,

It is good to know that everything has started working for you now.

The "nat" command up to 8.2 is only used to translate the source and is always applied on the higher security level interface of the firewall. However, when we want to translate the source of traffic going from a low to a high security level, that is when we need to apply the nat command with the "outside" keyword to the low security level interface, along with a corresponding "global" command on the high security level interface. Since, in your case, the requirement was to translate the source of the decrypted traffic going from low to high security level, we needed this keyword along with the nat command.

Also, when we were not using the ACL with the "nat outside" command it was looking to translate any traffic sourced from 172.17.5.0 to anywhere on the inside, and since we did not have a matching "global (inside) 2" command applied on the inside interface, this traffic was getting dropped on the firewall.

Regards,

Amit
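The two answers above (the nat (ASD_VPN) 0 exemption plus nat (outside) 2 ... outside with a global on ASD_VPN, and the later switch from the network/mask form to the access-list form) can be replayed in a small model of the pre-8.3 source-NAT lookup. This is an added example, not Cisco's code or the thread's configuration: the security level of ASD_VPN, the interface addresses, the host addresses in the flows and the ACL numbering (the thread reuses 101 for both lists) are constructed; nat-control is assumed disabled so unmatched traffic passes untranslated, and rules are evaluated in list order after the nat 0 exemption check.

```python
"""Pre-8.3 ASA source-NAT lookup, modelled for the thread's 'nat (outside) ... outside' case.

Constructed for this example: security levels, interface addresses, host addresses and
ACL numbering. Simplifications: nat-control is assumed disabled, rules are consulted in
list order after the nat 0 exemption check, and only source translation is modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

# Constructed: the ASD_VPN level and both interface addresses are assumptions.
SECURITY_LEVEL = {"outside": 0, "ASD_VPN": 50, "inside": 100}
INTERFACE_IP = {"ASD_VPN": "10.254.254.1", "inside": "172.19.25.1"}

@dataclass(frozen=True)
class Ace:
    src: IPv4Network
    dst: IPv4Network

@dataclass(frozen=True)
class Nat:
    nat_id: int
    interface: str                        # interface the nat statement is applied to
    source: Optional[IPv4Network] = None  # network/mask form: matches ANY destination
    acl: Tuple[Ace, ...] = ()             # access-list form: matches source AND destination
    outside: bool = False                 # trailing "outside" keyword

@dataclass(frozen=True)
class Global:
    nat_id: int
    interface: str   # egress interface the pool belongs to
    pool: str        # "interface" = PAT to that interface's address, else a pool address

@dataclass(frozen=True)
class Flow:
    ingress: str
    egress: str
    src: IPv4Address
    dst: IPv4Address

def matches(rule: Nat, flow: Flow) -> bool:
    """A nat statement is consulted only for traffic entering its own interface."""
    if rule.interface != flow.ingress:
        return False
    if rule.acl:
        return any(flow.src in a.src and flow.dst in a.dst for a in rule.acl)
    return rule.source is not None and flow.src in rule.source

def translate(flow: Flow, nats: List[Nat], globals_: List[Global]) -> Tuple[str, Optional[str]]:
    """Return (action, source address after NAT)."""
    low_to_high = SECURITY_LEVEL[flow.ingress] < SECURITY_LEVEL[flow.egress]
    # nat 0 access-list (NAT exemption) is checked before any other nat statement.
    for rule in nats:
        if rule.nat_id == 0 and rule.acl and matches(rule, flow):
            return "exempt", str(flow.src)
    for rule in nats:
        if rule.nat_id == 0 or not matches(rule, flow):
            continue
        # Without the "outside" keyword a nat statement only applies to high->low traffic.
        if low_to_high and not rule.outside:
            continue
        for g in globals_:
            if g.nat_id == rule.nat_id and g.interface == flow.egress:
                new_src = INTERFACE_IP[g.interface] if g.pool == "interface" else g.pool
                return "translated", new_src
        # Matched a nat statement, but no global with that id exists on the egress
        # interface: the ASA drops the packet ("No translation group found" syslog).
        return "dropped", None
    return "untranslated", str(flow.src)  # nat-control disabled: forwarded unchanged

def thread_scenarios() -> dict:
    """Replay the two forms of the nat (outside) statement discussed in the thread."""
    exempt = Nat(0, "ASD_VPN", acl=(Ace(ip_network("10.254.0.0/16"), ip_network("172.17.5.0/24")),))
    pat_asd = Global(2, "ASD_VPN", "interface")
    # Network/mask form: matches traffic from 172.17.5.0/24 to ANY destination.
    nat_net = Nat(2, "outside", source=ip_network("172.17.5.0/24"), outside=True)
    # ACL form: only traffic from 172.17.5.0/24 to 10.254.0.0/16 is translated.
    nat_acl = Nat(2, "outside", outside=True,
                  acl=(Ace(ip_network("172.17.5.0/24"), ip_network("10.254.0.0/16")),))

    to_asd = Flow("outside", "ASD_VPN", IPv4Address("172.17.5.10"), IPv4Address("10.254.1.1"))
    to_inside = Flow("outside", "inside", IPv4Address("172.17.5.10"), IPv4Address("172.19.25.10"))
    back = Flow("ASD_VPN", "outside", IPv4Address("10.254.1.1"), IPv4Address("172.17.5.10"))
    return {
        "net_form_to_asd": translate(to_asd, [exempt, nat_net], [pat_asd]),
        "net_form_to_inside": translate(to_inside, [exempt, nat_net], [pat_asd]),   # tunnel broke
        "acl_form_to_asd": translate(to_asd, [exempt, nat_acl], [pat_asd]),
        "acl_form_to_inside": translate(to_inside, [exempt, nat_acl], [pat_asd]),   # untouched
        "return_path": translate(back, [exempt, nat_acl], [pat_asd]),
    }
```

The second scenario is the one that took the tunnel down: the network/mask rule claims every packet from 172.17.5.0/24 heading to inside, and with no global (inside) 2 the lookup fails, which is the syslog to look for before re-trying a NAT change.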

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi  Amit,

I need to clarify a few points about FWSM failover in multi-context mode, the same as is done in context-based failover on the Cisco ASA.

We have 2 FWSMs in 2 different chassis at Site A and Site B. The FWSM mod in site A is in Active mode and the other mod in site B is in Standby mode.

I want to set up 2 security contexts X and Y in the active FWSM which would get replicated to the standby FWSM.

Both contexts have separate inside and outside virtual interfaces and do not share any of their interfaces with each other.

We use static routing as dynamic routing is not yet supported in multi-context mode. Is that right?

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

Kashi

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Kashi,

Please find the answers to your questions inline:

I want to setup 2 security contexts X and Y in active FWSM which would get replicated to standby FWSM.

In order to create security contexts on the active FWSM you will have to convert it to multiple mode. When you change from single to multiple it takes the running configuration from the single mode and adds it to the admin context. Also, these contexts will only get replicated over to the standby firewall if it is in multiple mode as well.

You can refer to the link given below to configure the firewall in multiple context mode:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml

Both contexts have separate inside and outside virtual interfaces and do not share any of their interfaces with each other.

We use static routing as dynamic routing is not yet supported in multi-context mode. Is that right?

Yes, it is correct.

Here is the link that states the same:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/contxt_f.html#wp1116132

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

Yes, it is possible to share the external interface between 2 contexts in routed mode.

Here is an example for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314

Let me know in case of further questions or concerns.

Regards,

Amitashwa

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amit,

Thanks for the response.

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

You said yes, it's possible.

1. What happens if the shared interface switchport is down? Will the whole FWSM fail over?

2. Say each of the 2 contexts is meant for 2 customers A and B who need to have separate links. In this case, is a shared interface recommended, or separate internal and external interfaces for each context?

3. Both the links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to only fail over that single context, or again does the whole module fail over?

4. With dynamic routing not possible in multi-context mode, is it possible to make FWSM failover automatic? Or is it manual in any FWSM failover design type?

Kashi

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Kashi,

Please find the answers to your questions inline:

1. Is it possible to set up the 2 contexts to have 2 separate inside interfaces but a single common external interface? How? You said yes, it's possible. What happens if the shared interface switchport is down? Will the whole FWSM fail over?

Yes, in this case both the contexts will become Active on the standby firewall. However, this is only possible if the 2 contexts sharing the outside interface are configured in Active/Standby failover. In this case, if the shared interface goes down then both the contexts will fail over to the Standby unit.

FWSM cannot have a shared vlan interface in active/active failover if there are only 2 contexts on it. FWSM can have a shared vlan interface in active/active failover only if the shared vlan remains in the same failover group.

Here is a link that explains how Active/Active failover works:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1041964

2. Say each of the 2 contexts is meant for 2 customers A and B who need to have separate links. In this case, is a shared interface recommended, or separate internal and external interfaces for each context?

In this case I would suggest using unique internal and external interfaces in each context.

3. Both the links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to only fail over that single context, or again does the whole module fail over?

If it is Active/Standby failover in multiple context mode then, in case of any issues with any link belonging to any of the contexts, both the contexts will fail over to the Standby firewall. However, in case of Active/Active failover, if a link belonging to an Active context on one firewall goes down then the Standby context on the other firewall will become Active.

4. With dynamic routing not possible in multi-context mode, is it possible to make FWSM failover automatic? Or is it manual in any FWSM failover design type?

Dynamic routing has nothing to do with failover. Failover happens automatically in the case of FWSM depending upon unit/interface health monitoring.

Here is a link that talks about the same:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1042444

Regards,

Amit

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Thank you Amit for the response.

For the 4th question, regarding automatic FWSM failover, I think I did not put the question correctly; I will diagram it for you.

SiteA                                       SiteB

CoreSW1----CoreSW2------L2-----CoreSW3

      |                                             |

      |                                             |

ActFWSM1                             StndFWSM2

      |                                            |

      |                                            |

InetRTR1                                 InetRTR2         

      |                                            |

      | active link1                           | passive link2

      |------------Internetcloud--------------|

We have 2 FWSM mods in 2 separate chassis in SiteA and SiteB as shown above. Both modules are configured in Active/Standby mode, and the routers RTR1 and RTR2 are connected to the active and standby FWSM mods respectively. The routers are set up with HSRP for redundancy, with static routing for the local LAN and BGP with the ISP for multihoming.

The default route in the active FWSM is pointing to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to SiteB and then traffic comes over from

link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN

I'm looking to automate FWSM failover and I want your opinion on my solution, if it's correct; else suggest one:

Remove static routing on the routers, use dynamic routing and ensure the default route is injected into the active FWSM by dynamic routing on the routers, so that when the router is down the injected default route is removed and the FWSMs realize their upstream device/link is down and would fail over.

Thanks - Kashi

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Kashi,

The solution that you have in mind will not work because the firewall will not look at its routing table to determine the status of the upstream device/link in order to fail over. If the interface connecting to the upstream device is a monitored interface on the firewall then hellos will be sent out on this interface from both firewalls, and if either firewall does not receive hellos on this interface then they will run the following tests (in order) to check the status of the interface:

Link Up/Down test - Is the link up or down

Network Activity test - Am I receiving any traffic on this interface

ARP test - Generate ARP requests for the most recently learnt ARP entries on that interface

Broadcast Ping test - Generate a broadcast ping on that interface

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then this interface will be considered as failed, and if the threshold for failed interfaces is met, then a failover will occur.

In your case I would like to know if the interface/vlan connecting the FWSM to the router is being monitored or not. Also, is there a way for the hellos to be exchanged between the firewalls on the outside interface (as per the diagram I do not see any connection between the routers, like a trunk port or something)?

Regards,

Amit

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Thanks for the response Amit.

As I mentioned, each FWSM mod has 2 contexts, X and Y.

Each context has its own inside and outside interface, and context Y has a DMZ interface as well.

As part of the failover configuration, I have configured the following commands to monitor all the interfaces within a context:

monitor-interface inside

monitor-interface outside

monitor-interface dmz

Both the routers are interconnected using a Layer 2 link that connects both the sites, A and B. This link is where the hello packets are being shared between both the modules, and therefore the interface, I believe. Correct me if I'm wrong.

The routers are set up with HSRP on their interfaces connecting to the FWSM external interface, and the other interface connecting to the ISP is being tracked.

How can I rate your comments? I do not see any option.

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Kashi,

Your understanding about the hello packet exchange on the outside interface of the firewalls looks correct.

Also, you mentioned earlier that:

"The default route in the active FWSM is pointing to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to SiteB and then traffic comes over from

link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN"

So, help me understand the status of failover on the active FWSM when RTR1 goes down. Does the outside interface change state to Waiting or Failed when RTR1 goes down? Also, what is the interface policy set to for failover?

Regards,

Amit

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amit,

The interface policy is set to 50%, i.e. if any one interface goes down, FWSM failover should trigger.

When RTR1 goes down, say we reboot it, the FWSM context outside interface does not go down (don't know why) and we are therefore forced to manually fail over the FWSM.

When RTR1 goes down, as it is set up for HSRP, RTR2 takes over the active role. But as the FWSM does not fail over, traffic does not pass, and we are forced to fail over the FWSM, in which case both the standby FWSM and RTR2 become active and only then does traffic pass into the local LAN from outside.

A few questions:

a. As each context has virtual interfaces, would they ever go down?

b. Is the monitor-interface command to monitor the virtual interface in the context, or the switchport to which the virtual interface is mapped? Because even if I shut the switchport, the virtual interface is not going down.

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Kashi,

As soon as RTR1 goes down RTR2 takes over (it takes the virtual ip and mac from RTR1) as a result of which the FWSM does not see any change on its outside interface or does not drop any packets on that interface and thus does not fail over. In order to test failover in this case shut down the actual port on the switch that connects it to RTR1 and then check the status of "show failover" in the context. Also, you can apply captures in this context from active ip to standby ip and vice versa to check the hello packets on this interface.

Here is a doc that explains how to take captures off the FWSM:

https://supportforums.cisco.com/docs/DOC-1222

Here are the answers to your questions:

a. As each contexts has Virtual Interfaces, would they ever go down?

FWSM does not have any physical ports of its own. It only has logical interfaces in the form of vlans that are pushed to it from the switch. In case of failover on FWSM an interface would only show up as failed if it stops receiving hellos on that interface and then, during interface testing, all network tests fail for it but this interface on the other unit continues to successfully pass traffic. Unless a vlan that is getting pushed to the FWSM goes down on the switch it will not show up as down on the FWSM.

b. Is the monitor-interface command to monitor the virtual interface in the context, or the switchport to which the virtual interface is mapped? Because even if I shut the switchport, the virtual interface is not going down.

This command is used to monitor the interface assigned to the context in failover. Here is more information about this command:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/m.html#wp1765154

Regards,

Amit
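The interface test sequence listed a few posts up (Link Up/Down, Network Activity, ARP, Broadcast Ping), the "all tests fail while the other unit still passes traffic" rule restated in the answer above, and the interface policy Kashi mentioned can be put together in a small model. This is an added example, not Cisco's code: timers and hello intervals are not modelled, the sample interface states are constructed from the scenarios in the thread, and the policy is evaluated over the three monitored interfaces of one context with a ">=" comparison for the percentage form (both assumptions).

```python
"""Failover interface-health check as described in the thread, modelled in Python.

Added example, not Cisco's code. Timers and hello intervals are not modelled; the
percentage comparison and the sample interface states are assumptions.
"""
from dataclasses import dataclass
from typing import List, Union

@dataclass
class MonitoredInterface:
    name: str
    hellos_received: bool     # failover hellos from the peer still arrive on this interface
    link_up: bool             # test 1: Link Up/Down
    traffic_seen: bool        # test 2: Network Activity
    arp_reply: bool           # test 3: ARP request for recently learnt entries answered
    bcast_ping_reply: bool    # test 4: Broadcast ping answered
    passes_traffic: bool      # what the peer reports for its own copy of this interface

def interface_failed(local: MonitoredInterface, peer: MonitoredInterface) -> bool:
    """Failed only when hellos stop, every test fails, and the peer's interface is fine."""
    if local.hellos_received:
        return False                       # no testing is triggered while hellos arrive
    tests = (local.link_up, local.traffic_seen, local.arp_reply, local.bcast_ping_reply)
    if any(tests):
        return False                       # the first test that passes ends the sequence
    return peer.passes_traffic             # all failed here, but the other unit still forwards

def failover_triggered(local: List[MonitoredInterface], peer: List[MonitoredInterface],
                       policy: Union[int, str]) -> bool:
    """policy is a count (failover interface-policy 1) or a percentage string ("50%")."""
    failed = sum(interface_failed(l, p) for l, p in zip(local, peer))
    if isinstance(policy, str) and policy.endswith("%"):
        return failed * 100 / len(local) >= int(policy[:-1])   # rounding: assumption
    return failed >= int(policy)

def healthy(name: str) -> MonitoredInterface:
    return MonitoredInterface(name, True, True, True, True, True, True)

def kashi_scenarios() -> dict:
    """Context Y monitors inside, outside and dmz (the monitor-interface commands in the thread)."""
    peer = [healthy("inside"), healthy("outside"), healthy("dmz")]

    # RTR1 reboots but HSRP moves the virtual IP/MAC to RTR2: the outside vlan stays up,
    # traffic keeps flowing and hellos still cross the inter-site L2 link.
    hsrp = [healthy("inside"), healthy("outside"), healthy("dmz")]

    # Only the switchport to RTR1 is shut: the vlan itself stays up and hellos still
    # arrive over the trunk to site B, so the test sequence never starts.
    port_shut = [healthy("inside"),
                 MonitoredInterface("outside", True, True, False, False, False, True),
                 healthy("dmz")]

    # The outside vlan is down on the switch: no hellos, link down, no traffic, no ARP,
    # no broadcast-ping replies, while the peer's outside interface still forwards.
    vlan_down = [healthy("inside"),
                 MonitoredInterface("outside", False, False, False, False, False, True),
                 healthy("dmz")]

    return {
        "hsrp_takeover_50pct": failover_triggered(hsrp, peer, "50%"),
        "port_shut_50pct": failover_triggered(port_shut, peer, "50%"),
        "vlan_down_50pct": failover_triggered(vlan_down, peer, "50%"),   # 1 of 3 = 33%
        "vlan_down_policy_1": failover_triggered(vlan_down, peer, 1),
        "vlan_down_failed_count": sum(interface_failed(l, p) for l, p in zip(vlan_down, peer)),
    }
```

Under this model a single failed interface out of three monitored ones is 33%, short of a 50% policy, so the policy value in the context is worth checking alongside the interface state when a failover that "should" happen does not.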

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Amit,

Now that you know about our topology,

Can you please let me know the solution for how I can make the FWSM failover automatic?

Kashi

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

I have a website hosted on an internal web server (say 10.0.0.1) and would like to access it from inside using its external ip address (say 1.1.1.1) in the same way as I do it from the Internet. Also, I am doing port forwarding for traffic going to this web server so basically traffic comes on 443 for the outside ip (1.1.1.1) of the firewall and gets redirected to the internal ip (10.0.0.1) on 8443. So, basically the internal server is listening on 8443 for web traffic. Please let me know how can I get the website to work for a user who is on the inside of an ASA running 8.3.2 code on it.

Cisco Employee

Re: ASK THE EXPERTS : Configuring and Troubleshooting NAT and Fa

Hi Ratnesh,

Based on the description that you have provided I am assuming that when you do “nslookup” for the website from a machine on the inside network it gets resolved to its external ip address i.e 1.1.1.1.

Here are the commands that you need to configure on the ASA to achieve the desired objective:

1]

object network Server-Internal

host 10.0.0.1

nat (inside,inside) static 1.1.1.1 service tcp 8443 443

This command will redirect traffic destined for 1.1.1.1 on port 443 on the inside interface of the ASA to 10.0.0.1 on port 8443 back out the same interface.

2] same-security-traffic permit intra-interface

This command will allow the ASA to U-turn the traffic coming on its inside interface back out the same interface again.

3]

object network obj-10.0.0.0

subnet 10.0.0.0 255.255.255.0

nat (inside,inside) dynamic interface

This command will ensure that the source of the traffic gets PATTED to the inside ip address of the ASA so that the web server is forced to send the SYN-ACK back to the ASA otherwise the server would send it directly to the inside host and in that case the ASA would drop the ACK from the client as it would not have seen a SYN-ACK from the server going through it. This step is required to maintain the stateful behavior of the firewall.

Hope this helps. Let me know in case of further questions or concerns.

Regards,

Amitashwa

New Member

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi All,

Apologies if this sounds like the wrong thing to say on a Cisco Support forum, many people have so far asked if the ASA can do this and that and mostly the answer seems to be no.

Do we all think Cisco is trying hard enough to raise the profile of these devices? I have heard through the channel that they are concerned about not being strong in the firewall/security arena, yet they seem determined to do as much damage as possible themselves.

1. ISP load share - not available

2. Load Balanced Site to Site vpn

3. NAT from 8.3 onwards - complete mess

4. Passive FTP through firewalls from 8.3 on - doesn't work

Cisco really need to put the effort in now to raise their game. Checkpoint and Juniper must be laughing out loud

Cisco Employee

ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failov

Hi Robins,

Here is my take on the points raised by you:

1. ISP load share - not available

We don't support ISP load balancing on the ASA because we cannot configure more than 1 default route on the ASA, as it is by design not supposed to work like a router. However, as I mentioned earlier, we do support ISP fallback on the ASA, and there are workarounds to support ISP load balancing as well with the ASA, as specified in the links given below:

https://supportforums.cisco.com/docs/DOC-15622#comment-7229

https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have

2. Load Balanced Site to Site vpn

Again, by design L2L tunnels should terminate on the native outside ip address of the head-end ASA and not to the virtual ip or "vcpip" address of the ASA's in cluster. However, we do support this feature for remote access VPN as mentioned earlier.

3. NAT from 8.3 onwards - complete mess

NAT in 8.3 has been simplified and is pretty powerful. It gives us a lot more flexibility in configuring NAT as opposed to the previous versions of the ASA. However, this is a major migration step as the configuration style has been completely changed in it so we can see things breaking after the upgrade but then this is true of any major migration. Having said that I would like to mention that many of our customers have been able to successfully upgrade to 8.3 and are happy with it.

Here is a video that outlines the things that we need to know before upgrading to 8.3 on ASA:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/05/26/video-asa-83-upgrade--what-you-need-to-know

Also, here are a few links to configure nat on 8.3:

Configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html

ASA Pre-8.3 to 8.3 NAT configuration examples:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

4. Passive FTP through firewalls from 8.3 on - doesn't work

There is no known issue found in ASA 8.3 with passive FTP. There is a known issue with passive FTP; however, this only applies if the following conditions are met:

1) The ASA must be running version 8.4(1) or greater

2) The ASA must have multiple CPUs. ASA 5580 and 5585 platforms are affected by this problem. The ASA 5505, 5510, 5520, 5540 and 5550 platforms are NOT affected by this problem

3) The FTP connection must be subjected to port address translation (PAT) on the ASA. Connections subjected to static NAT, or connections that do not hit any NAT rule on the ASA will not encounter this problem.

Regards,

Amit
