Nat for outside Traffic

nicky0690
Level 1

Scenario:-

      ISP-A          ISP-B
        |              |
      RTR-A          RTR-B
        |              |
       PIX            ASA
         \            /
          \          /
           \        /
            SWITCH

RTR-A is acting as gateway to ISP-A while RTR-B is acting as gateway to ISP-B.

The PIX is doing NAT with the ISP-A global address, while the ASA is NATting with the ISP-B allotted global address.

The switch is configured with 2 default routes: one points to the PIX while the other points to the ASA.

Problem:-

When traffic is initiated from outside to the inside servers, it reaches the servers successfully, but the return traffic from the servers is load balanced on the switch. The firewalls drop the traffic due to the TCP check.

Possible Solution:-

Planning to implement NAT for outside traffic so that it is translated to a specific pool, so that specific routes can be added on the switch.

Please do let me know if this solution will work and if static (outside,inside) will work in this scenario. If possible, kindly share a configuration example.

Cheers,

Nikhil

Accepted Solution

varrao
Level 10

Hi Nikhil,

What is the ASA software version that you are running on the ASA? On the PIX you can try this:

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
static (inside,outside)

On the ASA, if the ASA code is pre-8.3, then the configuration would be the same; for post-8.3 it would be different.

This would ensure the switch routes the packets back to the correct destination.

Thanks,

Varun

Thanks,
Varun Rao


6 Replies


Hi Varun,

Thanks for the immediate response. I do have a query:-

1) Won't the above configuration translate all the outside traffic to a particular single IP or pool?

2) How to translate traffic sent from outside to Specific Server or Pool?

   For example:-

   Server Pool:- (PVT:192.168.16.0/24 GLOBAL:172.16.15.0/24)

   Outside Traffic to be translated to:- 192.168.20.0/24

3) Can we use PAT in such scenario?

PS: The PIX is running 7.2 while the ASA is on 8.2.

Cheers,

Nikhil

Hi Nikhil,

You can translate the IPs coming from outside into a single IP by doing PAT, or into a range of IPs by doing dynamic NAT, but I would recommend PAT, because that gives you the option of many simultaneous connections to your server.

Thanks,

Varun

Thanks,
Varun Rao

Hi,

What about the return traffic to outside from the server pool? How would the translation happen?

If possible, kindly share a configuration example.

Cheers,

Nikhil

Let's say your server address is 192.168.16.5 and it is NATted to the IP 172.16.15.5.

Then,

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 192.168.16.100
static (inside,outside) 172.16.15.5 192.168.16.5

Now if someone from outside accesses the server, their source IPs would be translated to 192.168.16.100; the server would see the request coming from this IP and send the response back. The switch, through a route to the PIX inside interface, would identify that this traffic should be sent to the PIX inside interface and send it back along the same route.

Once the packets reach the PIX, they would be untranslated and sent back to the source machine on the internet.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
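To see why the outside-NAT pool fixes the asymmetric return path, here is an added Python model (not part of this thread, the PIX or any Cisco software) that uses the thread's addresses: a client at the constructed address 203.0.113.10 hits the static for 172.16.15.5, and the switch either hashes the server's reply across its two default routes or follows the specific /32 route that the pool makes possible.

```python
import ipaddress
PIX, ASA = "PIX", "ASA"

class Firewall:
    """Stateful firewall with one inbound static and an optional outside NAT."""
    def __init__(self, name, static, outside_nat=None):
        self.name, self.static, self.outside_nat = name, static, outside_nat
        self.conns = set()  # (inside server, inside-view of client) pairs

    def inbound(self, src, dst):
        # static (inside,outside) GLOBAL LOCAL: untranslate the destination
        dst_in = self.static[dst]
        # nat (outside) ... outside + global (inside) POOL: translate the source
        src_in = self.outside_nat or src
        self.conns.add((dst_in, src_in))
        return src_in, dst_in

    def reply(self, src, dst):
        # A reply with no matching connection fails the firewall's TCP check
        return (src, dst) in self.conns

class Switch:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst, flow_hash):
        # Longest-prefix match, then per-flow hashing across equal-cost routes
        addr = ipaddress.ip_address(dst)
        best = max(n.prefixlen for n, _ in self.routes if addr in n)
        hops = [nh for n, nh in self.routes if addr in n and n.prefixlen == best]
        return hops[flow_hash % len(hops)]

def server_reply_accepted(outside_nat_pool, client="203.0.113.10"):
    """Return, per ECMP hash bucket, whether the server's reply gets through."""
    pix = Firewall(PIX, {"172.16.15.5": "192.168.16.5"}, outside_nat_pool)
    asa = Firewall(ASA, {})  # the ASA never saw the inbound SYN
    routes = [("0.0.0.0/0", PIX), ("0.0.0.0/0", ASA)]
    if outside_nat_pool:  # the specific route the thread proposes adding
        routes.append((outside_nat_pool + "/32", PIX))
    switch = Switch(routes)
    src_in, dst_in = pix.inbound(client, "172.16.15.5")
    results = []
    for bucket in (0, 1):  # whichever default route the switch hashes to
        fw = {PIX: pix, ASA: asa}[switch.next_hop(src_in, bucket)]
        results.append(fw.reply(dst_in, src_in))
    return results

if __name__ == "__main__":
    print("no outside NAT:", server_reply_accepted(None))             # [True, False]
    print("outside NAT   :", server_reply_accepted("192.168.16.100"))  # [True, True]
```

Without the pool, the reply to 203.0.113.10 only matches the two default routes, so half the flows land on the ASA, which holds no state for them; with the pool, every reply to 192.168.16.100 follows the /32 back to the PIX that built the connection.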

Hi,

But this configuration will translate all the outside traffic to 192.168.16.100, even traffic destined to LAN users.

How can one achieve this without translating the outside traffic for LAN users?

Will the below configuration work?

==========================================================

nat (outside) 1 access-list OUTSIDE-TO-SERVER outside
global (inside) 1 192.168.16.100
static (inside,outside) 172.16.15.5 192.168.16.5
access-list OUTSIDE-TO-SERVER extended permit ip any host 192.168.16.5

==========================================================

Thanks,

Nikhil
