Static NAT on backup Internet - Asymmetric?

Hi guys,

I am currently working on converting WatchGuards to ASAs. The current WatchGuard is set up with two Internet connections. One is the primary, the other is the secondary.

All outgoing connections go out the primary (listed as #1 on the WAN failover section). However, all the NATs/PATs come in on the secondary. This is currently working. According to watchguard: "Reply packets will always go out the interface on which the initial packet came in."

 

Can this be done on an ASA? I believe if this was set up on an ASA, the return traffic will always go back to the routing table, and route out the default route (which is the primary). This will work if "ip verify reverse-path interface" is disabled. But the traffic will be asymmetric.

 

Is it possible to make "reply packets always go out the interface on which the initial packet came in", so that the traffic is not asymmetric?

 

Thanks in advance!

1 ACCEPTED SOLUTION

Hi,

 

If you have an ASA with 2 WAN links then OUTBOUND connection initiation only follows the active default route.

 

However, if you have Static NAT configured for hosts and INBOUND connections come from the external network towards this Static NAT IP address then the return traffic from the actual host OUTBOUND will be forwarded using the existing XLATE on the ASA.

 

This can be confirmed from the ASA Configuration Guide also (Quote below)

 

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.

 

The source for the above quote can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/route-overview.html#pgfId-1146023

 

Though it still confuses me a bit. The above quoted section first talks about "Incoming return packets" for the Dynamic translations that will follow the translation, and after that, when they mention Static translations, they only mention "incoming packets", so that would lead me to believe they were only referring to the initial incoming packet and that it would be forwarded according to the matching XLATE for the destination IP address of that packet. Though to my understanding what you are asking should work. (You can find multiple posts about it online.)

 

If you want to use both WAN links for outbound connections then I guess the most typical way of doing that is configuring the other WAN link as a failover WAN link, though this does not help when you want to utilize them at the same time.

 

In those situations you usually hit a wall with the ASA unless you can specify with static routes the destination networks which you want the ASA to use the other WAN link. Depending on what external resources are used this might or might not be possible.

 

There is (or at least has been) an option to use NAT configurations (8.3+ software levels) to forward traffic to different interfaces depending on their source address. So kind of like PBR. Initially this worked fine with the later 8.4(x) releases (I tended to use 8.4(5)) but later on people started reporting that the ASA would not follow this logic anymore even though it's exactly as Cisco describes it should happen. (Unless there is some kind of misunderstanding somewhere.)

 

But to my understanding if your requirement is that both WAN links can be used at the same time for INBOUND connections for Static NATed hosts then that should work.

 

Hope this helps :)

 

Please do remember to mark a reply as the correct answer if it answered your question. Feel free to ask more if needed.

 

- Jouni

8 REPLIES
Thanks Jouni. I'm assuming the same applies for Port forwards?

Hi,

 

Yes it should as there is an existing xlate/translation for it too on the firewall and the return traffic for the connection matches this same xlate/translation on the firewall.

 

- Jouni

Thanks Jouni. There's only one more thing that doesn't make sense.

In my test case, if I have "ip verify reverse-path interface blah" enabled on the firewall's primary outside interface, the NAT/PAT does not work on the backup internet interface.

This almost suggests the incoming traffic comes in on the backup, and then out the primary. Any thoughts on this?

Hi,

 

The command that you refer to is used to configure the ASA in a way that it checks that the incoming packet is coming from the correct source interface.

 

For example, if you had a LAN network of 10.0.0.0/24 and traffic comes to the ASA from some other interface with a source IP address belonging to that network, then the ASA will block it.

 

So I assume that your problem (if having that configuration enabled for the interfaces) stems from the fact that you have the active default route on the other ISP link, and so it expects traffic from all unknown source IP addresses (that are not part of some specific network/subnet route in the ASA's routing table) to come through that ISP link and not the other ISP link, and therefore drops the traffic.

Do you have a default route configured for the other ISP link? I mean with a worse metric than the one in use?


For example

 

route isp-1 0.0.0.0 0.0.0.0 1.1.1.1

route isp-2 0.0.0.0 0.0.0.0 2.2.2.2 2


If you don't have the second default route (remember the worse metric value at the end, 2 in this case, can be something higher also) you could try adding it and see if it has any effect.

 

I guess you would also see the difference if you were connecting from a specific public IP address on the Internet and routed that IP address on the ASA through the ISP2 link.

 

Though I guess it's good to be careful if you are going to test something like this so you don't affect your connection to the ASA or even the ASA's traffic forwarding. :)

 

- Jouni

Hi Jouni,

I do already have a secondary route, along with a track:

route outside-comcast 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route outside 0.0.0.0 0.0.0.0 y.y.y.y 250

After thinking about this more...

even if I have "route outside 0.0.0.0 0.0.0.0 y.y.y.y 250", that route is not in the active routing table, unless "route outside-comcast 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1" goes down.

So when traffic comes in on the "outside"/backup interface, the ASA will check its routing table and see no route going to "outside", since the active default route is going out "outside-comcast". Thus, it will drop the traffic when "ip verify reverse-path interface" is on.

Hi,

 

I guess then the problem is simply the fact that even if you have 2 default routes, only one of them can be active at a time and present in the routing table so for that reason the traffic is blocked from the secondary ISP link while primary is in use.

 

I guess the only way to test would be to have a specific route for some IP address through the ISP2 for which there is no need to have access through the ISP1 so you could test if the traffic is still blocked.

 

I guess you are not able to use the "ip verify reverse-path" configuration for your WAN interfaces, at least in this setup.

 

- Jouni
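As an added example that is not part of this thread, the following ASA configuration (8.3+ object NAT syntax) puts together what the accepted answer and the last two replies describe: a tracked primary default route, a floating backup default route, static NAT and static PAT published on the backup ISP's address space (return traffic follows the xlate, not the routing table), and uRPF kept off both WAN interfaces because only one default route is ever installed. The interface names follow the OP's; the addresses (198.51.100.0/24, 203.0.113.0/24, 10.0.0.0/24), the host names, the probe target and the test route are assumptions.

```cisco
! --- Interfaces (assumed addressing, RFC 5737 documentation ranges) ---
interface GigabitEthernet0/0
 nameif outside-comcast
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- Reachability probe behind "track 1": ping the primary ISP next hop ---
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside-comcast
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! --- Default routes: tracked primary, floating backup (metric 250) ---
! Only ONE of these is ever in "show route"; the backup is installed
! only when track 1 goes down. That is why uRPF on "outside" drops
! inbound packets while the primary is up.
route outside-comcast 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! --- Static NAT on the BACKUP ISP (assumed hosts) ---
! The inbound SYN creates a connection against this xlate; the server's
! replies are forwarded out "outside" by the xlate, not by the default route.
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Static PAT (port forward) behaves the same: one xlate, same egress interface.
object network rdp-host
 host 10.0.0.20
 nat (inside,outside) static interface service tcp 3389 3389
!
! ACLs use real (untranslated) addresses on 8.3+.
! The first line gives back some anti-spoofing on the WAN side, since
! "ip verify reverse-path" is not applied there.
access-list outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any object web-server eq 80
access-list outside_access_in extended permit tcp any object rdp-host eq 3389
access-group outside_access_in in interface outside
!
! --- uRPF: keep it on inside, NOT on either WAN interface ---
ip verify reverse-path interface inside
!
! Optional test, as suggested above: route a single known source through
! the backup ISP so a probe from it would pass a reverse-path check.
! (Assumed test source 192.0.2.50; remove after testing.)
! route outside 192.0.2.50 255.255.255.255 203.0.113.1 1
!
! --- Verification ---
! show route                      -> exactly one 0.0.0.0/0, via outside-comcast
! show track 1                    -> Reachability is Up
! show xlate                      -> static NAT/PAT entries for the two hosts
! show conn address 10.0.0.10     -> inbound conns listed as outside <-> inside
! show ip verify statistics       -> counts any uRPF drops if it is re-enabled
```

The trade-off is explicit: dropping uRPF from the WAN interfaces removes the ASA's automatic anti-spoofing check there, so the deny line for the inside prefix (and any other prefixes that must never appear as a source on the WAN side) is what stands in for it. If both default routes must coexist for uRPF purposes, that needs an equal-cost or PBR design that this thread says the ASA does not offer for this case.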
