
ASA 8.3 NAT Issue

Dear all,

I'm at my wits' end, perhaps someone can take a moment to look into this.

I want to NAT one ( ! ) single inside host on a different WAN/ ISP interface ( of which I have two ) .

The first one is a /29-addressed static SDSL 2,3 MBit link, the 2nd one a 16 MBit ADSL line with one static IP. Both interfaces are DIFFERENT carriers ( Versatel = ifname outside and Ecotel = ifname ecotel ).

( The SDSL line is used to NAT/PAT all other hosts except the one in question. )

( Inside Userland is 172.16.0.0/24 and 192.168.20.0/24. )

Both lines are firing on all cylinders, but I can't get any traffic through the ecotel ADSL interface from the client in question.

The SDSL line works as expected.

Routing is:

C    172.16.0.0 255.255.0.0 is directly connected, inside

S    192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside

C    213.138.48.24 255.255.255.252 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

I added a 2nd default route with metric 2 pointing to the 2nd ISP, resulting in:

out  0.0.0.0         0.0.0.0         via [PPPoE server IP according to debug output] , ecotel

interface Ethernet0/2

description Uplink Ecotel

nameif ecotel

security-level 0

pppoe client vpdn group ecotel

ip address pppoe

object network SC

host 192.168.20.4

description SC

object network SC

nat (inside,ecotel) dynamic interface dns

The packet tracer routes a simulated packet from the SC Object via inside to outside....

Can someone shed some light on this ?

1 ACCEPTED SOLUTION


Re: ASA 8.3 NAT Issue

Wow a light bulb just clicked on. John said it. If the ASA were to translate the source to the ecotel interface ip, it would not have a route to send the traffic to after doing so.

In my opinion, you cannot do what you want to do. You have to find a different way to split the load.

eg: route 0.0.0.0 128.0.0.0 outside

     route 128.0.0.0 128.0.0.0 ecotel

I don't even know if that's going to work.

52 REPLIES

Re: ASA 8.3 NAT Issue

object network SC

nat (inside,ecotel) dynamic interface dns

What does the 'dns' part do? Sorry, my 8.3 ASA configuration is a little iffy, I'm still used to < 8.3.

If you ping an outside ip address from host 192.168.20.4, and set a capture does it show anything?

Also, do you see any active translation for that specific nat when you try?

I know you're translating 192.168.20.4 to whatever the interface of ecotel is, I'm just not sure what the 'dns' option does.


ASA 8.3 NAT Issue

Hi,

the problem is that the ASA doesn't support multiple default routes unless you have one as a failover backup route and the primary is tracked with IP SLA.

So it can't work to my best knowledge.

Regards.

Alain

Don't forget to rate helpful posts.

Re: ASA 8.3 NAT Issue

John,

thanks for your feedback. The DNS option does some mangling on the DNS record once the xlate is written. Omitting it yields no other result. So it shouldn't have any impact on what I'm trying to piece together.

Here we go:

[capt test int ecotel tra] -> buffered

Ping from 192.168.20.4 to 194.25.2.130 :

ICMP echo request from inside:192.168.20.4 to outside:194.25.2.130 ID=768 seq=17408 len=32

( The ASA records the requests as being sent )

( The ASA records them being sent via OUTSIDE which is the wrong interface )

( The Host itself does not receive echos, but see below: )

sho capt test:

1: 14:52:10.230777 PPPoE Session ID 5346 len 10 PPP LCP: Echo Request

2: 14:52:10.238085 PPPoE Session ID 5346 len 10 PPP LCP: Echo Reply

The host STILL does not receive echos, BUT the capture records them as being RECEIVED via the ecotel interface.

Looks like these just don't find their way back somewhere in the code.

Ehm, yes.....dazed and confused.

EDIT:

to Alain: Please look at the last example in https://supportforums.cisco.com/docs/DOC-15622.

This is roughly what I'm trying to achieve, why shouldn't this be possible ?

Re: ASA 8.3 NAT Issue

Cadet may very well be right. What ASA model do you have, and which license?

Re: ASA 8.3 NAT Issue

Can you post the configuration of your multiple default route statements and/or your complete routing table?

Just make sure to sanitize the configuration so the public doesn't see anything you don't want them to.

EDIT

-------

From doing some research, it appears that you can do multiple default routes..

Re: ASA 8.3 NAT Issue

Sorry it's early and I'm having a retard moment.

S*   0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

Can you post the other static default route?

It seems that traffic is not using the second default route, for internet traffic.


Re: ASA 8.3 NAT Issue

it is a 5510 /w base LIC.

I have of course read that ISP failover isn't in our license, but that's not what I want.

192.168.20.4 is a proxy server concentrating the WWW traffic which I want to bypass the SDSL line we've outgrown.

I know that source-based routing / PBR isn't a job an ASA was designed to do; so why not NAT a proxy to a different WAN line when you can't separate the transport via PBR?

I cannot paste the entire config here because of some certs in there etc., but here's what might be of interest:

ROUTING:

route outside 0.0.0.0 0.0.0.0 213.138.48.1 1

route ecotel 0.0.0.0 0.0.0.0 195.52.218.239 2

route inside 192.168.20.0 255.255.255.0 172.16.1.1 1

show asp route table:

in   255.255.255.255 255.255.255.255 identity

in   public_IP_SDSL   255.255.255.255 identity

in   172.16.1.111    255.255.255.255 identity

in   PUBLIC_IP_ADSL  255.255.255.255 identity

in   PUBLIC_IP_SDSL_CARRIER_GATEWAY 255.255.255.252 outside

in   192.168.20.0    255.255.255.0   inside

in   172.16.0.0      255.255.0.0     inside

in   0.0.0.0         0.0.0.0         outside

out  255.255.255.255 255.255.255.255 ecotel

out  224.0.0.0       240.0.0.0       ecotel

out  0.0.0.0         0.0.0.0         via PUBLIC_IP_ECOTEL_NEXT_HOP, ecotel

out  255.255.255.255 255.255.255.255 management

out  224.0.0.0       240.0.0.0       management

out  255.255.255.255 255.255.255.255 inside

out  192.168.20.0    255.255.255.0   via 172.16.1.1, inside

out  172.16.0.0      255.255.0.0     inside

out  224.0.0.0       240.0.0.0       inside

out  255.255.255.255 255.255.255.255 outside

out  PUBLIC_IP_SDSL_CARRIER_SOME_OF_THEIR_IP 255.255.255.252 outside

out  224.0.0.0       240.0.0.0       outside

out  0.0.0.0         0.0.0.0         via SDSL_CARRIER_NEXT_HOP , outside

out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity

out  ::              ::              via 0.0.0.0, identity

Re: ASA 8.3 NAT Issue

Well, I've had a similar issue on an ASA at work. Several of our machines needed to access an outside connection, but the default route goes out another way, in which case this will not work. I can't do PBR on the ASA, so I had to add a static route, but since PBR can't be used that route is for everyone, if you know what I mean.

When you ping an outside connection it's going out outside because that static default route has priority.

Re: ASA 8.3 NAT Issue

route outside 0.0.0.0 0.0.0.0 213.138.48.1 1

route ecotel 0.0.0.0 0.0.0.0 195.52.218.239 2

From this configuration, I would think anything matched the default route would go out of interface outside and not interface ecotel. The default route for the outside interface has a better metric than the one for ecotel.


Re: ASA 8.3 NAT Issue

The routing table is pasted above.

The ecotel provider is interesting. They gave us a fixed IP but the protocol won't come up until I set it to negotiate ( which yields the IP they gave us ).

Once I did that, it came up and I omitted the setroute because I didn't want to mess with the main link, that is, having a new default WAN route screwing my setup.

Moreover, the guys refused to give me their next hop/gateway ID; I was asking them and they told me ( no joke ) it is 192....  So I looked at the interface config and it tells me that the line's remote is [NNNN] which I used as the routing target for the ADSL. ( Should I REALLY be using a different IP for that, I mean is NNNN not the required gate ?)

I agree with you that the outside metric is better ( 1 ), but how else would I tell the ASA to use another interface except from NAT which I thought would force this route because of  NAT ( srcif, dstif ) ?

Re: ASA 8.3 NAT Issue

Well a 192.0.0.0 is a perfectly routable address. I think what you're talking about is 192.168.0.0 255.255.0.0. The reason they gave you a fixed IP, is it's probably using DHCP, but has a reservation for the mac address of that interface, unless they gave a dhcp pool with just 1 ip address, which is possible.


Re: ASA 8.3 NAT Issue

I think it's the latter because they didn't know the MAC unless I switched on my modem here which wasn't supplied by them.

Well, perhaps someone else has an idea on what must be done to get it up and running.

Re: ASA 8.3 NAT Issue

I got an idea.....

S    192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside

According to that static route statement, the 192.168.20.0/24 network is reachable via the inside interface on 172.16.1.1.

Where is the vlan interface for the 192.168.20.0/24 network? You could in theory, create a PBR on the switch with this vlan interface (if you can via IOS), for anything with a source of 192.168.20.4 and have a next hop of whatever the ecotel next hop is.

Correct me If I'm wrong guys.....


Re: ASA 8.3 NAT Issue

John,

this would bypass the ecotel interface again, because the ASA's default route still points to the SDSL line... if I'm right.

I still gaze at https://supportforums.cisco.com/docs/DOC-15622 - this would be pretty ideal if I could manage to shrink the source down to ONE certain IP but I cannot figure how to do that in 8.3.

Re: ASA 8.3 NAT Issue

Well, if you set the next-hop to the next hop on the ecotel line, the ASA should have a specific route for that network, and should ARP for the default gateway on the other end, I would think...


Re: ASA 8.3 NAT Issue

Hi John,

the scenario is as follows, the above picture was not complete because I thought things to be..ehm, easier.

192.168.20.0/24 --> [e0/0] C2611XM [e0/1] 172.16.1.0/16 -> {---DMZ---} -> 172.16.1.111 [e0/0] ASA
                                                                                       [e0/1] ASA -> SDSL (versatel)
                                                                                       [e0/2] ASA -> ADSL (ecotel)

I've been toying around with PBR a fair bit; before I put this live I'd like you to confirm that the following IOS code on the 2611 will most probably work. It's production time right now and I cannot touch the interface config without users complaining.

ip access-list extended ecotel permit ip host 192.168.20.4 any ( defines which host is subject to PBR )

route-map ecotel permit 10

match ip address ecotel

set interface [e0/1] ( this is the one pointing inwards into the DMZ 172.16.... )

set ip next-hop A.A.A.A ( this is our fixed IP on the e0/2 on the ASA, not the default Gate, correct ? )

interface [e.0/0] ( to which the 192.168.20.4 host is directly connected ) finally runs this policy with ip policy route-map ecotel.

Re: ASA 8.3 NAT Issue

Is the vlan interface for 192.168.20.0/24 on the 2611XM?


Re: ASA 8.3 NAT Issue

The 2611XM is in turn connected to a stack of 2950 switches, on one of them is a VLAN port group forming the DMZ. The 172.16... leg of the router is connected to this group while the 192.168.20.0/24 leg of the router is connected to a port which does not belong to this VLAN.

Re: ASA 8.3 NAT Issue

The above config seems fine Dan, I would put it on the vlan interface of the 192.168.20.0/24 network. Wherever its default gateway is, I would put the policy route on that router. Just make sure to do this off hours / in a maintenance window. Also, always keep backups; that way you can easily revert if it doesn't work or other problems appear.


Re: ASA 8.3 NAT Issue

Thanks John,

I will try as soon as possible. From what I have read, the PBR ingress interface ( the one with the policy statement ) is ( mostly ) the default gate of the segment from where I want to reroute certain packets. Because the gate of 192.168.20.0 is .2 ( which is the 2611XM )  - let's see what the upshot is.....


ASA 8.3 NAT Issue

I have not read every single post but here is my opinion.

Somewhere you have in the config the following or something similar.

nat (inside,outside) dynamic interface

It is likely in section one of the nat table. If it is under the object nat section, I don't think you can reorder this section but I am not sure. Do some research on this. I think the basic problem is that the above is coming before the one you want to go to the ecotel interface. There is a section 3 of the nat table to force the above to come after the object nat.

PBR will not work from any device which is behind the device that is connected to the next hop you want to use. Don't waste your time with this. PBR only works when the next hop you want to use is directly connected to the device you are configuring PBR on.

Another way to do it might be to use PBR but direct the traffic to another inside interface on the ASA. Then nat from that interface to ecotel.

Cheers.


Re: ASA 8.3 NAT Issue

Garry,

thanks for sharing your thoughts here. I've considered bringing another interface ( dedicated ecotel NAT ) on the ASA to life as an option, too. From what I've experienced I really cannot order the NAT statements. The PBR device in question is located before the ASA, meaning that the ASA is directly connected to the 2611 because both live in the 172.16.... range.


Re: ASA 8.3 NAT Issue

Section 1 can be ordered. They are ordered by the order in the config.

Section 2 is ordered by the ASA.

Section 3 is ordered similar to section 1, but when adding a rule you can specify a line #.

One more thing, In 8.4(2) and later they changed a bunch of stuff as well with regard to all this.

With PBR, on the 2611, your next hop can only ever be the ASA. I am not sure if you can even specify a non direct connected next hop. If you can it will look it up and route it to the correct next hop by using recursive lookup and resolve to the ASA and you will be no further ahead. 

When I read the following in the 8.4/5 command reference it implies that the ASA by default uses the interface specified by the nat command as the egress interface. You can use route-lookup to override this behavior. I really believe your problem is with the order of processing of your nat rules.

route-lookup

(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.
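Added example, not from the thread or from Cisco: a small Python model of the two mechanisms this thread argues over, the routing table's choice between the two default routes and the NAT table's first-match lookup, with section 2 sorted the way the ASA orders object NAT (static before dynamic, then fewest real addresses, then lowest address, then object name). Only the routes and SC's 192.168.20.4 come from the thread; the other object prefixes and the blanket section-1 rule in the note below are constructed, and the model ignores destination matching and the route-lookup keyword.

```python
import ipaddress

# Routing table as posted in the thread. Two default routes: outside has the
# better metric, so a plain route lookup always sends Internet traffic there.
ROUTES = [
    ("0.0.0.0/0", "outside", 1),
    ("0.0.0.0/0", "ecotel", 2),
    ("192.168.20.0/24", "inside", 1),
    ("172.16.0.0/16", "inside", 0),  # connected, metric 0
]

def route_lookup(dst):
    """Longest prefix wins; on a tie the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, m) for p, iface, m in ROUTES]
    matches = [c for c in matches if ip in c[0]]
    best = max(matches, key=lambda c: (c[0].prefixlen, -c[2]))
    return best[1]

# NAT rules: (section, kind, object, real prefix, ingress iface, egress iface).
# Section 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after auto.
# Only SC's address is from the thread; the other prefixes are constructed.
RULES = [
    (2, "static", "LX0", "172.16.1.10/32", "inside", "outside"),
    (2, "dynamic", "test", "172.16.0.0/16", "inside", "outside"),
    (2, "dynamic", "SC", "192.168.20.4/32", "inside", "ecotel"),
    (2, "dynamic", "Wireless", "10.9.0.0/24", "any", "outside"),
]

def section2_key(rule):
    """Auto-NAT order: static before dynamic, fewer real addresses first,
    then lowest real address, then object name alphabetically."""
    _, kind, name, real, _, _ = rule
    net = ipaddress.ip_network(real)
    return (kind != "static", net.num_addresses, int(net.network_address), name)

def nat_table(rules):
    """Sections 1 and 3 keep configured order; section 2 is sorted by the ASA."""
    s1 = [r for r in rules if r[0] == 1]
    s2 = sorted((r for r in rules if r[0] == 2), key=section2_key)
    s3 = [r for r in rules if r[0] == 3]
    return s1 + s2 + s3

def egress_interface(src, dst, ingress, rules=RULES):
    """First NAT rule matching the real source decides the egress interface;
    with no matching rule, fall back to the routing table."""
    ip = ipaddress.ip_address(src)
    for _, _, name, real, rin, rout in nat_table(rules):
        if rin in (ingress, "any") and ip in ipaddress.ip_network(real):
            return rout, name
    return route_lookup(dst), None
```

With the posted rules, egress_interface("192.168.20.4", "194.25.2.130", "inside") returns ('ecotel', 'SC'); prepend a constructed section-1 rule covering all inside hosts towards outside and the same call returns outside with SC never hit, which is the situation Garry describes and matches the zero hit count on rule 5 in the posted show nat.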

Re: ASA 8.3 NAT Issue

Thanks for the clarification on PBR, Garry.


Re: ASA 8.3 NAT Issue

Thanks Garry.

What is your suggestion on what to do next ?

Try the PBR anyway or rearrange the NAT statement in working order ?

Upgrade  to 8.4(n) ?

Use a dedicated interface for the 2nd line ?


Re: ASA 8.3 NAT Issue

My immediate suggestion is for you to give us a show run nat and a show nat for completeness.

If you need to hide anything, just overwrite with x.x.x.x any IPs or service ports on the outside you don't want to publish.


Re: ASA 8.3 NAT Issue

Garry,

I will post the config tomorrow morning ASAP.


Re: ASA 8.3 NAT Issue

Morning Guys,

sho nat:

1 (inside) to (outside) source static LX0 [PUBLIC_IP] dns

    translate_hits = 2691154, untranslate_hits = 570806

2 (inside) to (outside) source static MTA1 [PUBLIC_IP] dns

    translate_hits = 286601, untranslate_hits = 787384

3 (inside) to (outside) source static SMB0 [PUBLIC_IP] dns

    translate_hits = 53374, untranslate_hits = 1088

4 (inside) to (outside) source static Thermograph [PUBLIC_IP] dns

    translate_hits = 18, untranslate_hits = 862

5 (inside) to (ecotel) source dynamic SC interface dns

    translate_hits = 0, untranslate_hits = 0

6 (inside) to (outside) source dynamic MOBIL19 interface dns

    translate_hits = 15060, untranslate_hits = 2514

7 (inside) to (outside) source dynamic MOBIL5 interface dns

    translate_hits = 22920, untranslate_hits = 3088

8 (inside) to (outside) source dynamic MOBIL16 interface dns

    translate_hits = 4954, untranslate_hits = 440

9 (inside) to (outside) source dynamic PB_300c interface dns

    translate_hits = 49, untranslate_hits = 0

10 (inside) to (outside) source dynamic SMB2 interface dns

    translate_hits = 10405, untranslate_hits = 6

11 (inside) to (outside) source dynamic test interface dns

    translate_hits = 343558, untranslate_hits = 39562

12 (inside) to (outside) source dynamic PBX0 interface

    translate_hits = 342224, untranslate_hits = 482

13 (any) to (outside) source dynamic Wireless interface

    translate_hits = 22543, untranslate_hits = 1423

sho run nat:

object network test

nat (inside,outside) dynamic interface dns

object network MTA1

nat (inside,outside) static [PUBLIC_IP] dns

object network LX0

nat (inside,outside) static [PUBLIC_IP] dns

object network Thermograph

nat (inside,outside) static [PUBLIC_IP] dns

object network PBX0

nat (inside,outside) dynamic interface

object network Wireless

nat (any,outside) dynamic interface

object network SMB0

nat (inside,outside) static [PUBLIC_IP] dns

object network PB_300c

nat (inside,outside) dynamic interface dns

object network SC

nat (inside,ecotel) dynamic interface dns

object network SMB2

nat (inside,outside) dynamic interface dns

object network MOBIL5

nat (inside,outside) dynamic interface dns

object network MOBIL16

nat (inside,outside) dynamic interface dns

object network MOBIL19

nat (inside,outside) dynamic interface dns

Re: ASA 8.3 NAT Issue

Garry, please correct me if I'm wrong, but I'm assuming that the ASA will match the first NAT statement that certain traffic is matched by, and take that one, kinda like an ACL so to speak? As well as taking a more specific NAT entry over a more generic one?

object network test

nat (inside,outside) dynamic interface dns

From looking at this, it's first in the list, and is running dynamic PAT.

So I guess if you did a

object network ecotel

nat (inside,ecotel) dynamic interface dns (if you want DNS rewrite as well)

object network test

nat (inside,outside) dynamic interface dns

???
