Cisco Support Community

New Member

Is an extra layer of NAT okay?

We have an ASA going to a router that is connected to two ISPs, but no BGP. The ASA is using PAT with an IP from ISP-1, so even when traffic is routed out to ISP-2, it comes back via ISP-1. Is it okay to do PAT again on the ISP-2 interface, so traffic will come back to this interface?

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Re: Is an extra layer of NAT okay?

David

The voice of experience says it should work OK. I have a customer where we have a very similar situation. The customer traffic passes through a firewall where the addresses are translated using address space from the primary service provider and forwarded to the router with the connections to a couple of service providers. If the traffic is to be forwarded to the second provider then we translate it again. This is working fine for us.

HTH

Rick

4 REPLIES
Hall of Fame Super Blue

Re: Is an extra layer of NAT okay?

If the applications work okay with PAT in the first place then there should be no problem with doing PAT on the packet again.

Jon

New Member

Re: Is an extra layer of NAT okay?

Yep, that is what I thought also, just wanted to hear others' opinions.

Thanks very much.

Gold

Re: Is an extra layer of NAT okay?

The issue you may have is how you decide to route traffic out ISP-1 and ISP-2.

If a single user machine could go out either interface and therefore appear on the internet as two different source addresses, you may have an issue. For most things there are no issues, but one example would be: if traffic to server A goes out ISP-1 and is NATed to IP address X, and traffic to server B goes out ISP-2 and is NATed to IP address Y, and the application on server A authenticates your IP X and then tells server B to allow this IP, then when your traffic actually gets to server B using address Y it will be rejected.

To avoid things like this you need to make sure a single inside machine always appears as the same address. It is a little tougher in your case because the router cannot see the original IP that the ASA NATed.
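
Added example, not configuration posted by anyone in this thread: an IOS-style router configuration for the setup David describes, where the ASA already PATs everything to an ISP-1 address and the router translates a second time only for packets that the routing table sends out the ISP-2 interface, so that ISP-2 sees its own address and replies return on that interface. Interface names, the addresses (RFC 5737 documentation ranges), the ASA's PAT address and the way traffic is split between the two ISPs are all assumptions; the ASA's own PAT configuration is assumed to be in place and is not shown.

```cisco
! Added example, not from the thread. Names, addresses and routing policy are assumed.
! Assumed topology:
!   ASA outside 198.51.100.10 (ISP-1 address space; the ASA PATs all inside hosts to it)
!   -> router Gi0/0 198.51.100.1
!   -> Gi0/1 uplink to ISP-1, Gi0/2 uplink to ISP-2
!
interface GigabitEthernet0/0
 description Link to ASA outside (source addresses already PATed by the ASA)
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Uplink to ISP-1 (source is already an ISP-1 address, no second translation)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Uplink to ISP-2 (second PAT happens here)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Only packets carrying the ASA's PAT address are eligible for the second translation
ip access-list standard ASA-PAT-ADDR
 permit host 198.51.100.10
!
! Translate only when the routing decision sends the packet out Gi0/2
route-map NAT-VIA-ISP2 permit 10
 match ip address ASA-PAT-ADDR
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-VIA-ISP2 interface GigabitEthernet0/2 overload
!
! How traffic is split between the ISPs is not stated in the thread. Assumed here:
! default route via ISP-1, and one constructed example prefix (198.18.0.0/15) via ISP-2.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.18.0.0 255.254.0.0 192.0.2.1
```

After a flow to the ISP-2 prefix is opened, `show ip nat translations` should list 198.51.100.10 as the inside local address and 192.0.2.2 as the inside global address for that flow, while flows leaving via Gi0/1 show no entry because nothing matched the route-map. Note that this only does what David asked: the router sees a single source address, 198.51.100.10, for every inside host, so the second translation is decided per egress interface, not per original host, which is exactly the limitation the last reply points out.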
