topic Re: Difference in Functionality between types of NAT in Network Security

Difference in Functionality between types of NAT

Teresa.A.Strickland — Fri, 21 Feb 2020 14:33:45 GMT

We are having an issue with intermittent slowness when accessing load balanced servers behind an F5. I was wondering if anyone could explain why when I use certain types of NAT, the issue is resolved. I've tried every type of NAT there is. When I use a one-to-one static NAT or a twice NAT with equal sized pools, the issue is resolved. Obviously, it is impossible for me to use equal sized pools once I move past my testing phase. Why does twice NAT work better than other types of NAT like object NAT? I'd like to understand the functionality between the two because it makes a difference when accessing the load balanced servers. Because my terminology may not be up to snuff, here's an example of what I understand to be twice NAT and then object NAT. Don't worry that I'm using two private pools. This is just an example.

This works:

object-group network NAT_Pool1
network-object 10.14.24.0 255.255.255.0
object-group network NAT_Pool2
network-object 10.17.90.0 255.255.255.0

nat (INSIDE,outside) 1 source static NAT_Pool1 JNAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV

Object NAT doesn't resolve the issue:

object network NAT_Pool2
range 10.17.90.0 10.17.91.255
nat (INSIDE,outside) 1 source dynamic NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV

Re: Difference in Functionality between types of NAT

mikael.lahtela — Tue, 24 Oct 2017 20:20:38 GMT

Hi,

If you want to make a Object NAT i think you have an example here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1836418

Check the example for "Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)".
Not sure if you already have tried that or if this is what you want to accomplish.

br, Micke

Re: Difference in Functionality between types of NAT

Teresa.A.Strickland — Tue, 24 Oct 2017 21:57:58 GMT

Regardless of the terminology, the first example, static twice nat with pools the same size, works. The second example, dynamic objects with ranges, provides bad performance with the load balanced servers.

I need to understand the functionality of each in relation to load balancing. For example, I know the first rule is basically the same as a static nat. Although I didn't see any evidence of my tester using more than one IP address when configured with the second example, the performance became slow again. Is there a difference in the way the ports behave or do the connections die off sooner? If you can point me to more indepth documentation or explain, I would appreciate it.

Re: Difference in Functionality between types of NAT

Teresa.A.Strickland — Wed, 01 Nov 2017 13:10:10 GMT

I know how to make the different NAT rules. My question is what is the difference in the functionality on the backend where the load balancing takes place. Why does either a static NAT pool or 1 to 1 NAT work better than the dynamic NAT rules in relation to the load balancing? I am unable to take packet captures on the backside of the F5 where I get any meaningful data or I would try to answer my own question. I did not get an answer to my question on this forum.