topic Re: ASA 2xOutside NAT using both Outside to same Inside Host in Network Security

ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Wed, 21 Oct 2020 07:34:30 GMT

Here is what I am trying to do.

Outside-1 1.1.1.1/28

Outside-2 2.2.2.2/30

Additional IP's routed to Outside-2 2.2.20.0/29

Inside 172.16.22.0/24

Host-A 172.16.22.50

nat (inside,Outside-1) dynamic Host-A 1.1.1.5

nat (inside,Outside-2) dynamic HOST-A 2.2.20.5

Default route is via Outside-1

If i telnet to 2.2.20.5 I can see traffic arriving on the Outside-2 interface and is natted to Host-A (172.16.22.50)

I can also see this traffic going through the Inside interface.

BUT the returning traffic is destined for Outside-1 Interface

I think I need a twice nat rule but I can't find an example that suits this scenario.

How can I achieve this ?

Re: ASA 2xOutside NAT using both Outside to same Inside Host

Marius Gunnerud — Wed, 21 Oct 2020 08:34:08 GMT

Depending on the ASA version you are running, you can configure the two outside interfaces to be in the same traffic zone. This will allow traffic from an existing flow to enter or exit any interface that is within the same flow.

config terminal

zone outside

interface Gig0/1

nameif outside-1

security-level 0

ip address 1.1.1.1 255.255.240

zone-member outside

interface Gig0/2

nameif outside-2

security-level 0

ip address 2.2.2.2 255.255.255.252

zone-member outside

If you are looking to force the traffic back out outside-2 interface then you would need to either use policy based routing (PBR) or twice nat. I would suggest using PBR.

Re: ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Wed, 21 Oct 2020 08:52:57 GMT

I have PBR defined on Inside interface.

If I telent from HOST-A it is working and going out Outside-2 and telnet successfully establishes session.

But if I telnet into 2.2.20.5 which is a routed address through Outside-2 return traffic is still using the default route via Outside-1

I thought an Established connection would route back out the int interface it came in on ?

Any thoughts ?

Re: ASA 2xOutside NAT using both Outside to same Inside Host

Marius Gunnerud — Thu, 22 Oct 2020 07:56:32 GMT

it would seem that you are hitting the default route. How have you configured the PBR? Could you post the configuration?

Re: ASA 2xOutside NAT using both Outside to same Inside Host

Aref Alsouqi — Thu, 22 Oct 2020 10:21:31 GMT

I think what happens here is that the return traffic hits the first NAT rule so it goes out of the Outside-1 interface. If you try to flip the order of those NAT rules, it might work. However, it would stop working for the incoming traffic through Outside-1. To fix this, I think you would need a twice NAT rule, or as Marius mentioned through PBR.

Re: ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Sun, 25 Oct 2020 22:28:21 GMT

Re: ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Sun, 25 Oct 2020 22:30:45 GMT

We added a second default route to Outside-2 which resolved the problem.

An established connection on ASA does NOT work the same as on IPTables on Linux.

The sh asp drop indicated no route to host.

This has solved the problem

Re: ASA 2xOutside NAT using both Outside to same Inside Host

Aref Alsouqi — Sun, 25 Oct 2020 23:48:51 GMT

As far as I know, the ASA won't allow you to add another default route out of multiple interfaces. You mean a specific route to the destinations that would come through the Outside-2 interface?

Re: ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Mon, 26 Oct 2020 02:22:06 GMT

I now have the following routes;

route Outside-1 0.0.0.0 0.0.0.0 1.1.1.2 1
route Outside-2 0.0.0.0 0.0.0.0 2.2.2.1 2

After adding the second route traffic initiating from Outside-2 was processed successfully and the response received.

Re: ASA 2xOutside NAT using both Outside to same Inside Host

Aref Alsouqi — Mon, 26 Oct 2020 03:27:46 GMT

The second default route was added with a higher AD (2). This means that this additional route will not take effect as long as the one out of Outside-1 is active. You can verify shat by issuing the command show route. So, I am wondering how that could fix the issue!.

Re: ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN — Mon, 26 Oct 2020 04:02:16 GMT

Without the second route asp drop showed packets dropped due to no route.

Also testing with telnet would fail as previously advised from the captures.

After adding the route telnet was successful, packet capture on the Outside-2 interface shows the return traffic previously missing.

All connection in and out of Outside-1 are still working correctly.

It did solve my problem and has had no issues ... yet ":-)