topic Resilient NAT in Network Security

Resilient NAT

Sunset666_2 — Mon, 11 Mar 2019 22:16:51 GMT

Hi guys

I need to setup an ASA 5520 to correctly NAT over two wan links. The idea sounds pretty straingforward but it does not, I have only 2 IPs that are involved with the NAT

192.168.1.10(Nated Server) -- 172.16.1.10(Web Server)

I have 2 interfaces that sould be applied to it let's say outside1, outside2. The server is reacheable through each outside interface, the outside interfaces is selected uppon dynamic routing and that is working OK.

So if link outside1 is up the Nat follows this schema

192.168.1.10(inside) -- 172.16.1.10(outside1)

that works fine, but I want that automagically changes over when the link outside1 is down to

192.168.1.10(inside) -- 172.16.1.10(outside2).

I know I can't have a NAT with 2 IPs and 2 different interfaces (ASDM doesn't allow me to), is there a way to implement this??

Resilient NAT

andrew.prince — Thu, 19 Jan 2012 15:38:22 GMT

I do not know about the ASDM - but from the CLI you can do this with no issues.

Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 13:46:11 GMT

It doesn't works, I can create the static NAT through the CLI (with a warning BTW ASDM does allow me to create it with a big warning message). After create the parallel NAT my ASA doesn't realice that it should use the one accorded to the interfaces that the routing tells it to route the package.

I did try to clear the xlate table, but it didn't work, also tried to disable the interface asociated with this NAT.

The only way to make it works is deleting the other NAT in order to have just one active (the one that the routing protocol is telling is active)

Any other idea??

Resilient NAT

andrew.prince — Fri, 20 Jan 2012 13:48:01 GMT

What version are you running? And post what you have tried to configure.

Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 14:43:51 GMT

8.2

static (inside,outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

static (inside,outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

The routing is eigrp that is working OK

Resilient NAT

andrew.prince — Fri, 20 Jan 2012 14:46:56 GMT

OK the way I read that is - the internal machine 172.16.1.10 will be translated and visible on the outside as 192.168.1.10

Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 14:54:31 GMT

Yes, and it needs to be reached through two wan links that are way different in a failover configuration.

I have a branch office and I want to keep my internal IPs hidden, so I use NAT to achive this.

Any ideas to implement this on the ASA??

I have thought that I can move the routing failover part to a router and use just one interface on the ASA but I need to buy the new router. This is only if the ASA can't do the trick

Resilient NAT

andrew.prince — Fri, 20 Jan 2012 15:28:54 GMT

I just put that into a lab firewall - and have no issues, see my test config.

interface Ethernet0/0

nameif Outside1

security-level 0

ip address 10.0.1.1 255.255.255.0

interface Ethernet0/1

nameif Outside2

security-level 0

ip address 10.0.2.1 255.255.255.0

interface Ethernet0/5

nameif Inside

security-level 100

ip address 172.16.254.250 255.255.255.0

access-list outside-in extended permit icmp any any

access-list outside-in extended permit tcp any host 192.168.1.10 eq telnet

static (Inside,Outside1) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

static (Inside,Outside2) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

access-group outside-in in interface Outside1

access-group outside-in in interface Outside2

route Outside1 8.8.8.0 255.255.255.0 10.0.1.254 1

route Outside2 9.9.9.0 255.255.255.0 10.0.2.254 1

route Inside 172.16.1.0 255.255.255.0 172.16.254.254 1

ciscoasa# show xlate

2 in use, 2 most used

Global 192.168.1.10 Local 172.16.1.10

ciscoasa#

from my lab routers, I could ping and telnet to the external address thru to 2 seperate interfaces to the internal lab router - all works OK.

Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 15:44:22 GMT

This is pretty much the scenario, just 2 things I'm missing

The route to 172.16.1.0 is not applied to Inside it is applied to each Outside according to the EIGRP process.

I also can see the xlate table correctly active.

I know it should work pretty straightforward as I said but it doesn't

Resilient NAT

andrew.prince — Fri, 20 Jan 2012 15:53:13 GMT

Sorry really confused now - so the 172.16.1.0/24 is NOT on the inside??? Where is it??? Are you saying that 172.16.1.10 is reachable thru both Outside1 and Outside2 interfaces, and when you are on the Inside, to get to it you want to use IP address 192.168.1.10?? If that is the case - I am not surprised it does not work, as the config is wrong.

Re: Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 16:03:24 GMT

Yes, that is the case

In the branch office I want to reach the 172.16.1.10 thru both Outside1 and Outside2 hiding the 172.16.1.10 with 192.168.1.10.

Can you tell me if that is achievable and what errors do I have?

I know this is not an usual configuration (at least I haven't found anything like it) I'm sorry to confuse you

Re: Resilient NAT

andrew.prince — Fri, 20 Jan 2012 16:12:33 GMT

so just to be clear - the Inside network is 192.168.1.0/24 from the outside1 and outside2 you want to connect to 192.168.1.10 BUT you need it via 172.16.1.10?

static (inside,outside1) 172.16.1.10 192.168.1.10

static (inside,outside2) 172.16.1.10 192.168.1.10

Re: Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 16:18:09 GMT

To be clear

inside is 192.168.1.0/24

remote is 172.16.1.0/24

I don't want inside-net (not just 192.168.1.0) to know 172.16.1.0.

What I need is if inside telnets 192.168.1.10 it goes to 172.16.1.10 (independent from which Outside interface is active and routing)

so far I have static(inside,outside1) 192.168.1.10 172.16.1.10 (that works pretty well but if outside1 goes offline, I have to change it to outside2, deleting outside1)

Re: Resilient NAT

andrew.prince — Fri, 20 Jan 2012 16:31:38 GMT

Thanks for the clarification - try this config

static (outside1,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

static (outside2,inside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255

You might get an error - ignore it.

Re: Resilient NAT

Sunset666_2 — Fri, 20 Jan 2012 16:35:42 GMT

Thank you Andrew

I'll give it a try tonight since it is a production environment.

I'll let you know the results

Re: Resilient NAT

Sunset666_2 — Sat, 21 Jan 2012 04:14:45 GMT

Andrew, I don't want to bother you with this but 2 things

1. I already had the config you suggest, I was posting the wrong static rules

2. It doesn't works dynamically, when I route to interface Outside1 it works, when I switch to Outside2 I must delete the Nat rule associated with interface Outside1 in order to get Outside2 working.

I know I should pay more attention to this details and avoid wasting your time. I'm really sorry about it. I'm back to drawing board, any suggestion??

Re: Resilient NAT

andrew.prince — Sat, 21 Jan 2012 08:39:17 GMT

post your entire config ( remove passwords)

Sent from Cisco Technical Support iPad App

Re: Resilient NAT

Sunset666_2 — Mon, 23 Jan 2012 00:36:55 GMT

ASA Version 8.2(1)

hostname ASA-Branch

interface GigabitEthernet0/0

nameif ISP1

security-level 20

ip address 10.0.1.2 255.255.255.0

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/2

nameif ISP2

security-level 50

ip address 10.10.60.55 255.255.255.0

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

port-object eq 53400

port-object eq 53401

port-object eq 53501

port-object eq 53511

port-object eq 53521

port-object eq 53541

port-object eq 53551

port-object eq 53561

access-list Inside_access_in extended permit tcp any host 192.168.1.10 object-group Ports-Branch

pager lines 24

logging enable

logging asdm informational

mtu ISP1 1500

mtu Inside 1500

mtu ISP2 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

icmp permit any ISP2

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (ISP1) 10 interface

global (ISP2) 10 interface

nat (Inside) 10 0.0.0.0 0.0.0.0

static (ISP2,Inside) 192.1.2.50 172.17.254.10 netmask 255.255.255.255

static (ISP1,Inside) 192.1.2.50 172.17.254.10 netmask 255.255.255.255

access-group ISP1_access_in in interface ISP1

access-group Inside_access_in in interface Inside

access-group ISP2_access in interface ISP2

router eigrp 10

network 10.10.60.0 255.255.255.0

network 10.0.1.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

: end

I've removed some trivial info (I hope), pretty much this is how it is configured

Re: Resilient NAT

andrew.prince — Mon, 23 Jan 2012 10:00:50 GMT

I see the issue now - it makes sense that you need to remove the static entry via ISP1 for it to work, NAT is an up > down process - so the ISP1 entry will be hit every time.....

The only way I can think of right now, is to NAT the traffic before it gets to the ASA, like put a router in front of the Branch ASA or NAT it closer to the source with a route map that defines the destination subnet.

HTH>

Re: Resilient NAT

Sunset666_2 — Mon, 23 Jan 2012 14:31:24 GMT

hi Andrew

So I was right thinking of use a router with the ISPs links and a link to the ASA and configure the ASA with a single inside outside schema.

BTW thank you very much for your advices.

Sent from Cisco Technical Support iPhone App