topic ASA - NAT in Network Security

ASA - NAT

rush2amol — Mon, 11 Mar 2019 21:11:45 GMT

Hi,

Background - I have a ASA which is connected with 2 internet service providers. Both providers have their respective public IP addresses configured to two different physical interfaces. I NAT the Inside zone proxy to one of the provider interface for browsing purpose.

Requirement - There should be a automatic switchover of proxy from one provider to another when the configured NAT provider fails.

Solution -

The default route configured can be switched automatically from one provider to another using IP SLA monitoring; same has been tested and it works on the ASA.

Problem - The proxy NAT should be switched automatically from one provider to another. Is there any mechanism where the proxy is configured with 2 NAT ID's (of two providers), where one is preferred and if that goes down the other ID is picked?

Regards,

Amol.

Re: ASA - NAT

Deepak Khemani — Fri, 19 Aug 2011 11:32:13 GMT

This is not a tested solution but I think this will work.

Step 1 : Place ISP in different security levels. ISP1 in outside with security level 100 and ISP 2 in outsuide1 with security level say 95.

Step 2 : Config IP SLA ( as already done ) for routing switchover.

Step 3: Identify address to be natted with nat (inside) 1 0.0.0.0 0.0.0.0 ( For all addresses)

Step 4: Repeat the above address with diff NAT ID nat (inside) 2 0.0.0.0 0.0.0.0 ( For all addresses)

Step 5: Create twop global pools with NAT ID 1 and 2 as

global (outside) 1

global (Outside2) 2

I have not tested the solution as I don't have access to ASA box.

But to be honest I think what will happen is traffic will match NAT ID 1 and ASA will perform required NATting and sent to ISP 2 interface (As bcoz of IP SLA default route now points to ISP 2. ISP 2 might not transmit the traffic bcoz source address in packet will be of ISP1. And also in case if it transmits ISP 2 will not get any answer in return because remote host will send reply to source address of packet which is ISP 1. And ISP1 is down.

If you try this stuff please let me know if it worked or not.

Thanks in advance

Re: ASA - NAT

Deepak Khemani — Fri, 19 Aug 2011 13:01:36 GMT

After more research I found the soution for the problem you rae facing. Previous answers was full of crap and type mistakes. Security level for outside interface as 100 and 95. My bad.

Here's the solution.

interface Ethernet0

nameif outsidePrimary

security-level 0

ip address 1.1.1.2 255.255.255.248

interface Ethernet1

nameif outsidebackup

!--- The interface attached to the Secondary ISP.
!--- "backup" was chosen here, but any name can be assigned.

security-level 0

ip address 2.2.2.2 255.255.255.248

interface Ethernet2

nameif inside

security-level 100

ip address 172.22.1.163 255.255.255.0

global (outsidePrimary) 1 interface
global (outsidebackup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

!--- NAT Configuration for Outside and Backup

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1

!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.

route backup 0.0.0.0 0.0.0.0 2.2.2.1 254

!--- Define the backup route to use when the tracked object is unavailable.
!--- The administrative distance of the backup route must be greater than
!--- the administrative distance of the tracked route.
!--- If the primary gateway is unreachable, that route is removed
!--- and the backup route is installed in the routing table
!--- instead of the tracked route.

And then define the config for IP SLA Monitor.

Hope this helps.

Cheers

ASA - NAT

rush2amol — Mon, 22 Aug 2011 14:46:20 GMT

Hi Deepak,

Thx for responding. I am not sure if the given solution would work; actually i haven’t come across anything such specific but what i see is the firewall do accept it. Following for your perusal -

Hostname/admin# sh run global 100

global (outside) 100 21.21.14.250 netmask 255.255.255.255

global (dmz) 100 21.21.13.250 netmask 255.255.255.255

Hostname/admin#

Hostname/admin# sh run nat 100

nat (inside) 100 10.224.45.254 255.255.255.255

Hostname/admin#

Let me check on this and would let you know.

Would also like to inform you on the following config which i checked and it didn’t work; just for your information...

global (outside1) 100 interface

global (outside2) 101 interface

Hostname/admin#

Hostname/admin# sh run | i pat

access-list pat-SP1 permit ext permit ip host 10.224.45.100 any

access-list pat-SP2 permit ext permit ip host 10.224.45.100 any

Hostname/admin# sh run | i nat

nat (inside) 100 access-list pat-SP1

nat (inside) 101 access-list pat-SP2

When the above was entered the browsing was completely stopped, but when i removed one PAT access list it again started to work. The default route was anyways been taken by the IP SLA.

Thx,

Amol

ASA - NAT

varrao — Mon, 22 Aug 2011 15:46:37 GMT

Hi,

I am not really sure about your exact requirement but what I gather is you have ntwo ISP providers and you would want these two ISP's for redundancy, so if the first goes down the seconda takes over automatically????

Well if thats your requirement, have you configured sla monitoring on the ASA, because without it, this would not work and ASA would keep punting the packets to your DG with the least metric default route. So you need to add these commands:

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

route backup 0.0.0.0 0.0.0.0 10.25.0.250.1 254

Without this config, the switchover wont happen automatically, the ip's in above example are just for example purpose.

You can refer to this doc for more help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Let me know if this is what you were looking for.

Thanks,

Varun

ASA - NAT

rush2amol — Sat, 12 May 2012 15:00:33 GMT

Hi Deepak,

Tried the following config as mentioned by you earlier but it didnt work

global (outsidePrimary) 1 interface
global (outsidebackup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

Interesting to note if ping icmp works as expected. Means as per the required routing and its manipulation using the IP SLA necessary pat gets assigned and the ping goes fine, but somehow the connectivity is not working. No browsing, no successfull sessions. But if i remove the alternate NAT (global (outsidebackup) 1 interface) then the browsing starts.

Any idea why is this happening ???

Regards

Amol.