topic Re: One-to-one NAT with redundant ISP links in Network Security

One-to-one NAT with redundant ISP links

sequoyatech — Mon, 11 Mar 2019 18:52:55 GMT

We have an ASA5505 with the Sec+ license. I'm comfortable setting up failover using tracked routes, and allowing simple inbound traffic to the current mapped interface IP. This requires that all internal destination IPs be PATed to the current interface address (as per the bolded global statement below). Our requirements are expanding and we would like to start using one-to-one NAT for our servers. We have a /29 block on our primary link, but only have a /30 on the backup link.

Here's an example of what we have now. This allows HTTP traffic to reach the internal IP of 192.168.1.10, regardless of whether the primary or backup link is active.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 
!
interface Vlan3
 nameif outside-backup
 security-level 0
 ip address 2.2.2.1 255.255.255.252

global (outside) 1 interface
global (outside-backup) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255

access-list acl_out extended permit tcp any interface eq www

access-group acl_out in interface outside access-group acl_out in interface outside-backup

We'd like to break out the existing PAT setup to one-to-one NAT; something like:

static (inside,outside) 2.2.2.2 192.168.1.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.3 192.168.1.11 netmask 255.255.255.255

When the primary interface goes down, both internal hosts should remain accessible from the outside on the backup link. I may be able to upgrade the backup link to a /29 as well, if that's what's needed here. Is this a pipe dream, or possible? If I can do it, what would the configuration look like? And finally, am I making any sense at all?

Re: One-to-one NAT with redundant ISP links

golly_wog — Mon, 11 Oct 2010 21:05:03 GMT

Nathan

Mate - I *think* that you might be able to do this in 8.3, some of the Experts here might be able to help you solve it, but I think that is the puppy you need...

Re: One-to-one NAT with redundant ISP links

Panos Kampanakis — Mon, 11 Oct 2010 21:13:38 GMT

You can do what you want Nathan.

If you have 2 servers you will need extra ips for the isp link (let's assume its name is outside2) though. Let's say you had them and they were 3.3.3.2 and 3.3.3.3. Then you would just need

static (inside,outside) 2.2.2.2 192.168.1.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.3 192.168.1.11 netmask 255.255.255.255

static (inside,outside2) 3.3.3.2 192.168.1.10 netmask 255.255.255.255

static (inside,outside2) 3.3.3.3 192.168.1.11 netmask 255.255.255.255

I hope it helps.

Re: One-to-one NAT with redundant ISP links

golly_wog — Mon, 11 Oct 2010 21:23:21 GMT

Is there any way to do this just using a single outside address (for both interfaces),

eg, 2.2.2.2 is the publicly routable address that translates to 192.168.1.10 on the inside.

I can't see how this would work without having 2 seperate IPs. And having 2 IPs for your web server is a bit pants.

cheers

Re: One-to-one NAT with redundant ISP links

sequoyatech — Tue, 12 Oct 2010 12:21:22 GMT

Could we fall back to PAT in that case?

global (outside2) 1 interface

static (inside,outside2) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside2) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255

Re: One-to-one NAT with redundant ISP links

Panos Kampanakis — Tue, 12 Oct 2010 13:30:18 GMT

Could we fall back to PAT in that case?

global (outside2) 1 interface

static (inside,outside2) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside2) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255

Yes you could. When the ISP2 is up the statics hold for the 2 server and the global is for the rest behind the inside.

I hope it helps.

Re: One-to-one NAT with redundant ISP links

Panos Kampanakis — Tue, 12 Oct 2010 13:33:05 GMT

Is there any way to do this just using a single outside address (for both interfaces),

eg, 2.2.2.2 is the publicly routable address that translates to 192.168.1.10 on the inside.

I can't see how this would work without having 2 seperate IPs. And having 2 IPs for your web server is a bit pants.

cheers

You are right, you will need 2 ip addresses per ISP to translate your servers. And then of course you can still use the outside ip address of the ASA.

So someone would need 3 available ip addresses per ISP, that is why /29 is the mask someone would need from them.

Re: One-to-one NAT with redundant ISP links

sequoyatech — Tue, 12 Oct 2010 13:52:03 GMT

Thanks all. I hope to make the changes later today and will post back with the results.

Re: One-to-one NAT with redundant ISP links

golly_wog — Tue, 12 Oct 2010 19:14:01 GMT

Thanks PK