topic inbound policy nat in Network Security

inbound policy nat

WILLIAM STEGMAN — Mon, 11 Mar 2019 17:10:11 GMT

I have a scenario with a load balancer that has connection into the networks behind my ASA's inside and dmz interface. We'll be migrating all the public facing websites currently sitting on the inside to the dmz, but the problem is that I want to move one service over at a time, but my load balancer is of course only able to have one default route. The return traffic from the load balancer to hosts coming from the Internet needs a route back. What's happening is servers on either, not both, of the inside and dmz segments are able to communicate with those connections sourced from the Internet. It leads to an asymmetrical routing issue behind the firewall.

Internet -> ASA - DMZ - WebserversDMZ

| |

inside -- Load Balancer

WebserversINSIDE

Is there a way to create a policy nat that states something like

access-list policyNAT perm ip any host WebserversDMZ

nat (outside) 2 access-li policyNAT

global (outside) 2 10.21.5.5 netmask 255.255.255.224

so that return traffic from a server in the DMZ would see it as a directly connected route and use that route for the return traffic instead of its default route? Or does this only work for outbound traffic? I can't see how a static statement would work in this scenario for outside to inside translation.

thank you

Bill

Re: inbound policy nat

Jon Marshall — Tue, 16 Feb 2010 16:28:24 GMT

wstegman wrote:
I have a scenario with a load balancer that has connection into the networks behind my ASA's inside and dmz interface.  We'll be migrating all the public facing websites currently sitting on the inside to the dmz, but the problem is that I want to move one service over at a time, but my load balancer is of course only able to have one default route.  The return traffic from the load balancer to hosts coming from the Internet needs a route back.  What's happening is servers on either, not both, of the inside and dmz segments are able to communicate with those connections sourced from the Internet.  It leads to an asymmetrical routing issue behind the firewall.
Internet -> ASA - DMZ - WebserversDMZ
                    |         |
                 inside -- Load Balancer
                     |
                WebserversINSIDE 
Is there a way to create a policy nat that states something like
access-list policyNAT perm ip any host WebserversDMZ
nat (outside) 2 access-li policyNAT
global (outside) 2 10.21.5.5 netmask 255.255.255.224

so that return traffic from a server in the DMZ would see it as a directly connected route and use that route for the return traffic instead of its default route?  Or does this only work for outbound traffic?  I can't see how a static statement would work in this scenario for outside to inside translation. 

thank you

Bill

Bill

You can do inbound policy NAT from the outside although from your example it's not entirely clear what you are trying to do. Is 10.21.5.5 meant to be an address on the DMZ ?

Here is an example of inbound policy NAT

access-list PNAT permit ip any host Webserver_dmz

nat (outside) 2 access-list PNAT outside <-- note the additional "outside" keyword at the end, this is important

global (dmz) 2 interface

what the above would do is NAT any source internet addresses to the DMZ interface IP address. So the webserver in the DMZ sees the source as the DMZ interface and just sends it back there.

I'm not entirely sure this is what you want though. If not could you be more specfic in what you want ?

Jon

Re: inbound policy nat

WILLIAM STEGMAN — Tue, 16 Feb 2010 16:48:53 GMT

Yes, 10.21.5.5 would be an address in the DMZ. That's perfect. I applied your suggested config (only one exception, I already had a global (dmz) 1 int command there so I had to use global (dmz) 2 10.21.5.5 netmask 255.255.255.255 ) and I have the web servers from both segments routing correctly now.

thank you!

Re: inbound policy nat

francisco_1 — Tue, 16 Feb 2010 16:56:49 GMT

Bill,

Is the LB the gateway for the servers?

If not i worked with a similar design were the LB is not the gateway for the servers, instead servers using a switch (HSRP) as their gateway and the switch connected via another vlan to the upstream LB. The load balancer we used was Cisco ACE acting as one arm mode with single vlan interface with a default route to the upstream firewall and another route towards servers soundbound.

With servers having multiple interfaces and more than one exit interface, we used SNAT (Souce NAT) on the ACE to direct return traffic always back through the ACE LB.

Hope that helps

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example