topic Re: NAT Operations question urgent in Network Security

NAT Operations question urgent

amanverma — Fri, 21 Feb 2020 15:18:23 GMT

we are doing an migration so added another inside_2 interface, BGP is running between ASA and routers on both sides.

now there are around 50 Static NAT Twice entry in place with #nat (inside,ouside)

now in migration activity we need to point same nat entry to inside_2 like #nat (inside_2,outside).

I understand that when I will create same NAT rules again with inside_2 interface then they will be placed down in order and will not match because with inside-outside they will match first.

now what we want is that during that activity when BGP points the exit path to inside_2 then NAT should use inside_2 and when BGP points inside as exit then it should use inside. but both interfaces will be up at same time with same security level.

how can I achieve this ? only have CLI access and IP's will remain same.

Re: NAT Operations question urgent

Francesco Molino — Thu, 08 Feb 2018 02:15:26 GMT

Just to be sure, I want to confirm something.

You have 2 interfaces inside and inside_2.

Behind inside you have a host natted on asa for inbound connection, let's say ip 10.100.100.1.

What you're achieving is moving that server behind interface inside_2 keeping same IP.

Am I right?

How you're advertising your network? I mean, on ASA, BGP will learn the full subnet from inside and during your migration, this subnet is gonna be learned behind inside_2?

If so, you can convert all your nat (inside,outside) into nat (any,outside). When your migration is finished, then put all nat back with the right interface nat (inside_2,outside). In that way, nat will be enable for all interfaces and the decision will be made with route-lookup step.

I've done that multiple times for customer migration and didn't get any issues.