ASA 2xOutside NAT using both Outside to same Inside Host

DON BROWN
Level 1

Here is what I am trying to do.

Outside-1 1.1.1.1/28

Outside-2 2.2.2.2/30

Additional IP's routed to Outside-2 2.2.20.0/29

Inside 172.16.22.0/24

Host-A 172.16.22.50

nat (inside,Outside-1) dynamic Host-A 1.1.1.5

nat (inside,Outside-2) dynamic HOST-A 2.2.20.5

Default route is via Outside-1

If I telnet to 2.2.20.5 I can see traffic arriving on the Outside-2 interface and it is NATted to Host-A (172.16.22.50).

I can also see this traffic going through the Inside interface.

BUT the returning traffic is destined for Outside-1 Interface

I think I need a twice nat rule but I can't find an example that suits this scenario.


How can I achieve this?

 


Depending on the ASA version you are running, you can configure the two outside interfaces to be in the same traffic zone.  This will allow traffic from an existing flow to enter or exit any interface that is within the same flow.

config terminal
zone outside
interface Gig0/1
 nameif outside-1
 security-level 0
 ip address 1.1.1.1 255.255.255.240
 zone-member outside
interface Gig0/2
 nameif outside-2
 security-level 0
 ip address 2.2.2.2 255.255.255.252
 zone-member outside

If you are looking to force the traffic back out outside-2 interface then you would need to either use policy based routing (PBR) or twice nat.  I would suggest using PBR.

--
Please remember to select a correct answer and rate helpful posts

I have PBR defined on Inside interface.

 

If I telnet from HOST-A it is working and going out Outside-2, and telnet successfully establishes a session.

 

But if I telnet into 2.2.20.5, which is a routed address through Outside-2, the return traffic is still using the default route via Outside-1.

 

I thought an established connection would route back out the interface it came in on?

 

Any thoughts?

It would seem that you are hitting the default route. How have you configured the PBR? Could you post the configuration?

--
Please remember to select a correct answer and rate helpful posts

I think what happens here is that the return traffic hits the first NAT rule so it goes out of the Outside-1 interface. If you try to flip the order of those NAT rules, it might work. However, it would stop working for the incoming traffic through Outside-1. To fix this, I think you would need a twice NAT rule, or as Marius mentioned through PBR.


We added a second default route to Outside-2 which resolved the problem.

An established connection on ASA does NOT work the same as on IPTables on Linux.

The sh asp drop indicated no route to host.

 

This has solved the problem.

As far as I know, the ASA won't allow you to add another default route out of multiple interfaces. You mean a specific route to the destinations that would come through the Outside-2 interface?

I now have the following routes:

 

route Outside-1 0.0.0.0 0.0.0.0 1.1.1.2 1
route Outside-2 0.0.0.0 0.0.0.0 2.2.2.1 2

 

After adding the second route traffic initiating from Outside-2 was processed successfully and the response received.

The second default route was added with a higher AD (2). This means that this additional route will not take effect as long as the one out of Outside-1 is active. You can verify that by issuing the command show route. So, I am wondering how that could fix the issue!

Without the second route, asp drop showed packets dropped due to no route.

Also testing with telnet would fail as previously advised from the captures.

After adding the route telnet was successful, packet capture on the Outside-2 interface shows the return traffic previously missing.

All connections in and out of Outside-1 are still working correctly.

It did solve my problem and has had no issues ... yet :-)
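An added reconstruction of the configuration this thread ends with (not posted by anyone in the thread): object NAT for Host-A on both outside interfaces, PBR on the inside interface as the OP describes, and the two default routes from the post above, followed by the commands used to check the outcome. The object, ACL and route-map names, the inside interface address and the interface-to-port mapping are assumptions; the NAT rules are written as static rather than dynamic because an inbound connection to the mapped address needs a static translation.

```cisco
! Interfaces (names as in the thread; port assignments and inside address assumed)
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.22.1 255.255.255.0
 policy-route route-map PBR-HOSTA-OUT2
!
interface GigabitEthernet0/1
 nameif Outside-1
 security-level 0
 ip address 1.1.1.1 255.255.255.240
!
interface GigabitEthernet0/2
 nameif Outside-2
 security-level 0
 ip address 2.2.2.2 255.255.255.252
!
! Host-A is reachable as 1.1.1.5 via Outside-1 and as 2.2.20.5 via Outside-2.
! Static object NAT so that connections initiated from outside to the mapped address work.
object network HOST-A-OUT1
 host 172.16.22.50
 nat (inside,Outside-1) static 1.1.1.5
object network HOST-A-OUT2
 host 172.16.22.50
 nat (inside,Outside-2) static 2.2.20.5
!
! PBR on inside (the OP already has this): traffic sourced by Host-A leaves via Outside-2
access-list PBR-HOSTA-OUT2 extended permit ip host 172.16.22.50 any
route-map PBR-HOSTA-OUT2 permit 10
 match ip address PBR-HOSTA-OUT2
 set ip next-hop 2.2.2.1
!
! Routes as in the accepted solution: primary default via Outside-1,
! second default with AD 2 via Outside-2
route Outside-1 0.0.0.0 0.0.0.0 1.1.1.2 1
route Outside-2 0.0.0.0 0.0.0.0 2.2.2.1 2
!
! Checks: which default route is installed, whether the no-route drop counter
! still increments, and how the ASA handles an inbound connection to 2.2.20.5
! (203.0.113.10 is a constructed client address)
show route
show asp drop | include route
packet-tracer input Outside-2 tcp 203.0.113.10 40000 2.2.20.5 23
```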

 
