07-13-2015 07:41 AM - edited 03-11-2019 11:15 PM
Hello all, I am trying to achieve the following configuration:
Two inside hosts should connect to the same destination address but with different source addresses and via different paths.
The simplified network diagram is below (“.X” means the last octet of the host’s IP address on the network; for example, the host with “.1” connected to the 192.168.1.0/24 network has IP address 192.168.1.1):
ASA has three interfaces:
Gi0/0 – INSIDE to SW
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
Gi0/1 – OUTSIDE1 to ISP-GW-1
nameif OUTSIDE1
security-level 0
ip address 172.16.1.1 255.255.255.252
Gi0/2 – OUTSIDE2 to ISP-GW-2
nameif OUTSIDE2
security-level 0
ip address 172.16.2.1 255.255.255.252
Both OUTSIDE interfaces have a simple temporary access-list with a “permit ip any any” ACE applied for testing purposes.
Objects configuration:
object network HOST1
host 192.168.1.1
object network HOST2
host 192.168.1.2
object network DESTINATION-REAL
host 10.10.10.10
object network DESTINATION-MAPPED-1
host 10.1.1.1
object network DESTINATION-MAPPED-2
host 10.2.2.2
NAT configuration:
nat (INSIDE,OUTSIDE1) source static HOST1 interface destination static DESTINATION-MAPPED-1 DESTINATION-REAL
nat (INSIDE,OUTSIDE2) source static HOST2 interface destination static DESTINATION-MAPPED-2 DESTINATION-REAL
sh nat detail output:
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE1) source static HOST1 interface destination static DESTINATION-MAPPED-1 DESTINATION-REAL
translate_hits = 4545, untranslate_hits = 5646
Source - Origin: 192.168.1.1/32, Translated: 172.16.1.1/30
Destination - Origin: 10.1.1.1/32, Translated: 10.10.10.10/32
2 (INSIDE) to (OUTSIDE2) source static HOST2 interface destination static DESTINATION-MAPPED-2 DESTINATION-REAL
translate_hits = 4275, untranslate_hits = 5132
Source - Origin: 192.168.1.2/32, Translated: 172.16.2.1/30
Destination - Origin: 10.2.2.2/32, Translated: 10.10.10.10/32
With this configuration I cannot reach the destination from either host: ping 10.1.1.1 from HOST1 (mapped destination for HOST1) and ping 10.2.2.2 from HOST2 (mapped destination for HOST2) both fail.
BUT if I add a route on the ASA to the REAL destination (10.10.10.10) via interface OUTSIDE1 or OUTSIDE2, one of the NAT translations starts to work.
For example:
route OUTSIDE1 10.10.10.10 255.255.255.255 172.16.1.2 – ping from HOST1 to the destination works.
route OUTSIDE2 10.10.10.10 255.255.255.255 172.16.2.2 – ping from HOST2 to the destination works.
So, as I assume, the egress interface is selected by route lookup, ignoring the NAT statement in the config, like (INSIDE,OUTSIDE1).
But on the ASA you can't add two routes to the same destination simultaneously, and because of that I cannot make this configuration work. Also, the latest firmware version for the ASA 5510 is 9.1.x, and I cannot use PBR (it was introduced in 9.4, I believe).
Any advice on how I can select the egress interface via the NAT statement and without a route lookup?
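The behaviour described in this post, as an added example that is not part of the original thread and not Cisco's code: a small Python model that applies the two manual NAT rules from the post and then picks the egress interface by a longest-prefix route lookup on the real destination, exactly as the poster observed. The drop-on-mismatch rule (flow fails when the route's interface differs from the NAT rule's egress interface) and the one-route-per-prefix constraint are assumptions made to reproduce the observations above, not a description of the ASA's actual forwarding code. Object names, addresses and interface names are taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One 'nat (ingress,egress) source static ... destination static ...' line."""
    ingress: str
    egress: str
    real_src: str      # inside host (HOST1 / HOST2)
    mapped_src: str    # 'interface' keyword: the egress interface address
    mapped_dst: str    # address the inside host sends to (DESTINATION-MAPPED-n)
    real_dst: str      # address the ASA forwards to (DESTINATION-REAL)


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    next_hop: str


def add_route(routes: List[Route], new: Route) -> List[Route]:
    """Assumption from the post: only one route per destination prefix is allowed."""
    if any(r.prefix == new.prefix for r in routes):
        raise ValueError(f"route to {new.prefix} already exists")
    return routes + [new]


def match_nat(rules: List[NatRule], ingress: str, src: str, dst: str) -> Optional[NatRule]:
    # Manual NAT (Section 1) is evaluated top-down; first match wins.
    for rule in rules:
        if rule.ingress == ingress and rule.real_src == src and rule.mapped_dst == dst:
            return rule
    return None


def route_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match on the (already untranslated) real destination."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for rt in routes:
        net = ipaddress.ip_network(rt.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = rt
    return best


def forward(rules: List[NatRule], routes: List[Route], ingress: str, src: str, dst: str) -> Tuple[str, str]:
    """Return ('forward', egress) or ('drop', reason) for one inside-to-outside packet."""
    rule = match_nat(rules, ingress, src, dst)
    if rule is None:
        return ("drop", "no NAT rule matched")
    rt = route_lookup(routes, rule.real_dst)
    if rt is None:
        return ("drop", f"no route to real destination {rule.real_dst}")
    # Assumption modelling the post: egress comes from the route lookup, and the
    # flow only works when it agrees with the interface pair in the NAT rule.
    if rt.interface != rule.egress:
        return ("drop", f"route exits {rt.interface} but NAT rule expects {rule.egress}")
    return ("forward", f"{rt.interface} via {rt.next_hop}, source {src}->{rule.mapped_src}")


# Configuration from the post (constructed from the objects and NAT lines above).
RULES = [
    NatRule("INSIDE", "OUTSIDE1", "192.168.1.1", "172.16.1.1", "10.1.1.1", "10.10.10.10"),
    NatRule("INSIDE", "OUTSIDE2", "192.168.1.2", "172.16.2.1", "10.2.2.2", "10.10.10.10"),
]
ROUTE_VIA_OUTSIDE1 = Route("10.10.10.10/32", "OUTSIDE1", "172.16.1.2")
ROUTE_VIA_OUTSIDE2 = Route("10.10.10.10/32", "OUTSIDE2", "172.16.2.2")


def scenario(routes: List[Route]) -> dict:
    """Outcome for HOST1 -> 10.1.1.1 and HOST2 -> 10.2.2.2 under a given route table."""
    return {
        "HOST1": forward(RULES, routes, "INSIDE", "192.168.1.1", "10.1.1.1")[0],
        "HOST2": forward(RULES, routes, "INSIDE", "192.168.1.2", "10.2.2.2")[0],
    }


if __name__ == "__main__":
    for label, table in (("no route", []),
                         ("route via OUTSIDE1", [ROUTE_VIA_OUTSIDE1]),
                         ("route via OUTSIDE2", [ROUTE_VIA_OUTSIDE2])):
        print(f"{label:20s} {scenario(table)}")
    try:
        add_route([ROUTE_VIA_OUTSIDE1], ROUTE_VIA_OUTSIDE2)
    except ValueError as err:
        print("second route rejected:", err)
```

Running it shows the three outcomes from the post (both drop with no route, HOST1 works with the OUTSIDE1 route, HOST2 works with the OUTSIDE2 route) and that the one-route-per-prefix rule leaves no single table that serves both hosts, which is the constraint the question is about.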
07-14-2015 12:48 AM
Hi,
Since 10.10.10.10 is not in the same subnet as any of those configured on the firewall interfaces, you need to add a route statement to actually tell the firewall behind which interface it is present. Regarding PBR on the ASA, you could refer to the following document:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html
I hope it will help you.
Regards,
Prateek Verma