ASA Hide nat while using inside,outside static nat

joe19366
Level 1

Good day,

Here is the issue we are trying to solve:

Switching firewall devices, going to need to have the same servers reply to two different firewalls; the servers have always been behind their ASA and replying to the internet for the global source IPv4 space.

We want to keep that ASA online, but change the default route to the new firewall.

old firewall 10.1.1.1
new firewall 10.1.1.10

existing nat

object network 10.1.1.15_Server1
 host 10.1.1.15
 nat (inside,outside) static 63.118.110.15

This all works fine. However, we need to:

1) Keep this working as we bring the new firewall online - so the servers' default gateway becomes 10.1.1.10

2) Keep replying to stuff coming in (do not need to originate NAT OUTBOUND, DO need to REPLY to our static IPs, i.e. 63.118.110.15 for global services)

3) Can we AT THE SAME TIME NAT ALL SOURCE IPs for "the internet" to a single overload "HIDE NAT"?

Here is what I tried:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (outside,inside) dynamic 10.1.1.254

The goal here is to allow us to keep BOTH firewalls ONLINE for a few months as we SLOWLY move public NATs from the public IPs used on the old firewall to the new firewall.

And YES, connections made THROUGH the old firewall will look like they came from 10.1.1.254,

but connections through the new firewall will look like their true source IPs (the IPv4 source on the internet).

Thanks!


1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

I don't think the Dynamic NAT will fulfill the requirement. Also, if you keep both the ASA devices in the network, you would certainly face issues with the Proxy-ARP on the ASA devices replying to the ARP requests, and that would cause asymmetric routing and dropping of the traffic on the ASA device.

I think the only workaround that you would be able to use will be to configure TCP state bypass on the ASA units.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Thanks and Regards,

Vibhor Amrodia
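
The two posts above turn on one mechanism: a stateful firewall only forwards a reply for a connection it saw the SYN for, so whichever device the server's reply is routed to decides whether the flow survives. The following is an added example written for this thread, not Cisco code and not a reproduction of ASA behaviour; it is a toy model with a connection table, the thread's static NAT, an optional inbound source "hide" NAT on the old ASA (the poster's idea), and the TCP state bypass the reply suggests. It walks one inbound SYN through the old ASA (which still owns 63.118.110.15) and then routes the server's SYN-ACK either to the old ASA or to the new default gateway 10.1.1.10. Ports are omitted, the client address 198.51.100.7 is constructed from the documentation range, and the new firewall is assumed to already carry the same static NAT.

```python
"""Toy model of two stateful firewalls sharing one inside subnet.

Added example for this thread; not Cisco code and not ASA behaviour
verbatim. Enough is modelled (connection table, static NAT, optional
inbound source "hide" NAT, TCP state bypass, and which device receives an
on-link reply) to show why the reply's path decides whether a flow lives.
Ports are omitted; 198.51.100.7 is a constructed client address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", ...


@dataclass
class Firewall:
    name: str
    inside_ip: str
    static_nat: Dict[str, str]               # public IP -> inside host
    inbound_hide_nat: Optional[str] = None   # rewrite inbound source to this
    tcp_state_bypass: bool = False
    # (client as seen inside, server) -> client's real internet address
    conns: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def owned_inside_ips(self):
        """Addresses this device answers ARP for on the inside segment."""
        return {ip for ip in (self.inside_ip, self.inbound_hide_nat) if ip}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside. Returns the translated packet, or None if dropped."""
        real_dst = self.static_nat.get(pkt.dst)
        if real_dst is None:
            return None                      # no translation for this public IP
        src = self.inbound_hide_nat or pkt.src
        if not self.tcp_state_bypass:
            if pkt.flags == "SYN":
                self.conns[(src, real_dst)] = pkt.src   # create state on SYN
            elif (src, real_dst) not in self.conns:
                return None                  # non-SYN with no state: dropped
        return Packet(src, real_dst, pkt.flags)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> internet reply. Needs state unless bypass is enabled."""
        orig_client = self.conns.get((pkt.dst, pkt.src))
        if orig_client is None and not self.tcp_state_bypass:
            return None                      # reply for a flow this box never saw
        public_src = next((pub for pub, inside in self.static_nat.items()
                           if inside == pkt.src), pkt.src)
        return Packet(public_src, orig_client or pkt.dst, pkt.flags)


def next_hop_for_reply(reply: Packet, firewalls: List[Firewall],
                       default_gw: str) -> Optional[Firewall]:
    """Which device receives the server's reply: an on-link destination goes
    to whoever answers ARP for it, anything else goes to the default gateway."""
    if reply.dst.startswith("10.1.1."):
        return next((fw for fw in firewalls
                     if reply.dst in fw.owned_inside_ips()), None)
    return next(fw for fw in firewalls if fw.inside_ip == default_gw)


def run(default_gw: str, old_hide_nat: Optional[str] = None,
        new_bypass: bool = False) -> Tuple[Optional[str], Optional[Packet]]:
    """One inbound SYN through the old ASA, then the server's SYN-ACK.
    Returns (device that handled the reply, packet it emitted or None)."""
    statics = {"63.118.110.15": "10.1.1.15"}     # from the thread
    old = Firewall("old-asa", "10.1.1.1", dict(statics), old_hide_nat)
    # Assumption: the new firewall already carries the same static NAT.
    new = Firewall("new-fw", "10.1.1.10", dict(statics), tcp_state_bypass=new_bypass)
    fws = [old, new]
    syn = Packet("198.51.100.7", "63.118.110.15", "SYN")
    inside_syn = old.inbound(syn)                # public IP still lives on the old ASA
    if inside_syn is None:
        return None, None
    reply = Packet(inside_syn.dst, inside_syn.src, "SYN-ACK")
    egress = next_hop_for_reply(reply, fws, default_gw)
    if egress is None:
        return None, None
    return egress.name, egress.outbound(reply)


if __name__ == "__main__":
    print("symmetric    ", run("10.1.1.1"))
    print("asymmetric   ", run("10.1.1.10"))
    print("state bypass ", run("10.1.1.10", new_bypass=True))
    print("inbound hide ", run("10.1.1.10", old_hide_nat="10.1.1.254"))
```

The second case is the asymmetric-routing drop the reply warns about: the SYN-ACK reaches the new firewall, which has no connection entry and discards it. The third case passes only because state bypass turns off that check on the new firewall; the old ASA still holds a half-open entry until it idles out, which is the price of that workaround. The fourth case only works in this model because the old ASA is the device that answers ARP for 10.1.1.254 on the inside segment, which is exactly the proxy-ARP interaction the reply says becomes unreliable once two ASAs share one inside network.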
