ASA large-scale PAT with HTTP proxy design question

tvotna
Spotlight

Hi,

We have a Cisco WSA farm integrated with an ASA via WCCP, with lots of internal users. Each WSA is currently PATed to its own public IP address on the ASA. Even though users are load-balanced to the WSA appliances by source IP, sometimes many users visit the same Internet site almost simultaneously and connections are rejected, because this looks like a DoS to the site.

Does anybody know a solution for this issue? Round-robin PAT doesn't help, because the same sender (the same WSA in our case) is always allocated the same IP address from the PAT pool:

object-group network WSA-real
 network-object host 10.248.0.1
 network-object host 10.248.0.2
 network-object host 10.248.0.3

object-group network WSA-pool
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object host 192.0.2.3
 network-object host 192.0.2.4
 network-object host 192.0.2.5
 network-object host 192.0.2.6

nat (inside,outside) source dynamic WSA-real pat-pool WSA-pool round-robin

ASA/CONTEXT/sec/act(config)# sh xla
6 in use, 4786 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:03:35 timeout 0:00:00

UDP PAT from inside:10.248.0.1/11113 to outside:192.0.2.1/11113 flags ri idle 0:00:02 timeout 0:01:00
UDP PAT from inside:10.248.0.1/11112 to outside:192.0.2.1/11112 flags ri idle 0:00:08 timeout 0:01:00
UDP PAT from inside:10.248.0.1/11111 to outside:192.0.2.1/11111 flags ri idle 0:00:51 timeout 0:01:00
UDP PAT from inside:10.248.0.3/33333 to outside:192.0.2.3/33333 flags ri idle 0:00:30 timeout 0:01:00
UDP PAT from inside:10.248.0.2/22222 to outside:192.0.2.2/22222 flags ri idle 0:00:38 timeout 0:01:00
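A small helper for reading output like the above, added here and not part of the original post: it parses the dynamic PAT lines of `show xlate`, counts how many xlates sit on each pool address (including pool addresses with none), and lists which pool addresses each inside host is currently using. The sample text is the `show xlate` output pasted in the post, re-used as a constructed input; the pool list is the six addresses from the `WSA-pool` object-group. The regular expression and function names are this example's own.

```python
"""Summarise ASA 'show xlate' output: dynamic PAT xlates per pool address and
the pool addresses each inside host is pinned to.

Added example, not from the original post or from Cisco. SAMPLE_XLATE is the
output pasted in the thread, reused here as a constructed input.
"""
import re
from collections import Counter, defaultdict

# Matches one dynamic PAT line, e.g.
#   UDP PAT from inside:10.248.0.1/11113 to outside:192.0.2.1/11113 flags ri idle 0:00:02 timeout 0:01:00
# Static / identity entries ("NAT from ... flags sIT") do not match and are skipped.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from "
    r"(?P<in_if>[\w-]+):(?P<in_ip>\d+\.\d+\.\d+\.\d+)/(?P<in_port>\d+) to "
    r"(?P<out_if>[\w-]+):(?P<out_ip>\d+\.\d+\.\d+\.\d+)/(?P<out_port>\d+) "
    r"flags (?P<flags>\S+)"
)

SAMPLE_XLATE = """\
6 in use, 4786 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:03:35 timeout 0:00:00
UDP PAT from inside:10.248.0.1/11113 to outside:192.0.2.1/11113 flags ri idle 0:00:02 timeout 0:01:00
UDP PAT from inside:10.248.0.1/11112 to outside:192.0.2.1/11112 flags ri idle 0:00:08 timeout 0:01:00
UDP PAT from inside:10.248.0.1/11111 to outside:192.0.2.1/11111 flags ri idle 0:00:51 timeout 0:01:00
UDP PAT from inside:10.248.0.3/33333 to outside:192.0.2.3/33333 flags ri idle 0:00:30 timeout 0:01:00
UDP PAT from inside:10.248.0.2/22222 to outside:192.0.2.2/22222 flags ri idle 0:00:38 timeout 0:01:00
"""

# The six pool addresses from the WSA-pool object-group in the post.
POOL = ["192.0.2.%d" % i for i in range(1, 7)]


def parse_xlates(text):
    """Return one dict per dynamic PAT xlate line; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def xlates_per_pool_ip(entries, pool):
    """Count PAT xlates on each pool address; unused pool addresses show 0."""
    counts = Counter(e["out_ip"] for e in entries)
    return {ip: counts.get(ip, 0) for ip in pool}


def pool_ips_per_inside_host(entries):
    """Map each inside host to the set of pool addresses its xlates use.

    Exactly one address per host, snapshot after snapshot, is the pinned
    ('sticky') pattern the thread describes: new connections from that host
    keep landing on the same pool address while it has live xlates.
    """
    seen = defaultdict(set)
    for e in entries:
        seen[e["in_ip"]].add(e["out_ip"])
    return dict(seen)


def report(text, pool):
    """Summarise a 'show xlate' dump against a known pool."""
    entries = parse_xlates(text)
    per_pool = xlates_per_pool_ip(entries, pool)
    return {
        "per_pool_ip": per_pool,
        "per_inside_host": pool_ips_per_inside_host(entries),
        "idle_pool_ips": [ip for ip, n in per_pool.items() if n == 0],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_XLATE, POOL).items():
        print(key, value)
```

On a real box, feed it the output of `show xlate` (or `show xlate | include PAT`) captured from the relevant context; the "idle_pool_ips" list is the quickest way to see whether round-robin is actually spreading load across the pool or, as in the post, whether three long-lived sources are occupying three addresses and leaving the rest idle.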

9 Replies

I send you message 

balaji.bandi
Hall of Fame

Personally, I do not think any major website thinks this is a DoS attack if this is legitimate traffic.

Are you sure this is blocked because it is assumed to be a DoS attack, or is it due to a TCP connection issue? WSA maximum goes up to 44K only; the rest is reserved.

How many users are we considering here?

You mentioned you have a dedicated IP for each WSA (so you have 6 public IPs to NAT?).

Why not NAT using a NAT pool for WSA traffic?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi 

See inline.

> Are you sure this is blocked because it is assumed to be a DoS attack, or is it due to a TCP connection issue? WSA maximum goes up to 44K only; the rest is reserved.

Yes.

> how many users we are considering here ?

100,000 or so. There are 12 WSA appliances, and each constantly has 25K active TCP connections / xlates passing through the ASA (with per-session PAT enabled).

> You mentioned you have dedicated IP for each WSA (so you have 6 Public IP to NAT ?)

12 currently, but we can allocate more

> why not NAT using NAT pool for WSA traffic

Can you elaborate?

 

If you have 12 WSAs as the source and a larger public IP pool, the example below should work with a wider IP range. What constraints do you see here?

object-group network WSA-real
 network-object host 10.248.0.1
 network-object host 10.248.0.2
 ----
 network-object host 10.248.0.12 (or more)

object network WSA-pool
 range 192.168.1.x 192.168.1.15

nat (inside,outside) source dynamic WSA-real WSA-pool

Another option, which we did for one ISP:

If you have more public IP addresses, make 4 pools of NAT ranges

and keep changing the NAT policy every week to a different public range.

Some references:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-basics.html#ID-2090-0000046a

https://netcraftsmen.com/dynamic-pat-cont-with-pools-flat-round-robin-and-extended-pat/

BB

With this configuration in place all WSAs will be translated to the same public IP address until 64K xlates are allocated. Only after that will the ASA move to the next pool IP address. So, when users open many connections to the same site, it will reject incoming connections earlier than with "round-robin". E.g. from the testbed:

object-group network WSA-real
 network-object host 10.248.0.1
 network-object host 10.248.0.2
 network-object host 10.248.0.3

object-group network WSA-pool
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object host 192.0.2.3
 network-object host 192.0.2.4
 network-object host 192.0.2.5
 network-object host 192.0.2.6

nat (inside,outside) source dynamic WSA-real WSA-pool

UDP PAT from inside:10.248.0.1/11111 to outside:192.0.2.1/11111 flags ri idle 0:00:50 timeout 0:01:00
UDP PAT from inside:10.248.0.3/11111 to outside:192.0.2.1/62425 flags ri idle 0:00:06 timeout 0:01:00
UDP PAT from inside:10.248.0.2/11111 to outside:192.0.2.1/39258 flags ri idle 0:00:27 timeout 0:01:00

 

You are right. I was reading my config and syntax again.

Have you tried this:

https://netcraftsmen.com/dynamic-pat-cont-with-pools-flat-round-robin-and-extended-pat/

BB

@balaji.bandi, thank you for the link. Unfortunately, this article doesn't help solve the problem we have.

 

Apologies that it did not help. What problem are you facing with the config? Is the IP still being blocked?

 

How many public IP addresses do you have? How do you know the people are blocking the IP because they think it is a DoS?

 

BB

Everything discussed in this article is well-known and I don't see how it can help. I started this thread with the "round-robin" option as the only candidate, but it doesn't help because of the PAT stickiness feature, which cannot be disabled on the ASA: so long as you have active PAT translations for an inside IP address x.x.x.x to pool IP y.y.y.y, the ASA always allocates new ports from the same pool IP y.y.y.y for new connections from x.x.x.x. It doesn't round-robin. Only when all translations for x.x.x.x expire does it move to the next pool IP z.z.z.z. In the case of WSA, the xlates never all expire: each of our WSAs has 25K active xlates on the ASA constantly.
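To make the two allocation behaviours compared in this thread concrete, here is a small Python model, added here and not ASA code or anything posted by the participants, of how a dynamic PAT pool hands out addresses under the two policies exactly as the thread describes them: "flat" fills the first pool address before touching the next, and "round-robin" advances through the pool per new inside host but stays pinned to one pool address while that host has live xlates. The per-address port budget (64512 usable ports), strict pool order for the rotation, the class and function names, and the simulated connection counts are all assumptions of this example; the WSA and pool addresses are the ones from the thread.

```python
"""Model of ASA dynamic PAT pool allocation under 'flat' and 'round-robin',
following the behaviour described in this thread.

Added example: a simplified model, not ASA code. Assumptions: a fixed usable
port budget per pool address and strict pool order for the rotation.
"""
from collections import Counter, defaultdict
from itertools import cycle

PORTS_PER_POOL_IP = 64512  # assumption: ports 1024-65535 usable on each pool address


class PatPool:
    """Hand out (pool address) for new connections from inside hosts."""

    def __init__(self, pool, policy="round-robin"):
        if policy not in ("flat", "round-robin"):
            raise ValueError("policy must be 'flat' or 'round-robin'")
        self.pool = list(pool)
        self.policy = policy
        self.used = Counter()              # pool ip -> ports currently in use
        self.live = defaultdict(Counter)   # inside ip -> {pool ip: live xlates}
        self._rotation = cycle(self.pool)  # round-robin pointer over the pool

    def allocate(self, inside_ip):
        """Return the pool address a new connection from inside_ip is PATed to."""
        if self.policy == "flat":
            # Flat: fill the first address completely before moving on.
            pool_ip = next((ip for ip in self.pool
                            if self.used[ip] < PORTS_PER_POOL_IP), None)
            if pool_ip is None:
                raise RuntimeError("PAT pool exhausted")
        else:
            pinned = self.live[inside_ip]
            if pinned:
                # Stickiness: this host still has live xlates on some pool
                # address, so new connections keep using that address.
                pool_ip = next(iter(pinned))
            else:
                # Only a host with no live xlates advances the rotation.
                pool_ip = next(self._rotation)
            if self.used[pool_ip] >= PORTS_PER_POOL_IP:
                # The thread describes no spill-over while pinned; treat as failure.
                raise RuntimeError(f"no free ports on {pool_ip} for {inside_ip}")
        self.used[pool_ip] += 1
        self.live[inside_ip][pool_ip] += 1
        return pool_ip

    def release(self, inside_ip, pool_ip, n=1):
        """Expire n xlates of inside_ip on pool_ip (idle timeout / session end)."""
        self.used[pool_ip] -= n
        self.live[inside_ip][pool_ip] -= n
        if self.live[inside_ip][pool_ip] <= 0:
            del self.live[inside_ip][pool_ip]  # host is no longer pinned there


def simulate(policy, inside_hosts, conns_per_host, pool):
    """Open conns_per_host connections from each host, interleaved, and return
    {pool ip: xlates} for the pool addresses that actually got used."""
    p = PatPool(pool, policy)
    for _ in range(conns_per_host):
        for host in inside_hosts:
            p.allocate(host)
    return {ip: p.used[ip] for ip in pool if p.used[ip]}


def addresses_seen_by_site(distribution):
    """Distinct public addresses a single destination site would see."""
    return len(distribution)


if __name__ == "__main__":
    wsas = ["10.248.0.1", "10.248.0.2", "10.248.0.3"]
    pool = ["192.0.2.%d" % i for i in range(1, 7)]
    for policy in ("flat", "round-robin"):
        dist = simulate(policy, wsas, 25_000, pool)
        print(policy, dist, "site sees", addresses_seen_by_site(dist), "address(es)")
```

Run as-is, the model reproduces both observations from the testbed output in this thread: under "flat" all three WSAs sit behind 192.0.2.1 until its port budget is gone, and under "round-robin" each WSA is pinned to its own single pool address and the remaining three addresses stay idle, because a host only moves on once every one of its xlates has expired.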