01-25-2013 02:54 AM - edited 03-11-2019 05:52 PM
Hi there.
I believe it's possible to mimic some of the functionality of PBR using NAT.
I've found this example which seems like it would logically work for the old NAT statements.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside1 0.0.0.0 0.0.0.0 193.168.1.1 2
nat (inside) 1 0 0
global (outside) 1 interface
global (outside1) 1 interface
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (outside1,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
Is this solution a valid workaround for the new NAT statements of 8.4 and above?
I've tried to get it working but without success so far.
What I would like to do is push web traffic via one ISP and SMTP via another, but so far when I check which IP I'm connecting as at the other end, I'm still coming from the default.
Has anyone made this work on 8.4 +?
Thanks.
Mike
01-25-2013 03:18 AM
Using the packet tracer I can see that the route-lookup is occurring first and it is not basing its decision on the destination NAT rule.
I thought that the route-lookup command needed to be run for this to happen, but I can confirm it has not been run....
01-25-2013 03:31 AM
Hi,
Not exactly what you are looking for but thought I'd still mention.
The only environment where I have actually successfully configured overlapping networks or "a type of PBR" with a single ASA is with an ASA that is only serving VPN Client connectivity.
I used 8.4(x) software and used NAT to determine the ingress and egress interface for traffic (as I knew both the source and destination of the traffic this was easy). It also seemed that setting the "Vlan value" under the Group-policy handled choosing the egress interface, as the VPN Client users' traffic was coming to the ASA from the tunnel.
After this it was only a matter of configuring routes with different metrics towards the subinterfaces.
This seemed to work just fine, but rather than manage such an environment with a nightmarish NAT and route configuration I'm still waiting for the decision on whether we are going to get a Cisco IOS device instead to handle this.
At the moment I'd rather use an IOS device to do any PBR if needed.
- Jouni
01-25-2013 03:43 AM
I've seen many examples of people saying they have this working using the old nat commands.
And indeed the CLI doc implies that if you have a NAT rule in place and specify an interface then it uses the NAT interface for egress automatically.
"If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead."
I'm pretty sure it can work, I'm just missing a command to skip the route-lookup first...
01-25-2013 03:59 AM
Hi,
This is from the 8.4(2) Release notes (had to check as there have been some changes all throughout the 8.4 software level in the minor updates).
According to the above, if you have 8.4(1) for example, "route-lookup" is always active. And from 8.4(2) onwards the default behaviour should be that "route-lookup" is disabled and NAT handles the ingress/egress decision.
What software level are you using? What kind of NAT configurations have you used to try this out?
Guess I might be able to try this out at home with my own ASA later. But until then I can't really say, as I haven't tried this or have not had the need for this functionality on an ASA.
- Jouni
01-25-2013 04:42 AM
It's actually 8.6 so I've been working on the above 8.4(1) logic...
As far as I can see route-lookup should not be used where a specific NAT is in place, but I can't get it to work that way.
01-25-2013 04:52 AM
Hi,
I'll let you know about the results if I get to test this out. Can you share any configurations and "packet-tracer" outputs on the things you have tried so far for me to compare to if I get to test this out?
Don't know if I will have time on the weekend, and next week I will be at Cisco Live! 2013 London.
- Jouni
01-25-2013 10:38 AM
If anyone else has any ideas on destination NAT to force traffic out of a particular outside interface regardless of routes... I keep seeing hints that it's possible but can't quite get it working...
01-26-2013 06:00 AM
Hi,
So I did a very simple test on my home ASA 5505 running 9.1(1) (Base License).
Here's my basic configuration.
Some notes
INTERFACES
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.10.2 255.255.255.0
!
interface Vlan10
description WAN
nameif WAN
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan20
no forward interface Vlan1
nameif WAN-SEC
security-level 50
ip address 10.10.234.1 255.255.255.0
ROUTES
route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1
route WAN-SEC 0.0.0.0 0.0.0.0 10.10.234.2 2
NAT OBJECTS
object service WWW
service tcp destination eq www
object service SMTP
service tcp destination eq smtp
NAT CONFIGURATIONS
nat (LAN,WAN) source dynamic any interface service WWW WWW
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
!
!
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface
PACKET-TRACER OUTPUT
WWW-TRAFFIC
ASA(config)# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
NAT divert to egress interface WAN
Untranslate 1.2.3.4/80 to 1.2.3.4/80
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
Dynamic translate 10.0.0.100/1025 to x.x.x.x/1025
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 112793, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
SMTP TRAFFIC
ASA# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
NAT divert to egress interface WAN-SEC
Untranslate 1.2.3.4/25 to 1.2.3.4/25
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
Dynamic translate 10.0.0.100/1025 to 10.10.234.1/1025
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 112797, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-SEC
output-status: up
output-line-status: up
Action: allow
This was the only setup where I could get the "packet-tracer" output to show what it's "supposed" to show when the traffic would leave through a different WAN interface.
Hopefully you can get something out of this. I won't be able to properly lab this unless I use equipment and WAN connections at my work. But that won't happen until maybe after a week or so.
Let me know if you have already tried this and it doesn't work. And also, if you haven't yet tried it, let me know whether it helped at all.
- Jouni
07-11-2013 01:20 PM
Thanks for the effort on this, it really helped to point me in the right direction. I tried it out and it was not working because even though it gets sent to the interface properly it looks for a route once it gets to that interface and fails. I was able to set the default route pointing out the WAN-SEC interface and then put the below routes pointing out the WAN interface.
route WAN 0.0.0.0 128.0.0.0 10.2.101.1 1
route WAN 128.0.0.0 128.0.0.0 10.2.101.1 1
Since they are more specific normal traffic flows out the WAN interface while the NAT'd traffic is sent out the other interface. I confirmed it is working using packet captures.
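To make the behaviour the last two posts describe concrete, here is an added model of the egress decision (constructed example, not Cisco code and not from anyone in this thread): a NAT rule with an interface pair fixes the egress interface first, then a route lookup restricted to that interface must still succeed, which is why the default route has to point out WAN-SEC while the two /1 routes keep everything else on WAN. The addresses are taken from the posts above (1.2.3.4 from the packet-tracer runs, 10.10.234.2 and 10.2.101.1 as next hops); the "route lookup restricted to the NAT egress interface" step is an assumption that matches what the posters observed, not a documented ASA internal.

```python
"""Model of the ASA egress decision discussed in the thread (constructed example,
not Cisco code): a NAT rule with an interface pair picks the egress interface
first, then a route lookup restricted to that interface must still succeed."""
import ipaddress

# Routing table from the final post (constructed from the posted routes).
ROUTES = [
    ("WAN-SEC", "0.0.0.0/0", "10.10.234.2"),   # default now points out WAN-SEC
    ("WAN", "0.0.0.0/1", "10.2.101.1"),        # two /1 routes: more specific than /0
    ("WAN", "128.0.0.0/1", "10.2.101.1"),
]

# Service-based NAT rules from Jouni's test: (ingress, egress, tcp dest port).
NAT_RULES = [
    ("LAN", "WAN", 80),
    ("LAN", "WAN-SEC", 25),
]

def route_lookup(dst, routes=ROUTES, iface=None):
    """Longest-prefix match; optionally restricted to one egress interface.
    Returns (interface, next_hop) or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, prefix, nh in routes:
        if iface is not None and name != iface:
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, nh)
    return None if best is None else (best[1], best[2])

def egress(ingress, dst, dport, routes=ROUTES, nat_rules=NAT_RULES):
    """Return the interface the flow leaves on, or None if it is dropped."""
    for rule_in, rule_out, port in nat_rules:
        if rule_in == ingress and port == dport:
            # NAT divert: egress is fixed by the rule, but a route out of that
            # interface is still required (the failure mode in the last post).
            hit = route_lookup(dst, routes, iface=rule_out)
            return rule_out if hit else None
    hit = route_lookup(dst, routes)          # no NAT match: plain routing
    return hit[0] if hit else None
```

Passing the original single default route via WAN as `routes` reproduces the failure the last post hit: SMTP is diverted to WAN-SEC but finds no route there and is dropped.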