Solved: Re: can we nat single ip to 2 different public ip's

mangesh.kamble · ‎09-16-2010

Dear All,

I have query regarding nat on firewall. I have 2 different provider pools and I have single FW. I want my servers to get natted to these public ip's on ASA. Is there any mechanism using which we can nat this single sever ip to 2 different provider ip address ranges ?

waiting for valuable comments.

Thanks and Regards,

Mangesh.

Marcin Latosiewicz · ‎09-16-2010

Mangesh,

Well there is no problem to do the actual NAT itself to two different interfaces, at least from configuration point of view. (either static or dynamic translations)

Problem is how do you organize the routing. There is no PBR on the ASA. How do you tell traffic to come out through one interface and not the other.

Unless you intend to have only specific destinations available via outside2 and outside1 being your default.

In theory ASA should do per src/dst load balancing of default routes, however I have not tried it out for default routes spread on two different interfaces, but I see no restriction in command reference.

I hope I'm not too cryptic, if there's something not clear let me know,

Marcin

View solution in original post

Marcin Latosiewicz · ‎09-16-2010

Mangesh,

If there is only one interface I would say "no".

The logic ASA is following is to NAT particular host on inside to a host on outside. Rather then logic of translating particular extarnal IP to an IP on inside - that's long story short ;-)

I'm also curious how routing would look like ;-)

Marcin

mangesh.kamble · ‎09-16-2010

Hi Marcin,

Thanks for your reply.

I understood your point so let me frame my question in better way to finalise this discussion.

I am having one inside interface on ASA and I have 2 outside interfaces named outside1 and outside2.

Lets say I have 192.168.10.0/28 subnet to be natted for outside internet access.

So now can I nat this subnet present on inside interface to outside1 and outside2 of single ASA.

Thanks and Regards,

Mangesh.

Marcin Latosiewicz · ‎09-16-2010

Mangesh,

Well there is no problem to do the actual NAT itself to two different interfaces, at least from configuration point of view. (either static or dynamic translations)

Problem is how do you organize the routing. There is no PBR on the ASA. How do you tell traffic to come out through one interface and not the other.

Unless you intend to have only specific destinations available via outside2 and outside1 being your default.

In theory ASA should do per src/dst load balancing of default routes, however I have not tried it out for default routes spread on two different interfaces, but I see no restriction in command reference.

I hope I'm not too cryptic, if there's something not clear let me know,

Marcin

Marcin Latosiewicz · ‎09-16-2010

Mangesh,

A correction on my side. I did a quick lab test - you cannot configure double default out differet interface.

You'll recive this error if you try:

ERROR: Cannot add route entry, conflict with existing routes

(you can still add the route but with a higher metric)

So your best guess is load-balancing per destination or just using another ISP as a fallback. Since ASA is not a load balancer there will always be problem to do this in a scalable way.

Marcin