Difference in Functionality between types of NAT

We are having an issue with intermittent slowness when accessing load balanced servers behind an F5. I was wondering if anyone could explain why when I use certain types of NAT, the issue is resolved. I've tried every type of NAT there is. When I use a one-to-one static NAT or a twice NAT with equal sized pools, the issue is resolved. Obviously, it is impossible for me to use equal sized pools once I move past my testing phase. Why does twice NAT work better than other types of NAT like object NAT? I'd like to understand the functionality between the two because it makes a difference when accessing the load balanced servers. Because my terminology may not be up to snuff, here's an example of what I understand to be twice NAT and then object NAT. Don't worry that I'm using two private pools. This is just an example.

This works:

object-group network NAT_Pool1
 network-object 10.14.24.0 255.255.255.0
object-group network NAT_Pool2
 network-object 10.17.90.0 255.255.255.0

nat (INSIDE,outside) 1 source static NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV

Object NAT doesn't resolve the issue:

object network NAT_Pool2
 range 10.17.90.0 10.17.91.255
nat (INSIDE,outside) 1 source dynamic NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV

3 Replies

mikael.lahtela
Level 4

Hi,

If you want to make an object NAT, I think you have an example here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1836418

Check the example for "Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)".
Not sure if you already have tried that or if this is what you want to accomplish.

br, Micke

Regardless of the terminology, the first example, static twice NAT with pools the same size, works. The second example, dynamic objects with ranges, provides bad performance with the load balanced servers.

I need to understand the functionality of each in relation to load balancing. For example, I know the first rule is basically the same as a static NAT. Although I didn't see any evidence of my tester using more than one IP address when configured with the second example, the performance became slow again. Is there a difference in the way the ports behave or do the connections die off sooner? If you can point me to more in-depth documentation or explain, I would appreciate it.

I know how to make the different NAT rules. My question is what is the difference in the functionality on the backend where the load balancing takes place. Why does either a static NAT pool or one-to-one NAT work better than the dynamic NAT rules in relation to the load balancing? I am unable to take packet captures on the backside of the F5 where I get any meaningful data or I would try to answer my own question. I did not get an answer to my question on this forum.
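Added illustration (not part of the thread, and not Cisco ASA or F5 code): a small Python model of the one functional difference between the two rule forms in the original post that a load balancer can observe, namely whether a given inside host always appears behind the same mapped address. The script parses the two NAT configurations from the post (cleaned-up copies, embedded as constructed input), reports the pool sizes and whether the rule is truly one-to-one, then replays a constructed timeline of flows from one client through each rule and through a load balancer that pins sessions by source address. The server names, the 3-hour idle timeout, the first-free allocation order and the hash-based persistence are all assumptions of the model; the thread itself does not establish that this is the cause of the slowness, so treat it as a way to reason about the question rather than as an answer.

```python
"""Model of how static one-to-one NAT and dynamic pool NAT differ in the
stability of the mapped source address, and what a load balancer that keys
persistence on that address sees.  Added illustration, not Cisco ASA code;
the allocation order and the 3-hour idle timeout are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample configs: cleaned-up copies of the thread's two rule forms.
STATIC_TWICE_NAT = """
object-group network NAT_Pool1
 network-object 10.14.24.0 255.255.255.0
object-group network NAT_Pool2
 network-object 10.17.90.0 255.255.255.0
nat (INSIDE,outside) 1 source static NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV
"""
DYNAMIC_NAT = """
object-group network NAT_Pool1
 network-object 10.14.24.0 255.255.255.0
object network NAT_Pool2
 range 10.17.90.0 10.17.91.255
nat (INSIDE,outside) 1 source dynamic NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV
"""
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) \d+ source (static|dynamic) (\S+) (\S+)")


def parse_objects(config):
    """Expand object-group/object network definitions into address lists."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)", line)
        if m:
            current = m.group(1)
            objects[current] = []
        elif current and (m := re.match(r"(?:network-object|subnet) (\S+) (\S+)", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            objects[current].extend(net)          # whole subnet, incl. .0 and .255
        elif current and (m := re.match(r"range (\S+) (\S+)", line)):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            objects[current].extend(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        elif current and (m := re.match(r"host (\S+)", line)):
            objects[current].append(ipaddress.ip_address(m.group(1)))
    return objects


def classify_rule(config):
    """Rule kind plus real/mapped pool sizes; one-to-one only for equal static pools."""
    objects = parse_objects(config)
    m = NAT_RE.search(config)
    if not m:
        raise ValueError("no 'nat ... source static|dynamic' rule found")
    kind, real, mapped = m.group(3), m.group(4), m.group(5)
    sizes = len(objects[real]), len(objects[mapped])
    return {"kind": kind, "real_pool": sizes[0], "mapped_pool": sizes[1],
            "one_to_one": kind == "static" and sizes[0] == sizes[1]}


@dataclass
class Translator:
    """Simplified xlate table.  static: fixed positional mapping, no state.
    dynamic: a pool address is taken when a host's xlate is created and
    returned to the pool when it idles out, so the next flow may get another."""
    kind: str
    real: list
    mapped: list
    idle_timeout: int = 3 * 3600     # assumption: 3 h idle timeout for dynamic xlates
    xlates: dict = field(default_factory=dict)   # real ip -> [mapped ip, last seen]
    free: list = field(default_factory=list)

    def __post_init__(self):
        self.free = list(self.mapped)

    def translate(self, real_ip, now):
        if self.kind == "static":
            return self.mapped[self.real.index(real_ip)]
        entry = self.xlates.get(real_ip)
        if entry and now - entry[1] < self.idle_timeout:
            entry[1] = now
            return entry[0]
        if entry:                      # idle xlate torn down; address goes back on the pool
            self.free.append(entry[0])
        if not self.free:
            raise RuntimeError("dynamic pool exhausted")
        mapped_ip = self.free.pop(0)   # assumption: first free address is handed out
        self.xlates[real_ip] = [mapped_ip, now]
        return mapped_ip


def pick_server(mapped_ip, servers):
    """Source-address persistence modelled as a hash of the mapped address (assumption)."""
    return servers[int(mapped_ip) % len(servers)]


def run_scenario(config, flows, servers=("web1", "web2", "web3")):
    """Return (time, real, mapped, server) for each flow in the constructed timeline."""
    objects = parse_objects(config)
    m = NAT_RE.search(config)
    nat = Translator(m.group(3), objects[m.group(4)], objects[m.group(5)])
    result = []
    for now, real in flows:
        mapped = nat.translate(ipaddress.ip_address(real), now)
        result.append((now, real, str(mapped), pick_server(mapped, servers)))
    return result


def servers_seen(config, flows):
    """Distinct (mapped address, server) pairs one client ends up with."""
    return {(m, s) for _, _, m, s in run_scenario(config, flows)}


# Constructed timeline: one client, two flows a minute apart, a third four hours later.
SAMPLE_FLOWS = [(0, "10.14.24.10"), (60, "10.14.24.10"), (4 * 3600, "10.14.24.10")]

if __name__ == "__main__":
    for name, cfg in (("static twice NAT", STATIC_TWICE_NAT), ("dynamic NAT", DYNAMIC_NAT)):
        print(name, classify_rule(cfg))
        for row in run_scenario(cfg, SAMPLE_FLOWS):
            print("  t=%6d  %s -> %s  persisted to %s" % row)
```

Under the static rule the client is always 10.17.90.10 to the load balancer and always lands on the same server; under the dynamic rule the same client comes back on a different pool address once its xlate has idled out, so a persistence table keyed on source address sends it elsewhere. If that kind of behaviour is suspected in a real deployment, the places to check are the translation table and its timeouts on the firewall and the persistence records on the load balancer, rather than packet captures behind the F5.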
