10-24-2017 08:04 AM - edited 02-21-2020 06:33 AM
We are having an issue with intermittent slowness when accessing load balanced servers behind an F5. I was wondering if anyone could explain why when I use certain types of NAT, the issue is resolved. I've tried every type of NAT there is. When I use a one-to-one static NAT or a twice NAT with equal sized pools, the issue is resolved. Obviously, it is impossible for me to use equal sized pools once I move past my testing phase. Why does twice NAT work better than other types of NAT like object NAT? I'd like to understand the functionality between the two because it makes a difference when accessing the load balanced servers. Because my terminology may not be up to snuff, here's an example of what I understand to be twice NAT and then object NAT. Don't worry that I'm using two private pools. This is just an example.
This works:
object-group network NAT_Pool1
network-object 10.14.24.0 255.255.255.0
object-group network NAT_Pool2
network-object 10.17.90.0 255.255.255.0
nat (INSIDE,outside) 1 source static NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV
Object NAT doesn't resolve the issue:
object network NAT_Pool2
range 10.17.90.0 10.17.91.255
nat (INSIDE,outside) 1 source dynamic NAT_Pool1 NAT_Pool2 destination static Load_Balanced_SRV Load_Balanced_SRV
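Added example, not from this thread or from Cisco: a small Python model of the ASA translation (xlate) table that contrasts the NAT types compared in the post. It reports the two properties the load balancer behind the firewall actually sees, whether a client's mapped source address stays the same after its xlate times out and how many clients end up sharing one mapped address, for one-to-one static NAT with equal-sized pools versus a dynamic pool with and without PAT fallback. The pool prefixes, client addresses and PAT address are constructed values.

```python
from collections import Counter
from ipaddress import IPv4Network


def hosts(cidr):
    """Usable host addresses of a prefix, in order (constructed pools below)."""
    return [str(h) for h in IPv4Network(cidr).hosts()]


class StaticNat:
    """One-to-one static NAT with equal-sized pools: the mapped address is a
    fixed function of the real address and never changes."""
    def __init__(self, real_cidr, mapped_cidr):
        self.table = dict(zip(hosts(real_cidr), hosts(mapped_cidr)))

    def translate(self, real_ip):
        return self.table[real_ip]

    def expire(self, real_ip):
        pass  # nothing to time out: the mapping is static


class DynamicNat:
    """Dynamic NAT: a pool address is taken on first use and held in an xlate
    until it times out. On pool exhaustion, fall back to PAT on one shared
    address if one is configured; otherwise the new connection fails."""
    def __init__(self, mapped_cidr, pat_ip=None):
        self.free, self.xlate, self.pat_ip = hosts(mapped_cidr), {}, pat_ip

    def translate(self, real_ip):
        if real_ip not in self.xlate:
            if self.free:
                self.xlate[real_ip] = self.free.pop(0)
            elif self.pat_ip:
                return self.pat_ip  # many-to-one: clients share one mapped IP
            else:
                return None  # no free mapped address: connection dropped
        return self.xlate[real_ip]

    def expire(self, real_ip):
        self.free.append(self.xlate.pop(real_ip))  # xlate timeout


def observe(nat, clients):
    """Return (clients whose mapped address changed after the first client's
    xlate timed out, max number of clients sharing one mapped address)."""
    first = {c: nat.translate(c) for c in clients}
    nat.expire(clients[0])  # first client goes idle; its xlate ages out
    second = {c: nat.translate(c) for c in clients}
    changed = [c for c in clients if first[c] != second[c]]
    sharing = max(Counter(v for v in second.values() if v).values())
    return changed, sharing
```

With a static rule every client keeps one unique mapped address; with a dynamic pool a client can come back from a timeout on a different address, and once the pool is exhausted several clients share the PAT address, so a load balancer that keys persistence on source address treats them as one client.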
10-24-2017 01:16 PM - edited 10-24-2017 01:20 PM
Hi,
If you want to make an Object NAT, I think you have an example here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1836418
Check the example for "Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)".
Not sure if you already have tried that or if this is what you want to accomplish.
br, Micke
11-01-2017 06:10 AM
I know how to make the different NAT rules. My question is what is the difference in the functionality on the backend where the load balancing takes place. Why does either a static NAT pool or 1 to 1 NAT work better than the dynamic NAT rules in relation to the load balancing? I am unable to take packet captures on the backside of the F5 where I get any meaningful data or I would try to answer my own question. I did not get an answer to my question on this forum.