Help with Slow access or NAT to Inside Interface on ASA 9.1

PNI-ITRNP
Level 1

I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.

In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through. The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.

Now, to give you some further history: the gateway of last resort is an ASA running 9.1 (now); prior to that it was a PIX with v8.0(4). Traffic to the aforementioned web server came in through the gateway of last resort, which at the time was the PIX.

However, for some reason, after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it's the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.

So, two questions. One, I would like to use the configuration I have for the web server on the PIX on the ASA, to see if that setup on the ASA works better, but I am having difficulty translating the rules to the ASA.

Second question: has anyone experienced this type of issue (slow access with the ASA to a web server, but fast with the PIX to the same web server)?

Attached is a diagram of what I am currently doing.

Any help is appreciated.

Thanks.

P.S. Addresses in the attached picture/config are not real, but I know what they translate to.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

To me it would seem that you are looking for a NAT configuration something like this:

object network SERVER-PUBLIC
 host 197.162.127.6
object network SERVER-LOCAL
 host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL

It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process, as this configuration handles 2 translations.

I don't know if this changes the situation at all, but it should be the configuration format to handle the translation of an external host to the internal interface IP address and only apply when this single public IP address is concerned.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.

Ask more if needed

- Jouni



You are the man, this worked like a charm. Major kudos go to you for a quick reply and working solution!

Because this worked, now I have to move on to the next part of my question…

If I use a one-to-one translation in the ASA, access to this web server is slow. Now the kicker is, I have other web servers on the ASA using one-to-one NAT translations and they work fine; access is quick.

Why would access via the one-to-one NAT translation be slow, while NATing to the inside interface fast, especially when both are going to the same host?

Hi,

In general I have had no such problems myself. And I can't really say what the reason might be.

Usually the problem with NAT is that it doesn't work in any way.

Some problems sometimes relate more to the hosts and their applications, which don't like NAT or a particular type of NAT. For example, some applications really hate when multiple hosts use a single PAT IP address, that is, the one IP that the server sees, compared to for example a NAT Pool which allocates its own IP address for each real IP.

This starts to sound like something that might be good to check with a traffic capture. Of course it's a completely different thing whether they tell us anything.

By the way, I am not sure if I have missed anything about your network setup at the moment. Are you saying that the server we did the "special" NAT for uses another device as its default gateway BUT the rest of the servers use this firewall (with the "special" NAT) as their gateway? Wouldn't they otherwise need the same type of NAT configuration to forward traffic correctly?

- Jouni
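As an added illustration (not code from the thread, from Cisco or from the ASA), the following Python model walks one HTTP request through the twice-NAT rule in the accepted answer and through a plain one-to-one destination NAT, so the two effects discussed above can be seen side by side: why the reply comes back through the firewall the request entered (the server now answers to an on-link inside address instead of sending the reply to its default gateway, the other firewall), and Jouni's caveat that with a PAT to the inside interface the server sees every client as that one address. The server addresses 197.162.127.6 and 10.0.1.25 are taken from the accepted answer; the inside interface address 10.0.1.1, the default gateway 10.0.1.254, the 10.0.1.0/24 subnet and the client addresses are constructed for the example. It models only the return path, not the slowness the original poster reports, which the thread does not explain.

```python
# Added example (not code from the thread, Cisco or the ASA): a toy model of
# the "source dynamic any interface destination static" twice-NAT rule from
# the accepted answer and of the return-path problem it solves.
import ipaddress
from dataclasses import dataclass

SERVER_PUBLIC = "197.162.127.6"      # object network SERVER-PUBLIC (from the thread)
SERVER_LOCAL = "10.0.1.25"           # object network SERVER-LOCAL  (from the thread)
INSIDE_IF = "10.0.1.1"               # assumed: ingress firewall's "inside" interface address
DEFAULT_GW = "10.0.1.254"            # assumed: the other firewall, the server's default gateway
INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed inside subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class IngressFirewall:
    """The firewall the client's request arrives at. With pat_to_interface=True
    it behaves like the twice-NAT rule in the accepted answer; with False it
    only does the one-to-one destination NAT."""

    def __init__(self, pat_to_interface: bool):
        self.pat_to_interface = pat_to_interface
        self.xlates = {}          # (inside-side src ip, port) -> (real client ip, port)
        self.next_pat_port = 1024

    def inbound(self, pkt: Packet):
        """outside -> inside: untranslate SERVER-PUBLIC to SERVER-LOCAL and, if
        enabled, rewrite the source to the inside interface address (dynamic PAT)."""
        if pkt.dst != SERVER_PUBLIC:
            return None                      # rule only matches this destination
        if self.pat_to_interface:
            src, sport = INSIDE_IF, self.next_pat_port
            self.next_pat_port += 1
        else:
            src, sport = pkt.src, pkt.sport
        self.xlates[(src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, SERVER_LOCAL, pkt.dport)

    def outbound(self, pkt: Packet):
        """inside -> outside: reverse both translations using the stored xlate."""
        real = self.xlates.get((pkt.dst, pkt.dport))
        if real is None:
            return None                      # no state for this flow: dropped
        return Packet(SERVER_PUBLIC, pkt.sport, real[0], real[1])


def server_reply(pkt: Packet):
    """The web server swaps the tuple and picks a next hop: on-link inside
    addresses are reached directly, everything else goes to its default gateway."""
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    on_link = ipaddress.ip_address(reply.dst) in INSIDE_NET
    return reply, (reply.dst if on_link else DEFAULT_GW)


@dataclass(frozen=True)
class Outcome:
    client: str
    seen_by_server: str   # source address the server logs for this client
    reply_next_hop: str
    delivered: bool       # did the reply come back through the ingress firewall


def simulate(pat_to_interface: bool, clients):
    """One HTTP request per client through the ingress firewall."""
    fw = IngressFirewall(pat_to_interface)
    outcomes = []
    for client in clients:
        at_server = fw.inbound(Packet(client, 40000, SERVER_PUBLIC, 80))
        reply, next_hop = server_reply(at_server)
        if next_hop == INSIDE_IF:
            back = fw.outbound(reply)
            delivered = back is not None and back.dst == client
        else:
            # The reply leaves via the other firewall, which holds no xlate for
            # this flow, so it never returns to the client through the ingress path.
            delivered = False
        outcomes.append(Outcome(client, at_server.src, next_hop, delivered))
    return outcomes


if __name__ == "__main__":
    clients = ["203.0.113.10", "198.51.100.7"]     # constructed client addresses
    for mode in (False, True):
        print("PAT to inside interface:", mode)
        for o in simulate(mode, clients):
            print(f"  {o.client:>14} seen as {o.seen_by_server:<14} "
                  f"next hop {o.reply_next_hop:<12} delivered={o.delivered}")
```

Running it shows the trade-off in one screen: with the twice-NAT rule every reply's next hop is the ingress firewall's inside address and every client is delivered, but the server's logs show only 10.0.1.1 as the client address, which is exactly the "many hosts behind one PAT IP" situation Jouni points at; with the one-to-one NAT alone the server keeps the real client address but hands the reply to its default gateway, where the ingress firewall's state is not available.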

Yes, those hosts would. However, this was a quick test to verify the configuration worked. If I were to leave that NAT rule in, I would have issues with the other hosts. As a quick test to the server, access externally to the server was fast; after the test was completed the rule was removed, but documented so that I don't forget it.

This test tells me this configuration would work to resolve the speed issue but doesn’t tell me why it is slow with just a one-to-one translation.
