06-02-2015 01:35 AM - edited 03-11-2019 11:02 PM
Hi
I am migrating from Watchguard firewalls to ASA 5525x. I have a question around migrating NAT. The new firewalls are sitting alongside the existing watchguard firewalls connected to the same external switch.
So am I right in thinking that I can configure a NAT with the object etc. on the new firewall and remove it on the existing firewall to test that the NAT works on the new firewalls? Is it necessary to remove it on the existing firewall when configuring it on the new one?
The existing firewalls are in production so I am thinking in terms of downtime etc.
Thanks
06-02-2015 01:31 PM
It depends on the NAT.
If you are using static NAT statements from the same IP subnet as your outside interface IP then for ASA firewalls at least they use proxy arp to respond to arp requests from the ISP router.
If the Watchguard works on the same principle (and I don't know whether it does or not) then you cannot have them both responsible for the same IP as they will both respond to the arp and it is a lottery as to which one wins.
The additional problem with the above is the ISP router will have an arp entry in its cache for that IP. If you move it to the new ASA then you would either -
1) have to tell the ISP to clear that entry from their router's arp cache
or
2) wait until it times out before it will work.
All of the above applies to IPs from the same IP subnet as the outside interface IP but not the outside interface IP because that will probably be used for dynamic PAT for users accessing the internet so the ISP's arp cache is constantly updating.
If the IPs are from a different network altogether and none of the IPs are assigned to any interfaces on the firewall then presumably the ISP will have a route for that subnet pointing to the outside IP of the existing firewall so this may need updating but then you would need to move the whole subnet at once really.
The final possibility is if the IPs are from a different network ie. not assigned to any interfaces but the ISP relies on proxy arp again to resolve them.
Same issues with arp cache as before and with the ASA you may also need to allow proxy arp for non connected networks.
Difficult to be precise without knowing exactly what you are using.
Jon
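As an added illustration of the proxy-ARP behaviour Jon describes (this is not configuration from the thread or from either poster), the following ASA 9.x snippet shows a static object NAT for a public IP in the outside subnet, the `no-proxy-arp` keyword that keeps the ASA from answering ARP for that IP until the change window, the `arp permit-nonconnected` setting needed for mapped IPs outside any connected subnet, and the show commands used to verify the result. Interface names, object names and all addresses are placeholders (RFC 5737 documentation ranges).

```cisco
! Added example, not from the original thread. Placeholder addressing:
! outside 203.0.113.2/24 (ISP router 203.0.113.1), inside 10.1.1.0/24.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Staging: publish 10.1.1.10 as 203.0.113.10, which sits in the outside
! subnet. Without "no-proxy-arp" the ASA would start answering ARP for
! 203.0.113.10 immediately, competing with the firewall still in production.
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 no-proxy-arp
!
! Change window: after the mapping is removed from the old firewall, re-enter
! the nat line without the keyword (an object holds one NAT rule, so this
! replaces the staged one) and the ASA begins responding to ARP for the IP.
object network WEB_SERVER
 nat (inside,outside) static 203.0.113.10
!
! Interface-wide alternative: disable proxy ARP on the outside interface
! entirely (then only the interface's own IP is answered).
! sysopt noproxyarp outside
!
! Mapped IPs from a subnet that is NOT configured on any ASA interface are
! only proxy-ARPed if this is enabled; otherwise the ISP must route the
! block to the outside interface IP instead.
arp permit-nonconnected
!
! Verification after cutover. The ISP router's own ARP entry for
! 203.0.113.10 is outside your control and still has to age out or be cleared.
show nat detail
show xlate
show arp
```

The staged object keeps the new firewall silent on ARP, which removes the "lottery" between two responders; what remains is the upstream router's stale cache entry, which is why the cutover still needs a change window.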
06-03-2015 12:57 AM
You can't run two devices with same IP address.
You either remove the Watchguard or assign a new IP address.
06-03-2015 01:43 AM
Thanks for the response guys and great explanation by Jon. I have to pick a change window to move the NATs I suppose.