Moving NATs from firewalls

Mokhalil82
Level 4

Hi

I am migrating from Watchguard firewalls to ASA 5525x. I have a question around migrating NAT. The new firewalls are sitting alongside the existing watchguard firewalls connected to the same external switch. 

So am I right in thinking that I can configure a NAT with the object etc. on the new firewall and remove it on the existing firewall to test that the NAT works on the new firewalls? Is it necessary to remove it on the existing firewall when configuring it on the new one?

The existing firewalls are in production so I am thinking in terms of downtime etc.


Thanks

Accepted Solution

Jon Marshall
Hall of Fame

It depends on the NAT.

If you are using static NAT statements from the same IP subnet as your outside interface IP then for ASA firewalls at least they use proxy arp to respond to arp requests from the ISP router.

If the Watchguard works on the same principle (and I don't know whether it does or not) then you cannot have them both responsible for the same IP as they will both respond to the arp and it is a lottery as to which one wins.

The additional problem with the above is the ISP router will have an arp entry in its cache for that IP. If you move it to the new ASA then you would either -

1) have to tell the ISP to clear that entry from their router's arp cache

or

2) wait until it times out before it will work.

All of the above applies to IPs from the same IP subnet as the outside interface IP, but not the outside interface IP itself, because that will probably be used for dynamic PAT for users accessing the internet, so the ISP's arp cache is constantly updating.

If the IPs are from a different network altogether and none of the IPs are assigned to any interfaces on the firewall, then presumably the ISP will have a route for that subnet pointing to the outside IP of the existing firewall, so this may need updating, but then you would need to move the whole subnet at once really.

The final possibility is if the IPs are from a different network, i.e. not assigned to any interfaces, but the ISP relies on proxy arp again to resolve them.

Same issues with arp cache as before and with the ASA you may also need to allow proxy arp for non connected networks.

Difficult to be precise without knowing exactly what you are using.

Jon

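As a worked example added by the editor (it is not part of any reply in this thread), here is one way to stage the move on ASA 8.3+/9.x object NAT so that the two firewalls never compete for the same public IP: pre-configure the static NAT on the ASA with proxy ARP disabled for the mapped address, then enable proxy ARP in the change window after the WatchGuard entry is removed. Every address, object name, ACL name and interface name below is an assumption (RFC 5737 documentation ranges); the ISP-side command assumes the ISP router runs Cisco IOS.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside server 10.1.1.10, public NAT IP 203.0.113.10,
!   ASA outside 203.0.113.2/24, ISP router 203.0.113.1
!
! Step 1 - pre-stage the translation with proxy ARP off for the mapped IP.
! The NAT is fully configured, but the ASA will not answer ARP for
! 203.0.113.10, so it does not contend with the WatchGuard for the address
! and production traffic keeps flowing through the old firewall.
object network SRV-WEB-INSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 no-proxy-arp
!
! Inbound traffic must also be permitted on the outside ACL. On 8.3+ the
! ACL matches the real (inside) address, not the mapped one.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB-INSIDE eq 443
access-group OUTSIDE-IN in interface outside
!
! Step 2 - in the change window: delete the NAT on the WatchGuard first, then
! re-enter the nat line without the keyword. An object holds only one nat
! command, so re-entering it replaces the staged one and the ASA starts
! proxy-ARPing for 203.0.113.10.
object network SRV-WEB-INSIDE
 nat (inside,outside) static 203.0.113.10
!
! Step 3 - verify on the ASA.
! translate_hits / untranslate_hits on the static rule should start climbing:
show nat detail
! the static xlate 10.1.1.10 <-> 203.0.113.10 should be present:
show xlate
! the ISP router should be resolved on the outside interface:
show arp
! simulate an inbound connection from a constructed Internet host:
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
!
! If the ISP router still holds the WatchGuard's MAC for 203.0.113.10,
! inbound traffic keeps landing on the old firewall until that ARP entry
! ages out (4 hours by default on Cisco IOS). Ask the ISP to flush it, e.g.
! on an IOS router:
!   clear ip arp 203.0.113.10
!
! Only for the last case in the answer above: mapped IPs that are NOT in the
! outside interface subnet, where the ISP still relies on proxy ARP. The ASA
! will not proxy-ARP for non-connected addresses unless this is enabled:
arp permit-nonconnected
```

The staged-with-`no-proxy-arp` step is what lets the NAT be built and reviewed on the ASA ahead of time without downtime; the only action left for the window is removing the WatchGuard entry and dropping the keyword, and the stale ISP ARP entry is the one piece the ASA cannot fix by itself.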

3 Replies


Rejohn Cuares
Level 4

You can't run two devices with the same IP address.

You either remove the Watchguard or assign a new IP address.

Please rate replies and mark question as "answered" if applicable.

Mokhalil82
Level 4

Thanks for the response guys and great explanation by Jon. I have to pick a change window to move the NATs I suppose.
