MS NLB with ASA and Static NAT from PUP to NLB IP

Chris Ivy
Level 1

Hi all,

I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.

ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.

I have two VMs running on two different ESXi hosts.  They have two vNICs.  One for management and one for the inside public subnet.  The inside public subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to an outside public IP.

192.168.0.50 is the 1st VM

192.168.0.51 is the 2nd VM

192.168.0.52 is the cluster IP for heartbeat

192.168.0.53 is the cluster IP for NLB traffic.

0100.5e7f.0035 is the cluster MAC.

The NLB cluster is using MULTICAST

I have read the documentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.

For the ASA I found

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249

ASDM

Configuration > Device Management > Advanced > ARP > ARP Static Table

I was able to add my static ARP just fine.

However, the next step was to enable ARP inspection.

Configuration > Device Management > Advanced > ARP > ARP Inspection

My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.

For the CAT Switch I found

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

I added both the ARP and static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.

On the ASA I added a static NAT for my outside public IP to my inside public NLB IP and vice versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic for testing purposes.

At any rate the MS NLB is working ok. I can ping both the public IP and the inside NLB IP just fine from the outside. (I can ping the inside NLB IP because I'm on a VPN with access to my inside subnets.)  The problem is when I go to access a webpage from my NLB servers using the DNS name or the public IP I get a "This Page Can't Be Displayed" message.  Now while on the VPN if I use the same URL but instead use the NLB IP and not the public IP it works fine.

So I think there is something wrong with the NATing of the public IP to the NLB IP even though I can ping it fine.  Below is my ASA config. I have bolded the parts of interest.

Result of the command: "show run"

: Saved
:
ASA Version 8.4(4)9
!
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.XX.XX.82 255.255.255.240
!
interface Ethernet0/1
 description Root Inside Interface No Vlan
 speed 1000
 duplex full
 nameif Port-1-GI-Inside-Native
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1.2
 description Managment LAN 1 for Inside Networks
 vlan 2
 nameif MGMT-1
 security-level 100
 ip address 192.168.180.1 255.255.255.0
!
interface Ethernet0/1.3
 description Managment LAN 2 for Inside Networks
 vlan 3
 nameif MGMT-2
 security-level 100
 ip address 192.168.181.1 255.255.255.0
!
interface Ethernet0/1.100
 description Development Pubilc Network 1
 vlan 100
 nameif DEV-PUB-1
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.101
 description Development Pubilc Network 2
 vlan 101
 nameif DEV-PUB-2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.102
 description Suncor Pubilc Network 1
 vlan 102
 nameif SUNCOR-PUB-1
 security-level 49
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/1.103
 description Suncor Pubilc Network 2
 vlan 103
 nameif SUNCOR-PUB-2
 security-level 49
 ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
 subnet 10.1.1.0 255.255.255.0
 description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
 host 198.XX.XX.82
 description The primary IP of the ASA
object network Inside-Native-Network
 subnet 10.1.1.0 255.255.255.0
 description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
 subnet 192.168.100.0 255.255.255.0
 description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
 subnet 192.168.0.0 255.255.255.0
 description DEV-PUP-1 Network
object network DEV-PUP-2-Network
 subnet 192.168.2.0 255.255.255.0
 description DEV-PUP-2 Network
object network MGMT-1-Network
 subnet 192.168.180.0 255.255.255.0
 description MGMT-1 Network
object network MGMT-2-Network
 subnet 192.168.181.0 255.255.255.0
 description MGMT-2 Network
object network SUNCOR-PUP-1-Network
 subnet 192.168.3.0 255.255.255.0
 description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
 subnet 192.168.4.0 255.255.255.0
 description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
 subnet 192.168.0.0 255.255.255.0
 description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
 subnet 192.168.2.0 255.255.255.0
 description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
 subnet 192.168.180.0 255.255.255.0
 description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
 subnet 192.168.181.0 255.255.255.0
 description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
 subnet 192.168.3.0 255.255.255.0
 description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
 subnet 192.168.4.0 255.255.255.0
 description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
 host 198.XX.XX.XX
 description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
 host 192.168.2.120
 description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
 host 198.XX.XX.XX
 description DEV-APP-2 Public Server IP
object network DEV-SQL-1
 host 192.168.0.110
 description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
 host 192.168.2.110
 description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
 host 198.XX.XX.XX
 description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
 host 192.168.4.120
 description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
 host 198.XX.XX.XX
 description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
 host 192.168.3.110
 description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
 host 192.168.4.110
 description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
 host 192.168.0.120
 description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
 host 192.168.3.120
 description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
 subnet 192.168.1.0 255.255.255.0
 description PDX-LAN for S2S VPN
object network PDX-Sonicwall
 host XX.XX.XX.XX
object network LOGI-NLB--SNAT
 host 192.168.0.53
 description Logi NLB with SNAT
object network LOGI-PUP-IP
 host 198.XX.XX.87
 description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
 host 192.168.0.53
 description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
 host 198.XX.XX.87
 description LOGI Pup with SNAT to NLB
object-group network vpn-inside
 description All inside accessible networks
object-group network VPN-Inside-Networks
 description All Inside Nets for Remote VPN Access
 network-object object Inside-Native-Network
 network-object object DEV-PUP-1-Network
 network-object object DEV-PUP-2-Network
 network-object object MGMT-1-Network
 network-object object MGMT-2-Network
 network-object object SUNCOR-PUP-1-Network
 network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
!
object network Inside-Native-Network-PNAT
 nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
 nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
 nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
 nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
 nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
 nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
 nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
 nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
 nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
 nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
 nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
 nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
 nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
 nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end

Any help would be great! I think the issue is in the NAT as I am able to access the NLB IP from the outside and could not do that before adding the static ARP stuff.

Thanks,

Chris

2 Replies

Chris Ivy
Level 1

Also, if I change the NAT from the public IP to the NLB IP to use either one of the physical IPs of the NLB cluster (192.168.0.50 or .51), it works fine when using the public IP.  So it's definitely an issue when NATing the VIP of the NLB cluster.

Chris

Well I fixed it.  The issue was with the NLB method. It was set to ICMP-Multicast.  I changed it to Multicast and updated the static ARP to the new MAC and everything is fine.
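The fix above comes down to one check: the MAC in the ASA's static ARP entry must be the one NLB actually derives for the cluster IP in the mode the cluster is running, otherwise NATed traffic is forwarded to a MAC nobody answers. The script below is an added example, not code from the thread or from Cisco or Microsoft; it derives the cluster MAC for each of the three NLB modes from the cluster IP (Microsoft's documented 02-BF / 03-BF / 01-00-5E-7F prefixes), reports which mode a given static-ARP MAC corresponds to, and builds the matching ASA `arp` line. The interface name DEV-PUB-1, the VIP 192.168.0.53 and the MAC 0100.5e7f.0035 are the thread's own; the function names are assumptions.

```python
import ipaddress

# Microsoft NLB derives the cluster MAC from the cluster IP; the prefix depends on the mode.
_PREFIX = {
    "unicast": bytes([0x02, 0xBF]),                      # 02-BF-w-x-y-z (all four IP octets)
    "multicast": bytes([0x03, 0xBF]),                    # 03-BF-w-x-y-z (all four IP octets)
    "igmp-multicast": bytes([0x01, 0x00, 0x5E, 0x7F]),   # 01-00-5E-7F-y-z (last two IP octets)
}


def _dotted(raw: bytes) -> str:
    """Render six MAC bytes in Cisco hhhh.hhhh.hhhh form, as the ASA 'arp' command wants."""
    hexstr = raw.hex()
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Return the MAC NLB uses for cluster_ip in the given mode (Cisco dotted form)."""
    octets = ipaddress.IPv4Address(cluster_ip).packed
    tail = octets[2:] if mode == "igmp-multicast" else octets
    return _dotted(_PREFIX[mode] + tail)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return Cisco dotted form."""
    hexstr = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexstr) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return _dotted(bytes.fromhex(hexstr))


def nlb_mode_for_arp_entry(cluster_ip: str, mac: str):
    """Return the NLB mode whose derived MAC equals the static-ARP MAC, or None.

    None means the ARP/MAC entry belongs to a mode the cluster is not running, so
    frames the ASA forwards to that MAC never reach the cluster (the mismatch in this thread).
    """
    wanted = normalize_mac(mac)
    for mode in _PREFIX:
        if nlb_cluster_mac(cluster_ip, mode) == wanted:
            return mode
    return None


def asa_static_arp(ifname: str, cluster_ip: str, mode: str) -> str:
    """Build the ASA static ARP line for the cluster, e.g. 'arp DEV-PUB-1 192.168.0.53 ... alias'."""
    return f"arp {ifname} {cluster_ip} {nlb_cluster_mac(cluster_ip, mode)} alias"


if __name__ == "__main__":
    ip, mac_in_config = "192.168.0.53", "0100.5e7f.0035"   # values from the thread
    print("configured MAC belongs to NLB mode:", nlb_mode_for_arp_entry(ip, mac_in_config))
    for mode in _PREFIX:
        print(asa_static_arp("DEV-PUB-1", ip, mode))
```

For the thread's values the configured MAC maps to IGMP multicast mode, while plain multicast mode needs 03bf.c0a8.0035, which is why switching the cluster mode required a new static ARP entry.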
