We've run into a bit of a pickle and looking for possible solutions to our issue. We run 8.4 which has the NAT dirvert functionality. Below is what were trying to accomplish.
Cisco ASA 5585-60 (8.4)
3 total interfaces
Inbound Interface App_LAN (Apps reside here)
Outbound Interface #1 Inter_DC_Path (Customer servers sit behind this interface)
Outbound Interface #2 Inside_Core (Customer servers sit behind this interface)
We have App servers that need to talk to our customer servers behind both interfaces (InterDC and Inside Core). The customer servers are in the network range of 192.168.0.0/16 and they are split between both interfaces. So Customer A might be on IP 192.168.11.1 behind the Inter_DC_Path and Customer B might be on IP 192.168.12.1 behind the Inside Core interface on the ASA.
Our App servers need to hide behind NAT due to routing restrictions to our customers. Also, the customer IP's are not contiguous so I can't break apart the 192.168.0.0/16 very easily between Inter_DC_Path and Inside Core.
So routing might look like this on the ASA Firewall
route Inter_DC_Path 192.168.11.1 255.255.255.255 172.19.249.254
route Inside_Core 192.168.12.1 255.255.255.255 172.28.222.254
I am looking to put NAT statements that say
Source: Appservers 10.10.10.1 and 10.10.10.2 (behind App_LAN)
Destination: 192.168.0.0 255.255.0.0 (Either egress Inter_DC_Path or Inside Core)
NAT To 172.28.220.2
The issue is that since the destination is 192.168.0.0/16 NAT Divert will send traffic out the wrong interface correct? Is there a way to turn off the NAT direct and allow us to NAT to the 192.168.0.0/16 and allow the firewall routing table to be consulted for egress??
First of all you have 2 servers 10.10.10.1 and 10.10.10.2 which you want to NAT with single public ip 172.28.220.2 , which is not possible unless both the servers are listening on different port (if they listen on different ports we could go ahead and configure port forwarding ) otherwise single public ip could not be statically natted to 2 internal ip's.
- Prateek Verma
While I appreciate the feedback this is not the case. The app servers will be initiating the connection so ports are not a factor here. Sorry if my post seemed confusing there.
Please correct if I am wrong but as I understand it you have no overlap in the actual destination addresses between the 2 interfaces? Only that the the larger network 192.168.0.0/16 is split between the 2 interface with varying size "chuncks" of the whole network?
To my understanding in this situation you would not have to mention the destination address/subnet in the NAT configuration at all and your "route" commands would handle forwarding the traffic where it needs to be forwarded.
On the other hand if same APP servers need different translations towards different customers then I can see your problem. Though in that case I would simply suggest avoid configuring the NAT destination network with such a large network mask. You should then clearly specify the destination hosts which need to be forwarded to each of the interfaces.
The only situation where you can issue the "route-lookup" command to check the routing table seems to be with Static Identity NAT and therefore wouldnt apply to your situation. (If you are doing Dynamic Policy PAT)
Or did I understand something wrong?
You’re understanding of our issue is correct.....
“On the other hand if same APP servers need different translations towards different servers then I can see your problem. Though in that case I would simply suggest avoid configuring the NAT destination network with such a large network mask. You should then clearly specify the destination hosts which need to be forwarded to each of the interfaces”
We want to avoid breaking up the NAT destination network is the issue. If we can simply configure NAT destination to be 192.168.0.0/16 and allow the route table to be consulted we could resolve our issue. It sounds like we might have to do some moving and shifting of interfaces around to resolve our problem. Unless someone has another suggestion at this point.
Again thank you for the post. Jouni.
So would there be a situation where you would be NATing the same APP servers to different NAT IP address while destined to 2 different customers behind the same interface?
Just thinking if you are attempting to simply set the destination network 192.168.0.0/16 in every command then I can't really think how the ASA would make any distinction between which NAT configuration to use.
Considering the above I think the ASA would keep matching the traffic from these source servers (that are same for both customers) to the first NAT configuration where the source matches and therefore the NAT rules for other customers would never be matched.
I am still not sure if I have completely understood the purpose or the reason not to configure separate NAT destination configurations for each customer setup.