Solved: NAT Operations question urgent

amanverma · ‎02-07-2018

we are doing an migration so added another inside_2 interface, BGP is running between ASA and routers on both sides.

now there are around 50 Static NAT Twice entry in place with #nat (inside,ouside)

now in migration activity we need to point same nat entry to inside_2 like #nat (inside_2,outside).

I understand that when I will create same NAT rules again with inside_2 interface then they will be placed down in order and will not match because with inside-outside they will match first.

now what we want is that during that activity when BGP points the exit path to inside_2 then NAT should use inside_2 and when BGP points inside as exit then it should use inside. but both interfaces will be up at same time with same security level.

how can I achieve this ? only have CLI access and IP's will remain same.

Francesco Molino · ‎02-07-2018

Hi

Just to be sure, I want to confirm something.

You have 2 interfaces inside and inside_2.

Behind inside you have a host natted on asa for inbound connection, let's say ip 10.100.100.1.

What you're achieving is moving that server behind interface inside_2 keeping same IP.

Am I right?

How you're advertising your network? I mean, on ASA, BGP will learn the full subnet from inside and during your migration, this subnet is gonna be learned behind inside_2?

If so, you can convert all your nat (inside,outside) into nat (any,outside). When your migration is finished, then put all nat back with the right interface nat (inside_2,outside). In that way, nat will be enable for all interfaces and the decision will be made with route-lookup step.

I've done that multiple times for customer migration and didn't get any issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎02-07-2018

Hi