02-07-2018 12:28 PM - edited 02-21-2020 07:18 AM
We are doing a migration, so we added another interface, inside_2; BGP is running between the ASA and the routers on both sides.
Now there are around 50 static twice NAT entries in place with #nat (inside,outside).
Now, in the migration activity, we need to point the same NAT entries to inside_2, like #nat (inside_2,outside).
I understand that when I create the same NAT rules again with the inside_2 interface, they will be placed lower in the order and will not match, because the inside-outside rules will match first.
Now what we want is that during that activity, when BGP points the exit path to inside_2, then NAT should use inside_2, and when BGP points to inside as the exit, then it should use inside. But both interfaces will be up at the same time with the same security level.
How can I achieve this? I only have CLI access, and the IPs will remain the same.
02-07-2018 06:15 PM
Hi
Just to be sure, I want to confirm something.
You have 2 interfaces, inside and inside_2.
Behind inside you have a host NATted on the ASA for inbound connections, let's say IP 10.100.100.1.
What you're achieving is moving that server behind interface inside_2 while keeping the same IP.
Am I right?
How are you advertising your network? I mean, on the ASA, BGP will learn the full subnet from inside, and during your migration this subnet is going to be learned behind inside_2?
If so, you can convert all your nat (inside,outside) into nat (any,outside). When your migration is finished, then put all the NAT back with the right interface, nat (inside_2,outside). In that way, NAT will be enabled for all interfaces and the decision will be made at the route-lookup step.
I've done that multiple times for customer migrations and didn't get any issues.
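The three-stage rewrite described in the reply above, written out as an added ASA configuration example (not configuration from the original thread). The object names SRV-REAL, SRV-MAPPED and PARTNER-NET, the mapped address 203.0.113.10 and the partner subnet 198.51.100.0/24 are constructed placeholders; only 10.100.100.1 comes from the reply. The explicit line number keeps each rewritten rule at the same position in section 1 (manual NAT), so the relative order of the ~50 twice NAT entries is preserved while they are converted one at a time.

```text
! Objects assumed for this example (placeholders, not from the original thread)
object network SRV-REAL
 host 10.100.100.1
object network SRV-MAPPED
 host 203.0.113.10
object network PARTNER-NET
 subnet 198.51.100.0 255.255.255.0

! 1. Pre-migration: twice NAT pinned to the inside interface
nat (inside,outside) 1 source static SRV-REAL SRV-MAPPED destination static PARTNER-NET PARTNER-NET

! 2. During migration: same rule, same line position, but with "any" as the real interface
!    so the egress interface (inside vs inside_2) follows whatever BGP currently installs
no nat (inside,outside) source static SRV-REAL SRV-MAPPED destination static PARTNER-NET PARTNER-NET
nat (any,outside) 1 source static SRV-REAL SRV-MAPPED destination static PARTNER-NET PARTNER-NET

! 3. Verify which path an inbound flow takes at each step (partner host 198.51.100.5 is constructed)
show nat
show route | include 10.100.100
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443

! 4. Post-migration: pin the rule to inside_2 once routing has settled
no nat (any,outside) source static SRV-REAL SRV-MAPPED destination static PARTNER-NET PARTNER-NET
nat (inside_2,outside) 1 source static SRV-REAL SRV-MAPPED destination static PARTNER-NET PARTNER-NET
```

The packet-tracer output should show the NAT phase matching the rewritten rule and the route phase selecting inside or inside_2 according to the BGP route for 10.100.100.1; if step 2 still shows the old interface, check with show nat that the (any,outside) rule sits above any remaining (inside,outside) rule for the same host.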