09-07-2013 12:51 AM - edited 03-11-2019 07:35 PM
Hi,
We have an ASA5585 running 8.6 in routed multiple-context mode. One of the contexts has one inside
and one outside. Users on the inside are in the subnet 10.139.X.X, except 10.139.5.X, which is used for NAT. On the backbone, we configure a static route
to 10.139.5.X pointing to the inside of the firewall.
Relevant configuration:
object-group network EMP-SOURCE
 network-object 10.139.0.0 255.255.0.0
object network NAT-POOL-EMP-SOURCE
 range 10.191.2.5 10.191.2.254
object network DESTINATION-1
 host 10.139.5.1
object network DESTINATION-2
 host 10.139.5.2
object network DESTINATION-3
 host 10.139.5.3
object network DESTINATION-4
 host 10.139.5.4
object network NAT-DESTINATION-1
 host 109.171.192.1
object network NAT-DESTINATION-2
 host 109.171.192.2
object network NAT-DESTINATION-3
 host 109.171.192.129
object network NAT-DESTINATION-4
 host 109.171.192.130
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-1 NAT-DESTINATION-1
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-2 NAT-DESTINATION-2
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-3 NAT-DESTINATION-3
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-4 NAT-DESTINATION-4
I was trying to configure twice NAT to achieve the following:
When users on the inside (10.139.X.X) try to access 10.139.5.X, the traffic reaches the ASA inside interface and twice NAT takes place:
- the source address (user machine) is NATed to a pool of 10.191.2.X
- the destination address (10.139.5.X) is NATed to 109.171.192.X (one-to-one static NAT)
The configuration is working fine with the last two twice NAT commands:
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-3 NAT-DESTINATION-3
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-4 NAT-DESTINATION-4
DESTINATION-3 and DESTINATION-4 are SSH servers, and it works OK.
Our problem is with the first two twice NAT commands:
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-1 NAT-DESTINATION-1
nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE destination static DESTINATION-2 NAT-DESTINATION-2
DESTINATION-1 and DESTINATION-2 are HTTP services (web servers). The access is very slow: it takes a long time to open the main page
and it is slow when trying to browse any link within the main page. As I stated, browsing is working but extremely slow.
We did some troubleshooting to confirm that the web servers are not having any issues: we bypassed the firewall and the browsing works fine.
As long as traffic passes through the firewall (where twice NAT is configured), the access is very slow.
Is there any fine tuning we can do to resolve the problem?
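A small Python model of the four twice NAT rules quoted above, added here as an example; it is not code from the post or from the ASA. It shows which packets the rules match, the first-match ordering, the one-to-one destination mapping, and what happens when the 250-address dynamic pool is exhausted. The pool allocation order (lowest free address first) is an assumption of the model.

```python
import ipaddress

# Constructed model of the posted rules:
#   nat (inside,outside) source dynamic EMP-SOURCE NAT-POOL-EMP-SOURCE
#       destination static DESTINATION-n NAT-DESTINATION-n
EMP_SOURCE = ipaddress.ip_network("10.139.0.0/16")
# range 10.191.2.5 10.191.2.254 -> 250 usable pool addresses
POOL = [ipaddress.ip_address("10.191.2.5") + i for i in range(250)]

# (real destination, mapped destination) in configuration order; ASA evaluates
# these section-1 twice NAT rules top-down and the first match wins.
RULES = [
    (ipaddress.ip_address("10.139.5.1"), ipaddress.ip_address("109.171.192.1")),
    (ipaddress.ip_address("10.139.5.2"), ipaddress.ip_address("109.171.192.2")),
    (ipaddress.ip_address("10.139.5.3"), ipaddress.ip_address("109.171.192.129")),
    (ipaddress.ip_address("10.139.5.4"), ipaddress.ip_address("109.171.192.130")),
]


class TwiceNat:
    def __init__(self):
        # Dynamic NAT (no PAT): each inside host holds one pool address while
        # its xlate exists, so the table is real source -> pool address.
        self.xlates = {}

    def translate(self, src, dst):
        """Return (translated_src, translated_dst) as strings, or None if no rule matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in EMP_SOURCE:
            return None  # source is not in 10.139.0.0/16
        for real_dst, mapped_dst in RULES:
            if dst == real_dst:
                break
        else:
            return None  # e.g. 10.139.5.5: no rule, packet is routed untranslated
        if src not in self.xlates:
            in_use = set(self.xlates.values())
            free = next((a for a in POOL if a not in in_use), None)
            if free is None:
                # 250 pool addresses for a /16 of users: without a PAT fallback
                # the ASA cannot build a new xlate and drops the connection.
                raise RuntimeError("NAT pool exhausted")
            self.xlates[src] = free
        return str(self.xlates[src]), str(mapped_dst)
```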
09-07-2013 10:49 AM
Hello Ali,
Follow the following guide to determine what's going on:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9521.shtml
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura