nat 0 on outside interface

jrchgtrrz
Level 1

We are using 2 full unrestricted licensed PIX525s which are load balanced in a sandwiched config:

public traffic ---> external load balancer ---> PIX525 farm ---> internal load balancer ---> server farm

My question is: I need to pass traffic from the external load balancer to the internal load balancer, such that the source and destination IPs of the load balancers do not change. For traffic originating from the external LB, do I use nat 0 on the outside in this case? Or is it better to use a one-to-one static on the outside?

I tried nat (Outside) 0 and it seemed to work, but I get a warning on boot:

WARNING: Binding inside nat statement to outermost interface.

Any help would be appreciated.

Thanks

- Jericho

9 Replies

scoclayton
Level 7

I would be curious to see exactly what you are doing as I would not have suggested nat (outside) 0 as an option.

The thing to remember is that translations are bidirectional and they are needed to pass traffic from hosts on one interface to another. In this case, I would suggest either a static translation or a nat (inside) 0 ACL. Here is an example of the static I would suggest:

static (inside,outside) 10.1.1.1 10.1.1.1

where 10.1.1.1 was the IP address of your internal LB

Along with the proper ACLs, the above would allow the external LB to access the internal LB via the 10.1.1.1 address. The source IP of the external LB would *not* be translated.

An example of the nat (inside) 0 ACL would be as follows:

access-list nonat permit ip host 10.1.1.1 host 10.2.1.1

nat (inside) 0 access-list nonat

where 10.1.1.1 is your internal LB and 10.2.1.1 is your external LB.

This statement allows 10.2.1.1 (and only this address) to access the internal LB via the 10.1.1.1 address. As you can see, the nat (inside) 0 ACL gives you a little more control over the source and destination of the packets.

Make sense?

Scott

Scott -

Thanks for the suggestions. We are doing firewall load balancing and need to pass traffic between the load balancers such that the IPs are untranslated. If using the 1-to-1 static on the outside is the recommended method, we'll try that. Is there any potential for problems with using nat 0 on the outside for those specific IPs? It seemed to work under light load tests, but I'm wondering about long-term stability.

- Jericho

I still don't see how a nat (outside) would work in this situation so I'm not sure how to answer you. Can you share your config so that I can take a look?

Scott

See attached.

hi mate,

Why are you load balancing the PIXs?

The only reason I can think of is so you can have an active/active scenario?

I would consider dropping that idea, putting them in a failover situation and only running 1 set of LBs.

cheers

dave

In fact, we are doing an active/active config. The only reason we are doing so is because we are replacing our existing CheckPoint firewalls (which were already in place in an active-active config). We would like to simplify things and use your suggestion, but this is the first step to get there.

hi,

Ok, that's what I thought.

If you want to end up with a failover situation rather than an active/active, I would plan it and implement now, rather than putting the PIXies in active/active and then moving to failover.

OR

You could wait for V7.0 of PIX to come out and then you can run active/active failover :)

I would like to do so, but the "powers that be" would like to take smaller steps. That's where we are today. Any thoughts on whether my usage of nat 0 on the outside is ok? From what I gather, the Cisco-approved way to do this is to use nat 0 when going from inside-to-outside and use a 1-to-1 static when going from outside-to-inside.

Hrmm, I know that feeling. Perhaps you can convince them that this is a smaller step!

If you can't, what you will need to do is:

1) Configure both PIXs as independent. Obviously only 1 will be the default GW for the network, and make sure there are no IP overlaps.

2) Don't use nat on the outside interface, as that's not how the PIX works.

3) Set up 2 statics for the 1->1 mapping on each PIX and then LB to these 2 statics.

I think that's all you need to do at a high level.

do you need to know anything else?
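The two approaches recommended in the thread (Scott's identity static or nat (inside) 0 ACL, and Dave's per-PIX 1-to-1 statics) as one added example configuration. This is not a config posted by any participant; it uses the thread's addresses (internal LB 10.1.1.1 on the inside, external LB 10.2.1.1 on the outside), assumes PIX 6.x syntax with interfaces named inside and outside, and the ACL name from-outside and the ports 80/443 are assumptions. Pick one of the two translation options, not both, and repeat the same statements on each PIX in the farm.

```cisco
! Added example (not from the thread); PIX 6.x syntax, interfaces "inside"/"outside" assumed.
! Assumed addresses taken from the thread: internal LB 10.1.1.1, external LB 10.2.1.1.

! --- Option A: identity static (Scott's first suggestion, Dave's step 3) ---
! The internal LB keeps its real address on the outside; the external LB's
! source address is not translated in either direction.
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

! --- Option B: NAT exemption on the inside interface (Scott's second suggestion) ---
! Only the LB pair is exempted; other inside hosts still follow normal nat/global rules.
! The nat 0 ACL matches on IP addresses only, not ports.
access-list nonat permit ip host 10.1.1.1 host 10.2.1.1
nat (inside) 0 access-list nonat

! --- Needed with either option: inbound policy on the outside interface ---
! A translation alone never permits outside-initiated traffic on the PIX;
! the access-group restricts it to the external LB and the services it balances.
access-list from-outside permit tcp host 10.2.1.1 host 10.1.1.1 eq 80
access-list from-outside permit tcp host 10.2.1.1 host 10.1.1.1 eq 443
access-group from-outside in interface outside

! --- Checks ---
! Option A shows an identity xlate for 10.1.1.1 once traffic flows;
! Option B shows hit counts on the nonat ACL instead of an xlate entry.
show xlate
show access-list nonat
show access-list from-outside
```

Note the difference the thread points at: nothing here binds a translation to the outside interface, which is what triggered the "Binding inside nat statement to outermost interface" warning in the original post. The static and the nat 0 ACL both live on the inside, and the outside interface carries only the inbound ACL.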