ASA 8.3 NAT Issue

Dan Jay
Level 1

Dear all,

I'm at my wits end, perhaps someone can take a moment to look into this.

I want to NAT one ( ! ) single inside host on a different WAN/ ISP interface ( of which I have two ) .

The first one is a /29-addressed static SDSL 2,3 MBit link, the 2nd one a 16 MBit ADSL line with one static IP. Both interfaces are DIFFERENT carriers ( Versatel = ifname outside and Ecotel = ifname ecotel ).

( The SDSL line is used to NAT/PAT all other hosts except the one in question. )

( Inside Userland is 172.16.0.0/24 and 192.168.20.0/24. )

Both lines are firing on all cylinders, but I can't get any traffic through the ecotel ADSL interface from the client in question.

The SDSL line works as expected.

Routing is:

C    172.16.0.0 255.255.0.0 is directly connected, inside
S    192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside
C    213.138.48.24 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

I added a 2nd default route with metric 2 pointing to the 2nd ISP, resulting in:

out  0.0.0.0         0.0.0.0         via [pppOE ServerIP according to debug output] , ecotel

interface Ethernet0/2
 description Uplink Ecotel
 nameif ecotel
 security-level 0
 pppoe client vpdn group ecotel
 ip address pppoe

object network SC
 host 192.168.20.4
 description SC
object network SC
 nat (inside,ecotel) dynamic interface dns

The packet tracer routes a simulated packet from the SC Object via inside to outside....

Can someone shed some light on this ?


For John's question... As you can see from the show nat the ASA has reordered the object nat (section 2). I would have to refer to the config guide but in a nutshell it reorders them in a combination of low to high and most specific to less specific or something to that effect. For the more specific to less specific order is one of the criteria. According to above there are 0 translate hits for the nat that we are discussing. Also note that it is in position 5 and network test is in position 11. This would make it match before the object test.

So now I am wondering what the actual definition of the objects is. Is [PUBLIC IP] different in each instance?

Looking back through the very first post, I do not see the ecotel network in the output of show route. This indicates to me that it is not up. If the interface is not up, then I am guessing the ASA will ignore the match and look for something else that matches.

Routing is:

C    172.16.0.0 255.255.0.0 is directly connected, inside
S    192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside
C    213.138.48.24 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

There is something else incorrect. Your outside interface is not in the same network as your default gateway.

Also the following is not a result of a ping test.

sho capt test:

1: 14:52:10.230777 PPPoE Session ID 5346 len 10 PPP LCP: Echo Request
2: 14:52:10.238085 PPPoE Session ID 5346 len 10 PPP LCP: Echo Reply

They are keepalives for the pppoe protocol. There was some discussion earlier on about DHCP. This interface is getting its ip address via pppoe. Now we need to investigate this part of the config. I have never dealt with an ASA that was using pppoe to get its IP and so am not familiar with troubleshooting or configuring this.

I don't know if this is relevant or not.

Note: If PPPoE is enabled on two interfaces (such as a primary and backup interface), and you do not configure dual ISP support (see the "Monitoring a Static or Default Route" section on page 22-6), then the ASA can only send traffic through the first interface to acquire an IP address.

Cheers.

You have a very good point Gary.

route outside 0.0.0.0 0.0.0.0 213.138.48.1 1
C    213.138.48.24 255.255.255.252 is directly connected, outside

According to these statements above, your default route is not on the same network as the outside interface.

Outside network -> 213.138.48.24/30. You really only get .25/.26 as usable addresses.

Gary, if you were seeing a successful ping test would you see NCP: Echo Request/Reply from PPPoe?

I expect you might see NCP packets in the capture. As I stated, I have never worked on an ASA using pppoe. I even have to refresh my knowledge of PPP.

The Public IPs are all different ( static nat for various hosts /w different services applied ) .

The line protocol is indeed up ( ecotel interface with our IP is pingable from outside on a dedicated test system )

213.138.48.1 is the SDSL provider gateway of which we were notified when the line went live 10 years ago with no change.

213.138.48.24 is obviously some remote peer to our ASA. ( The .24 is not configured on any system here. )

Our IP range is /29.

I added the ecotel route /w metric 2 but it did not show up in the routing table; I need to issue the asp show table routing command to make it visible:

out  0.0.0.0         0.0.0.0         via 195.52.218.239, ecotel

Routing is:

C    172.16.0.0 255.255.0.0 is directly connected, inside
S    192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside
C    213.138.48.24 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

C at the beginning means it is a connected route and is a /30 subnet. Your ip will be either .25 or .26.

show ip will show the actual IPs of your interfaces.

I expect you just have the wrong mask on your outside interface.

If I was guessing you probably should have a /27 mask.

This is just a side issue and not related to the problem being discussed.

Let's explore how your two outside interfaces are configured.

show run interface

It's not going to show up in the routing table, because the ASA isn't going to add it to the RIB, since it has a higher administrative distance.

interface Ethernet0/0
 description Uplink Versatel SDSL
 speed 10
 nameif outside
 security-level 0
 ip address [PUBLIC] 255.255.255.252
!
interface Ethernet0/1
 description Uplink DMZ Net 172
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.1.111 255.255.0.0
!
interface Ethernet0/2
 description Uplink ADSL ecotel
 nameif ecotel
 security-level 0
 pppoe client vpdn group ecotel
 ip address pppoe
!
interface Ethernet0/3
 shutdown

sho vpdn group ecotel

vpdn group ecotel request dialout pppoe
vpdn group ecotel localname [... ]

Wow a light bulb just clicked on. John said it. If the ASA were to translate the source to the ecotel interface ip, it would not have a route to send the traffic to after doing so.

In my opinion, you cannot do what you want to do. You have to find a different way to split the load.

eg: route 0.0.0.0 128.0.0.0 outside
    route 128.0.0.0 128.0.0.0 ecotel

I don't even know if that's going to work.

Makes me wonder why I then would want to have multiple interfaces if I cannot determine different paths.

I understand that the ASA is a firewall first and a router second.

My point is:

I first do a NAT statement which I can issue with at least some granularity, that is, stating explicitly where I want traffic to go, but I then need a route to that target network, which is in turn overwritten by a lower metric one. How interesting is that ?

I wonder if I should add a 3rd FastEthernet interface on the 2611XM to get it done.

Well if there is a vlan interface on the 2611 for the internal network you can add another interface and run PBR if the IOS supports it, BUT it will need to have a directly connected network for the next-hop you specify in the PBR.

My plan would be as follows:

The 2611 has a 12.2(8)T8 on it /w pppoE support. Currently I got some old 4-BRI N/M in there along with some really old analog modem WIC ( dating back from the leather boot days, y' know...). I'd grab an NM-4E off eBay, put it in and fire it up.

1st Interface ( ex Works ) connects to 192.168.20.0/24

2nd Interface ( ex Works ) connects to 172.16.0.0/16

3rd ( new N/M ) Interface would connect to the ADSL line with the WAN IP resulting in the ecotel net being directly linked to the 2611.

So, if I'm right, I'd be able to "vacuum" the host in question and NAT it via the new interface, right ?

You will have the same issue on the 2611. It can only have one default route. In this case PBR will definitely be required, and in the event of failure of that ISP, you will be down.

Sure, I'd need to PBR the traffic in question, that's what I meant by "vacuuming".

I know that we'll be down in this case and that ISP failover is something different ( which we do not need ).

It's all about the :80 traffic which I want to separate.

As I can use PBR on the 2611 /w direct link to ecotel ( cannot do both on the ASA ) I am guessing doing this there will do the job, doesn't it ?

That should do the job. In that way you can PBR all the data from the Proxy to the internet.

But, as Gary said, you will run into redundancy issues if an ISP link goes down, for instance if the ecotel ISP goes down, then you would be down and out, unless you just disabled the PBR from the vlan interface and allowed it to route as usual, but that wouldn't be automatic.
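As an added illustration of the PBR plan discussed in the last posts, here is an IOS configuration for the 2611 that policy-routes only the proxy host's TCP/80 traffic into a PPPoE Dialer on the new Ethernet uplink and PATs it there, leaving all other traffic on the default route towards the ASA. This is not configuration from the thread; the interface names, dialer/pool numbers, ACL and route-map names and the bracketed PPPoE credentials are assumptions, and on 12.2(8)T the PPPoE client may additionally require the older vpdn-group pppoe / request-dialin / protocol pppoe form.

```ios
! Added example (not from the thread). Assumed: the NM-4E's Ethernet3/0 is the
! new ADSL uplink, FastEthernet0/0 faces 192.168.20.0/24 and the ASA inside
! address 172.16.1.111 stays the default gateway for everything else.
interface Ethernet3/0
 description ADSL ecotel (PPPoE client)
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description PPPoE session to ecotel, directly connected next hop for PBR
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [PPPOE-USERNAME]
 ppp chap password [PPPOE-PASSWORD]
!
dialer-list 1 protocol ip permit
!
! Match only the proxy host's outbound web traffic (the :80 traffic to split off)
ip access-list extended PROXY-WEB
 permit tcp host 192.168.20.4 any eq 80
!
! Policy-route those packets into the PPPoE session; everything else keeps
! following the routing table (default via the ASA)
route-map TO-ECOTEL permit 10
 match ip address PROXY-WEB
 set interface Dialer1
!
! PAT that single host behind the negotiated ADSL address on the way out
ip access-list extended NAT-ECOTEL
 permit ip host 192.168.20.4 any
ip nat inside source list NAT-ECOTEL interface Dialer1 overload
!
interface FastEthernet0/0
 description LAN 192.168.20.0/24
 ip nat inside
 ip policy route-map TO-ECOTEL
!
ip route 0.0.0.0 0.0.0.0 172.16.1.111
```

If the ecotel session drops, PBR simply has no usable interface and the matched traffic is dropped rather than failing over, which is the redundancy limitation the last reply describes.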