
Is an extra layer of NAT okay?

dkohring
Beginner

We have an ASA going to a router that is connected to two ISPs, but no BGP. The ASA is using PAT with an IP from ISP-1, so even when traffic is routed out to ISP-2, it comes back via ISP-1. Is it okay to do PAT again on the ISP-2 interface, so traffic will come back to this interface?

1 ACCEPTED SOLUTION


David

The voice of experience says it should work ok. I have a customer where we have a very similar situation. The customer traffic passes through a firewall where the addresses are translated using address space from the primary service provider and forwarded to the router with the connections to a couple of service providers. If the traffic is to be forwarded to the second provider then we translate it again. This is working fine for us.

HTH

Rick


4 REPLIES

Jon Marshall
VIP Community Legend

If the applications work okay with PAT in the first place then there should be no problem with doing PAT on the packet again.

Jon

Yep, that is what I thought also, just wanted to hear others' opinions.

Thanks very much.


The issue you may have is how you decide to route traffic out ISP-1 and ISP-2.

If a single user machine could go out either interface and therefore appear on the internet as 2 different source addresses, you may have an issue. For most things there are no issues, but one example would be: if traffic to server A goes out ISP-1 and is NATted to IP address X, and traffic to server B goes out ISP-2 and is NATted to IP address Y, and the application on server A authenticates your IP X and then tells server B to allow this IP, then when your traffic actually gets to server B using address Y it will be rejected.

To avoid things like this you need to make sure a single inside machine always appears as the same address. It is a little tougher in your case because the router cannot see the original IP that the ASA NATted.
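Rick's arrangement (translate a second time only when the traffic is leaving towards ISP-2) written out as a Cisco IOS configuration for the dual-ISP router; this is an added example, not configuration from the thread, and the interface names and documentation-range addresses (203.0.113.0/24 standing in for ISP-1 space, 198.51.100.0/24 for ISP-2) are assumptions:

```cisco
! Constructed example. The ASA already PATs inside hosts to 203.0.113.10
! (ISP-1 space) and hands traffic to this router over Gi0/0. ISP-1 must
! route 203.0.113.8/29 to this router so ISP-1 replies reach the ASA.
interface GigabitEthernet0/0
 description Inside - link from ASA (ASA outside/PAT address is 203.0.113.10)
 ip address 203.0.113.9 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP-1 uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP-2 uplink
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Only the ASA's PAT address is a candidate for the second translation.
access-list 10 permit host 203.0.113.10
!
! Translate again only when the packet is being forwarded out Gi0/2, so
! replies from ISP-2 destinations come back to the ISP-2 interface.
route-map ISP2-NAT permit 10
 match ip address 10
 match interface GigabitEthernet0/2
!
ip nat inside source route-map ISP2-NAT interface GigabitEthernet0/2 overload
!
! Traffic leaving via Gi0/1 matches no NAT rule and keeps 203.0.113.10.
! As Jon notes, this router only ever sees 203.0.113.10, so it cannot tie
! a particular inside host to one ISP; which ISP a destination uses is
! decided purely by this router's routing table.
```

Check the result with `show ip nat translations` on the router: sessions towards ISP-2 destinations should show 203.0.113.10 as the inside global address mapped to 198.51.100.2, while sessions towards ISP-1 destinations should not appear at all.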
