NAT/PAT PBR Deployment from ASA to SG500X

fbeye
Level 4

NAT + PBR Deployment

Hello. So I have nothing to post as this is a theory and a question on its legitimacy, as in, can it be done this way or what better way.

ASA 5508-X w/ 6 Usable Static IP’s

  x.x.x.182 (ASA WAN)

  x.x.x.177

  x.x.x.178

  x.x.x.179

  x.x.x.180

  x.x.x.181

SG550X

  LAN 192.168.5.0

      192.168.5.2 - 192.168.5.100 PBR to use x.x.x.182 WAN IP (Range)

      192.168.5.177 PBR to use x.x.x.177 WAN IP ( 1 to 1 )

      192.168.5.178 PBR to use x.x.x.178 WAN IP ( 1 to 1 )

      192.168.5.179 PBR to use x.x.x.179 WAN IP ( 1 to 1 )

      192.168.5.180 PBR to use x.x.x.180 WAN IP ( 1 to 1 )

      192.168.5.181  PBR to use x.x.x.181 WAN IP ( 1 to 1 )


My question is how many Networks from ASA to SG would I need? I mean to use PBR I need an interface on SG to be an IP as a next hop to the ASA. Do I need 1 network per PBR or an IP for each PBR from the same Network on the ASA?

For example, I assume each PBR needs its own Interface IP for next hop or else why even have PBR.

Would x.x.x.182 use 192.168.1.0 to reach SG, x.x.x.177 use 192.168.2.0 to reach SG, x.x.x.178 use 192.168.3.0 and so on? Or could all of this be done with one Network from ASA to SG and use NAT/PAT on ASA. This is where I start to get confused.

Among all of my gibberish, this stands true and is the point:

Really to simplify, I want everything on my entire Network to be on 192.168.5.0, but the Specific IP’s and IP Ranges to go to their correct WAN IP’s as mentioned above under SG550X.


Richard Burts
Hall of Fame

I do not understand your question, and am puzzled about what you are trying to accomplish in this theory. When we talk about using PBR it generally means that we want to apply some routing logic for most of the devices in the subnet and to apply different routing logic for some devices. But in your description all of the devices will use the same routing logic with the ASA as the next hop. So what is the point in PBR?

What it sounds like is that you want some devices to use a different Public IP when they access the Internet. And that does not use PBR but does use NAT. So I think what you are really looking for is for the ASA to have a dynamic NAT for most devices in the subnet and to have static NAT for the 5 devices. 

If my understanding is not correct then please provide clarification.

HTH

Rick

Alright, that makes sense. This would more so be, as you said, Dynamic NAT (Range) and Static NAT (for 5 devices). I am just unsure how to deploy that. Being the ASA Interfaces are independent I know I would need a Switch (SG550X).

The deployment seems fairly straight forward. It seems perhaps that you are assuming that you need to assign each IP to an interface? That is not the case. You would assign one of the IP to the outside interface. You would configure dynamic NAT for Inside going to Outside using the IP of the Outside interface. Then you would configure 5 static NAT statements to translate a particular outside IP to a particular inside IP. No need for each Public IP to be assigned to an interface.

HTH

Rick

Hello,

the below should work:

! Many-to-one for the range is dynamic PAT behind the outside interface
! address (x.x.x.182); a static rule here would be one-to-one.
object network 192_168_5_2_100
range 192.168.5.2 192.168.5.100
nat (inside,outside) dynamic interface
!
object network Host_192_168_5_177
host 192.168.5.177
nat (inside,outside) static x.x.x.177
!
object network Host_192_168_5_178
host 192.168.5.178
nat (inside,outside) static x.x.x.178
!
object network Host_192_168_5_179
host 192.168.5.179
nat (inside,outside) static x.x.x.179
!
object network Host_192_168_5_180
host 192.168.5.180
nat (inside,outside) static x.x.x.180
!
object network Host_192_168_5_181
host 192.168.5.181
nat (inside,outside) static x.x.x.181

fbeye
Level 4

Hello

I thank you both for your responses.

I do have to say though that the core of my question (intentionally) has changed. Under assumed circumstances it is correct, I would not need PBR because it is one Subnet from the ASA and PAT then Static NAT would suffice. And then the affirmation of rules was appreciated and it actually cleaned up something else I had in mind.

I want to reiterate though that the 192.168.5.0 Network, on the SG550X, cannot be directly related to the ASA.

The ASA has, as I mentioned, 6 Static WAN IPs.

The SG needs its own Network to have ALL devices on the Same LAN, which to this step is what we are all assuming. But coming later is another WAN completely and I need those devices from a completely different Internet and Network to communicate with ALL devices (on both Internets) which was the L3 of the SG and the 192.168.5.0 (Network for BOTH WAN Internets).

Though this next phase was not mentioned it still should affect what I was meaning.

The rules laid out would be 100% what I needed if the SG were L2 but I need it to be L3 so that both INTERNETS can communicate on LAN side but I need PBR's for the specific devices on that x.x.5.0 LAN to get on the internet on their respective WAN's.

In "my" assumption, the Network from the ASA to the SG cannot be the same Network on the SG (x.x.5.0) so I would need to create another Network? for the PBR's to work.

Again, nothing is changing really except how do I tell the ASA to communicate to a x.x.5.0 LAN through a, let's say, 192.168.1.0 LAN (ASA to SG for routing back). This would be easy enough if it was "this range goes to this PBR and this range goes to this PBR" (which is actually HOW I have it now) but how do I include the 5 STATIC NATS through the PBR that the range uses? Or would I create more networks?

LONG STORY SHORT;

Can ASA Static WAN IP's communicate and NAT/PAT to LAN IP's that are not on its default Network?

ASA x.x.x.177 NAT to 192.168.5.177 through 192.168.1.2, if 192.168.1.0 is ON ASA and an Interface on the SG550X which has a PBR, let's say, 192.168.5.177 255.255.255.0 192.168.1.2 (GE 1/1 SG550X) or would it need its own PBR that the 192.168.5.0 Range (192.168.5.2 - 192.168.5.100) uses.

I understand the part where you say that your question has changed. Other parts of the update to your post are difficult for me to understand. What I think I understand is that you will want the SG switch to operate as a layer 3 switch. It will have a single LAN 192.168.5.0. And that it will have 2 Internet gateways (the ASA and some other Internet connected device (what will that be?)). I think I understand that some hosts in the SG LAN will use the ASA as their gateway to access the Internet and some other hosts in that LAN will use the other gateway to access the Internet. If that understanding is not correct then please provide clarification.

If that understanding is correct then yes you will need PBR to accomplish what you want to achieve.

In this new environment there is a question that you will need to answer, and it would possibly impact the way that you set up the PBR. Some devices will use the ASA as their gateway (and some of those will be using the static NAT). If there is a problem on the ASA would you want these devices to fail over and use the other Internet gateway? And if they do fail over what happens about the static NAT?

You continue to seem to want to associate the static NAT with the SG switch and with PBR. Let me try to explain again (and hopefully more successfully) that the static NAT is done on the ASA. There is nothing on the SG switch or on PBR that has anything to do with static NAT.

HTH

Rick

Hello!

Everything in your response is absolutely spot on until the 3rd paragraph. With that I will say, at this time, no failover is needed. The reason for this is if the ASA goes down, so will all 6 of those IP’s, so no failover. As far as this 2nd Internet Connection, it will be a different ISP and its LAN devices will also reside on the SG with the other (other ISP as well) 192.168.5.0 Subnet. So I am assuming I’d need PBR on SG for those [other] LAN devices on 192.168.5.0 to connect to for Internet.

I keep mentioning NAT/PBR out of ignorance because in my head, how does a 192.168.5.0 know to go to what WAN IP without it? You mention that is all done via NAT/PAT on the ASA, and that I can understand if I understood how.

How does the ASA know what 192.168.5.0 is? My guess would be to have a static route 192.168.5.0 255.255.255.0 [ip on SG interface that is also part of ASA LAN network]. This is where I am getting lost.
x.x.5.0 has nothing to do with the ASA as it is the “common” LAN to all end devices, which are to be separated (I keep saying PBR) to their correct WAN IP’s. Being 5.0 is not on the ASA, the ASA needs a network of its own; 192.168.1.0? So I would NAT x.x.x.177 to 192.168.5.177 and the ASA would translate it even though it doesn’t know of 5.0, but will do so because of the static route?

Thanks for the additional information. As far as paragraph 3 is concerned that was a question that you needed to answer. Some people say that if they have 2 paths to the Internet and if one path has a problem then they want all of their traffic to the Internet to use the link that still works (fail over to the still working one). If you do not want failover that is fine (and it makes the configuration a bit more simple). So there will be no failover in your configuration.

So you will have a LAN configured on the switch (192.168.5.0) and some devices in that network will use the ASA as their gateway to the Internet while other devices in that network will use the other Internet gateway. To accomplish that you will need PBR on the switch.

Certainly the ASA will need to know how to reach network 192.168.5.0 and a static route is the easy way to do that. The ASA will also know that the 5 static NAT addresses will translate to 5 addresses within that network. And the ASA will know that any traffic from that network (other than the 5 with static translation) will need to do translation with its outside interface address. There is no reason why the SG switch should know about or care about the fact that there are static NAT translations. All of that is done on the ASA (no involvement for SG switch).

You ask " how does a 192.168.5.0 know to go to what WAN IP without it?" The answer is that devices in the 192.168.5.0 network will depend on routing logic in the SG switch to accomplish that. All of the devices in the 192.168.5.0 network will need to be configured with a default gateway which would be the IP address of the SG switch in that network. Then the SG switch would need routing logic to know which devices should be forwarded to the ASA and which devices should be forwarded to the second ISP. That is where PBR is needed.

HTH

Rick

Interesting. So the ASA can see and communicate with any LAN so long as it has a static route to it therefore the ASA can NAT/PAT to said network via that static route?

Let me see if I understood you correctly and see if this will work.

ASA

  x.x.x.177 NAT 192.168.5.177

  x.x.x.178 NAT 192.168.5.178

  x.x.x.179 NAT 192.168.5.179

  x.x.x.180 NAT 192.168.5.180

  x.x.x.181 NAT 192.168.5.181

  x.x.x.182 PAT 192.168.5.2 - 192.168.5.100

  ASA LAN 192.168.1.0 (192.168.1.1 GE1/2)

  route 192.168.5.0 255.255.255.0 192.168.1.2

SG550X

   GE1/1 192.168.1.2

   192.168.5.2 - 192.168.5.100 PBR 192.168.1.2

   192.168.5.101 - 150 PBR to other ISP.

What you have suggested here should work. And you could simplify it a bit if you want. If the SG switch has a default route (with either the ASA or ISP 2 as the next hop) then you would not necessarily need the PBR for traffic to that next hop. Or if you like to see things configured explicitly then use both PBR.

HTH

Rick
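The ASA side of the design confirmed above, written out as ASA CLI. This is an added example, not configuration from the thread: the x.x.x.* public addresses are the post's placeholders, and the interface names, the /29 WAN mask and the 192.168.1.0/24 transit link to the SG550X are assumptions.

```cisco
! ASA 5508-X (9.x CLI) configuration for the design in the post above.
! Added example, not from the thread: x.x.x.* are the post's placeholders;
! interface names, the /29 WAN mask and the 192.168.1.0/24 transit link to
! the SG550X are assumptions.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.182 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The ASA reaches the SG550X LAN only via this static route; 192.168.1.2 is
! the SG550X side of the transit link. NAT needs nothing more than this.
route inside 192.168.5.0 255.255.255.0 192.168.1.2
!
! Many-to-one for the range is dynamic PAT behind the outside interface
! address (x.x.x.182), not a static rule (static is one-to-one).
object network LAN_5_2_100
 range 192.168.5.2 192.168.5.100
 nat (inside,outside) dynamic interface
!
! One-to-one static NAT for the five hosts. Within object NAT the ASA orders
! static rules ahead of dynamic ones, so these win over the PAT above.
object network Host_192_168_5_177
 host 192.168.5.177
 nat (inside,outside) static x.x.x.177
object network Host_192_168_5_178
 host 192.168.5.178
 nat (inside,outside) static x.x.x.178
object network Host_192_168_5_179
 host 192.168.5.179
 nat (inside,outside) static x.x.x.179
object network Host_192_168_5_180
 host 192.168.5.180
 nat (inside,outside) static x.x.x.180
object network Host_192_168_5_181
 host 192.168.5.181
 nat (inside,outside) static x.x.x.181
!
! A catch-all "inside to outside" PAT written as a manual (section 1) rule
! is evaluated before object NAT and shadows the statics (the symptom
! reported later in the thread). Keep any such rule in section 3 instead.
nat (inside,outside) after-auto source dynamic any interface
!
! Static NAT alone does not admit inbound sessions; an ACL on outside (written
! against the real address, 8.3+) is still needed. TCP/443 to .177 is assumed.
access-list OUTSIDE_IN extended permit tcp any object Host_192_168_5_177 eq 443
access-group OUTSIDE_IN in interface outside
```

Verify with `show nat` that the five static translations appear in section 2 ahead of the dynamic rules, and with `show xlate` that a .180 host's outbound connection is translated to x.x.x.180 rather than x.x.x.182.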

Beautiful!

I truly appreciate your patience and other responders as well. Sometimes I over complicate things and then nothing clicks.

As soon as I get my FPR1010 to replace the ASA I will deploy this with great success and let ya know.

I currently have all this working but man alive it’s so all over the place I knew I had to simplify it.

Just a quick side question. You said to simplify the SG I could eliminate the PBR and have a default route to the ASA or other ISP but how would that affect the LAN devices that don’t follow that default route?

Or do you mean to have PBR for one but default route for the other?

For this to work you will need at least one PBR. My comment was that you do not necessarily need two PBR (though two PBR would work and some people might prefer to see explicit routing for both).

HTH

Rick
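The "one PBR plus a default route" variant on the switch side, as an added example rather than anything from the thread. Assumptions: VLAN 5 carries 192.168.5.0/24, VLAN 10 is the 192.168.1.0/24 transit to the ASA (ASA at 192.168.1.1, which is the PBR next hop, not the switch's own 192.168.1.2), VLAN 6 faces ISP 2 with gateway 192.168.6.1, and the route-map / ip policy commands follow the Sx550X CLI form.

```cisco
! SG550X in layer 3 mode: one PBR for ASA-bound hosts, default route to ISP 2.
! Added example, not from the thread. Assumed addressing: VLAN 5 = LAN,
! VLAN 10 = transit to the ASA (ASA is 192.168.1.1), VLAN 6 = ISP 2 side.
interface vlan 5
 ip address 192.168.5.1 255.255.255.0
interface vlan 10
 ip address 192.168.1.2 255.255.255.0
interface vlan 6
 ip address 192.168.6.2 255.255.255.0
!
! Everything the policy does not catch follows the default route to ISP 2.
ip route 0.0.0.0 0.0.0.0 192.168.6.1
!
! Hosts that must exit through the ASA: the PAT range and the five static-NAT
! hosts. Wildcard masks cannot express 5.2-5.100 exactly; 5.0/25 also pulls
! in 5.101-5.127, which collides with the 5.101-5.150 ISP-2 range in the
! post, so either renumber the ISP-2 hosts above 5.127 or add narrower
! entries. Traffic between VLAN 5 hosts is switched and never hits the
! policy, but traffic to other routed internal VLANs would be sent to the
! ASA; on IOS one adds deny entries for those destinations first, so verify
! that behaviour on the SG firmware in use.
ip access-list extended TO_ASA
 permit ip 192.168.5.0 0.0.0.127 any
 permit ip 192.168.5.176 0.0.0.7 any
exit
route-map PBR_ASA permit 10
 match ip address access-list TO_ASA
 set ip next-hop 192.168.1.1
exit
interface vlan 5
 ip policy route-map PBR_ASA
```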

Hello!

So I was fortunate enough to get the FPR1010 and have it, mostly, set up.

As we talked about before, I set it all up as mentioned.

I have a feeling, though, that I am doing NAT wrong as no matter what I do, the IP 192.168.5.180 continues to use WAN x.x.x.182 and not the x.x.x.180 I have in NAT.

For some reason, I feel the FPR is grabbing the 1st IP of the Block, but not negotiating or allowing the other 5 IP's to be configured.

Never mind, fixed it.

The original default NAT "inside to outside" was overruling my Static NAT.

Works now.
