One to many NAT with some exceptions for bidirectional traffic (ASA)?

tickermcse76 · ‎05-12-2017

Site A has a very large IP block (otherwise we would have used 1:1 NAT)
Site B has 20 hosts
Site A primarily initiates traffic to Site B; any host at site A is allowed to connect
Site A has 2 network links in to Site B

It will route traffic through Link_1 to a Site B host on IP_1
It also has another route through Link_2 to the same exact Site B host but on a NAT'ed IP_2

Site A source IP is always the same - they cannot NAT
Site B initiates traffic to a handful of hosts at Site A which can live anywhere in Site A's IP block
Site A and Site B must be able to communicate across both links without any further intervention (ie no changing of routes to flip from Link_1 to Link_2) - both paths are active at all times

For whatever reasons (political, technical, etc) the above statements are fixed. The initial thought was to use a one to many NAT at site B - as a standalone solution this does not work because traffic initiated from Site B won't be returned properly. Is it possible to create static NAT's for the Site A resources that Site B needs to reach, and then setup multiple one to many NAT's to cover the remaining IP's? Or even better is it possible to setup a single one to many NAT with exclusions? The config on Site B will have to be on ASA only.

Peter Koltl · ‎06-14-2017

You need two ASAs on site B, one for each WAN link. Then the static NATs to Bhost1 should translate the siteA source addresses as well with twice NAT to two different mapped addresses that help the return traffic choose the proper ASA.