Hi Swap,
Thanks for your reply.
We already tried the 1st solution, but the CPU of the switch goes too high, around 80-90%. Don't want to opt for the second solution.
Can nat-control be disabled? Will it resolve the problem?
Cheers,
Nick
Sent on my BlackBerry. from Vodafone
-----Original Message-----
From: swap m <ccie19804_at_gmail.com>
Date: Wed, 23 Nov 2011 22:30:36
To: <ccienovice_at_gmail.com>
Cc: Karim Jamali<karim.jamali_at_gmail.com>; <ccielab_at_groupstudy.com>
Subject: Re: Bidirectional NAT
That's normal, Dynamic outside NAT will not allow traffic to flow from
inside to outside, even though static (in,out) is required & present
for outside NAT to work (nat-control can be disabled to bypass this
static).
Two quick solutions (there can be many more..):
1. you can use two IP Addresses on the server - one for each ISP and do
a source based policy routing on your L3 switch (requires EMI image on
switch)
2. since you have routers on perimeter, use router to do NAT for
internet hosts in inbound direction and use static routing for fixed
destination as you have rightly said. (a little ugly solution though!)
Swap
#19804 x 2
On Wed, Nov 23, 2011 at 2:41 PM, <ccienovice_at_gmail.com> wrote:
> Hi Karim,
>
> We have 2 ISPs coming in on 2 different Routers. Each router is connecting to a firewall respectively. Both the firewalls are connecting to a L3 switch. The L3 switch is load balancing the traffic. When the traffic is initiated from outside to internal servers the traffic is dropped due to TCP inspection on the firewall. Now as the destination is fixed for the internal server we can add a static route on the L3 switch.
>
> Cheers,
> Nick
> Sent on my BlackBerry. from Vodafone
>
> -----Original Message-----
> From: Karim Jamali <karim.jamali_at_gmail.com>
> Date: Wed, 23 Nov 2011 13:20:24
> To: Nick E<ccienovice_at_gmail.com>
> Cc: <ccielab_at_groupstudy.com>
> Subject: Re: Bidirectional NAT
>
> Hi Nick,
>
> The static nat is bidirectional by nature, i.e. it doesn't really care
> where the connection is initiated from. I don't see the value of the other
> nat statements. You would only need an access-list to permit traffic from
> the outside zone to the server.
>
> Thanks
>
> On Tue, Nov 22, 2011 at 7:19 PM, Nick E <ccienovice_at_gmail.com> wrote:
>
>> Hi,
>>
>> I have configured bidirectional NAT on ASA. The configuration is as
>> follows:-
>>
>> ======================
>> nat (outside) 4 access-list OUT-TO-SVR outside
>> !
>> global (inside) 4 172.30.30.1
>> !
>> access-list OUT-TO-SVR extended permit ip any host 192.168.10.1
>> !
>> static (inside,outside) 192.168.10.1 172.30.10.1 netmask 255.255.255.255
>> ========================
>>
>> I am facing problem where the local ip is not getting translated to global
>> but from internet the server is reachable. To be precise, server can't
>> access internet but from internet the server is reachable.
>>
>> Please find the logs as follows:-
>>
>> %ASA-3-305005: No translation group found for icmp src INSIDE:172.30.10.1
>> dst OUTSIDE:203.199.44.37 (type 8, code 0)
>>
>> Thanks in advance
>>
>> Regards,
>> Nikhil
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> KJ
>
Received on Wed Nov 23 2011 - 18:50:43 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
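As an added triage helper that is not part of the thread, the Python script below parses the %ASA-3-305005 "No translation group found" message Nikhil quoted and counts untranslated flows per interface pair and real source address, which points at the direction for which no nat/static rule matched. The regex and the extra sample lines are my assumptions based on the message format shown in the thread.

```python
import re
from collections import Counter

# Pattern for ASA syslog ID 305005 as quoted in the thread:
#   %ASA-3-305005: No translation group found for <proto> src <ifc>:<ip>[/port]
#   dst <ifc>:<ip>[/port] [(type N, code M)]
# Ports are optional (ICMP has none); the ICMP type/code suffix is ignored.
NO_XLATE_RE = re.compile(
    r"%ASA-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


def parse_no_translation(line):
    """Return the fields of a 305005 message as a dict, or None for other IDs."""
    m = NO_XLATE_RE.search(line)
    return m.groupdict() if m else None


def summarize_directions(lines):
    """Count untranslated flows per (src_ifc, dst_ifc, src_ip).

    305005 fires when a packet matches no NAT rule for its interface pair, so
    the key with the highest count names the direction (and the real address)
    for which a nat/static statement is missing or not matching.
    """
    counts = Counter()
    for line in lines:
        fields = parse_no_translation(line)
        if fields is not None:
            counts[(fields["src_ifc"], fields["dst_ifc"], fields["src_ip"])] += 1
    return counts


# Constructed sample: the ICMP line from the thread (re-joined onto one line)
# plus two made-up lines, one TCP 305005 and one unrelated 302013 message.
SAMPLE_LOGS = [
    "%ASA-3-305005: No translation group found for icmp src INSIDE:172.30.10.1 "
    "dst OUTSIDE:203.199.44.37 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src INSIDE:172.30.10.1/51234 "
    "dst OUTSIDE:203.199.44.37/80",
    "%ASA-6-302013: Built inbound TCP connection 12 for OUTSIDE:203.199.44.37/4444 "
    "(203.199.44.37/4444) to INSIDE:172.30.10.1/80 (192.168.10.1/80)",
]

if __name__ == "__main__":
    for (src_ifc, dst_ifc, src_ip), n in summarize_directions(SAMPLE_LOGS).items():
        print(f"{n} untranslated flow(s) from {src_ip} on {src_ifc} towards {dst_ifc}")
```

Feed it the output of `show logging` (or a syslog export) to see at a glance whether the drops are inside-to-outside, as in this thread, or inbound.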