No, disabling nat-control is just to eliminate the extra static
(inside,outside). Outbound traffic from inside to outside for the
xlated server will still not be allowed. That's a standard security
feature.
For PBR on the switch, what switch is it? Did you follow the Cisco
recommended guidelines for configuring PBR, like not using deny ACEs? Try
PBR fast switching.
From my experience I can say that PBR does work on a switch.
Swap
#19804 x 2
On Wed, Nov 23, 2011 at 10:50 PM, <ccienovice_at_gmail.com> wrote:
> Hi Swap,
>
> Thanks for your reply.
>
> We already tried 1st solution but the CPU of the switch goes too high around 80-90%. Don't want to opt for second solution.
>
> Can the nat control be disabled? Will it resolve the problem?
>
> Cheers,
> Nick
> Sent on my BlackBerry. from Vodafone
>
> -----Original Message-----
> From: swap m <ccie19804_at_gmail.com>
> Date: Wed, 23 Nov 2011 22:30:36
> To: <ccienovice_at_gmail.com>
> Cc: Karim Jamali<karim.jamali_at_gmail.com>; <ccielab_at_groupstudy.com>
> Subject: Re: Bidirectional NAT
>
> That's normal. Dynamic outside NAT will not allow traffic to flow from
> inside to outside, even though static (in,out) is required & present
> for outside NAT to work (nat-control can be disabled to bypass this
> static).
>
>
> Two quick solutions (there can be many more..):
> 1. You can use two IP addresses on the server - one for each ISP - and do
> source-based policy routing on your L3 switch (requires EMI image on
> the switch).
> 2. Since you have routers on the perimeter, use the router to do NAT for
> internet hosts in the inbound direction and use static routing for the fixed
> destination, as you have rightly said. (A little ugly solution though!)
>
> Swap
> #19804 x 2
>
> On Wed, Nov 23, 2011 at 2:41 PM, <ccienovice_at_gmail.com> wrote:
>> Hi Karim,
>>
>> We have 2 ISPs coming in on 2 different routers. Each router connects to a firewall respectively. Both firewalls connect to an L3 switch. The L3 switch is load balancing the traffic. When traffic is initiated from outside to the internal servers, it is dropped due to TCP inspection on the firewall. Now, as the destination is fixed for the internal server, we can add a static route on the L3 switch.
>>
>> Cheers,
>> Nick
>> Sent on my BlackBerry. from Vodafone
>>
>> -----Original Message-----
>> From: Karim Jamali <karim.jamali_at_gmail.com>
>> Date: Wed, 23 Nov 2011 13:20:24
>> To: Nick E<ccienovice_at_gmail.com>
>> Cc: <ccielab_at_groupstudy.com>
>> Subject: Re: Bidirectional NAT
>>
>> Hi Nick,
>>
>> The static nat is bidirectional by nature, i.e. it doesn't really care
>> where the connection is initiated from. I don't see the value of the other
>> nat statements. You would only need an access-list to permit traffic from
>> the outside zone to the server.
>>
>> Thanks
>>
>> On Tue, Nov 22, 2011 at 7:19 PM, Nick E <ccienovice_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have configured bidirectional NAT on the ASA. The configuration is as
>>> follows:
>>>
>>> ======================
>>> nat (outside) 4 access-list OUT-TO-SVR outside
>>> !
>>> global (inside) 4 172.30.30.1
>>> !
>>> access-list OUT-TO-SVR extended permit ip any host 192.168.10.1
>>> !
>>> static (inside,outside) 192.168.10.1 172.30.10.1 netmask 255.255.255.255
>>> ========================
>>>
>>> I am facing a problem where the local IP is not getting translated to the global
>>> one, but from the internet the server is reachable. To be precise, the server can't
>>> access the internet, but from the internet the server is reachable.
>>>
>>> Please find the logs as follows:
>>>
>>> %ASA-3-305005: No translation group found for icmp src INSIDE:172.30.10.1
>>> dst OUTSIDE:203.199.44.37 (type 8, code 0)
>>>
>>> Thanks in advance
>>>
>>> Regards,
>>> Nikhil
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>> --
>> KJ
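As an added troubleshooting aid (not part of the thread or of any Cisco tool), the following Python script parses the %ASA-3-305005 message quoted above together with the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` statements from the posted configuration, counts untranslated flows per inside host, and flags hosts that already have a static yet still hit the message. A host with no static is simply missing a NAT rule; a host that has one but still logs 305005 points at the outside-NAT interaction Swap describes rather than a missing rule. The regular expressions, the `triage()` function and every log line except the one quoted in the thread are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class NoXlate(NamedTuple):
    """One %ASA-3-305005 event: a flow the ASA refused because no NAT rule matched it."""
    proto: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str


# Constructed regex (not from the page) for the 305005 layout shown in the thread.
# ICMP variants end in "(type N, code N)"; TCP/UDP variants carry "/port" after each address.
NO_XLATE_RE = re.compile(
    r"%ASA-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/\d+)?"
)

# Pre-8.3 static syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<real_ip>\d{1,3}(?:\.\d{1,3}){3}) netmask"
)


def parse_no_xlate(line: str) -> Optional[NoXlate]:
    """Return the parsed event, or None if the line is not a 305005 message."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    return NoXlate(m["proto"], m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"])


def parse_statics(config_text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each real (inside) IP that has a static to (real_if, mapped_if, mapped_ip)."""
    statics: Dict[str, Tuple[str, str, str]] = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics[m["real_ip"]] = (m["real_if"], m["mapped_if"], m["mapped_ip"])
    return statics


def triage(log_lines: List[str], config_text: str) -> Tuple[Counter, List[str]]:
    """Count untranslated flows per (interface, host) and list hosts that already have a static."""
    statics = parse_statics(config_text)
    per_host: Counter = Counter()
    for line in log_lines:
        ev = parse_no_xlate(line)
        if ev is not None:
            per_host[(ev.src_if, ev.src_ip)] += 1
    # Hosts that have a static but still log 305005 are not missing a rule; their
    # outbound flows are refused for another reason (the outside-NAT case in the thread).
    static_but_blocked = sorted(ip for (_iface, ip) in per_host if ip in statics)
    return per_host, static_but_blocked


# Configuration lines as posted in the thread.
ASA_CONFIG = """\
nat (outside) 4 access-list OUT-TO-SVR outside
global (inside) 4 172.30.30.1
access-list OUT-TO-SVR extended permit ip any host 192.168.10.1
static (inside,outside) 192.168.10.1 172.30.10.1 netmask 255.255.255.255
"""

SAMPLE_LOG = [
    # The message quoted in the thread.
    "%ASA-3-305005: No translation group found for icmp src INSIDE:172.30.10.1 "
    "dst OUTSIDE:203.199.44.37 (type 8, code 0)",
    # Constructed: the same server, TCP this time.
    "%ASA-3-305005: No translation group found for tcp src INSIDE:172.30.10.1/51234 "
    "dst OUTSIDE:203.199.44.37/80",
    # Constructed: a second inside host that has no static at all.
    "%ASA-3-305005: No translation group found for udp src INSIDE:172.30.10.5/53120 "
    "dst OUTSIDE:203.199.44.37/53",
    # Constructed: an unrelated connection-build message that must be ignored.
    "%ASA-6-302013: Built inbound TCP connection 12 for OUTSIDE:203.199.44.37/40000 "
    "(203.199.44.37/40000) to INSIDE:172.30.10.1/80 (192.168.10.1/80)",
]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG, ASA_CONFIG)
    for (iface, ip), n in counts.most_common():
        print(f"{iface}:{ip}  untranslated flows: {n}")
    print("hosts with a static that are still refused:", flagged)
```

Feed it a `show logging` capture and the `show running-config` output instead of the embedded samples; the point of the cross-reference is that a flagged host tells you to look at the outside NAT and nat-control interaction rather than at a missing static.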
Received on Thu Nov 24 2011 - 11:24:01 ART