ASA NAT - 1 to 1 static to an address in a dynamic pool?

Started by heath, July 29, 2015, 02:58:05 PM


heath

My ASA is configured to do dynamic 1-to-1 NAT using a pool of public addresses.  I also have a pool of public addresses designated for static NAT use. 

I have a need to change one of the inside clients from a dynamic NAT to a static 1-to-1 NAT.

Could I configure that static NAT using one of the addresses in the dynamic NAT pool?  Would that cause a conflict?  Would I need to adjust the pool to remove that address first?  Or will the ASA know not to use that address in another translation even though it's in the pool - sort of like a DHCP reservation?

deanwebb

If you are doing 1:1 NAT and you have a free public address for the internal device, you're good.

If you do not have available public addresses, then you can check to see if it uses different ports. For example, you could have address1:80 point to the IP of the internal web server and address1:53 point to the different IP of the internal DNS server.

That's for static... and I reread the OP and saw "dynamic". The answer there is that it will use an available address. If no address is available, there is an option to turn on overload on the last address so that it will handle devices that show up too late to get one of the available addresses.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

heath

I have two pools of addresses.  One large pool for dynamic NAT.  And I'm good there.  No shortage of addresses yet.  I do have overload enabled on the last address for dynamic PAT, however.

Then I have another smaller pool for static NAT.  Typically used for web servers and such. 

One of the internal clients (using the dynamic NAT pool) has requested a static translation.  Despite this being 2015, the security on a particular external service they need to use is to whitelist IP addresses.  Hence the request for a static NAT.

Since my pool of addresses reserved for static NAT is getting low, I was wondering about using one of the addresses in the dynamic NAT pool. 

Do I need to remove that address from the pool for that to work?  Or will the ASA treat it similar to how a DHCP server treats a reservation - as an address technically inside the pool of available addresses, but only used for one particular client?

Reggle

On 8.3, if you leave it in the dynamic pool, it will be used for dynamic source NAT like before and on top of that, some protocols expecting inbound traffic (FTP) will fail because anything that does not have an outgoing state will be forwarded to the static NAT server. I learned that in the field on a production ASA.
Don't do it. Remove the IP from the dynamic pool.

Two things you need to know about the ASA state table engine regarding this:
1) The state table is actually checked twice for packets passing the engine: first the static NATs will be checked, and if no match is found the dynamic NATs are checked. That causes the inbound connection weirdness. So a static NAT will take precedence over a dynamic NAT regardless of the following order in the rule table. I had this confirmed by TAC.
2) The NAT state table on an ASA can reuse external source ports for different destinations, effectively limiting the dynamic source NAT to (probably) 64,511 states per destination IP address. A single IP address for a dynamic NAT will go a long way with this, even with thousands of inside hosts.
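
As an added illustration of the advice above (example configuration, not from any poster in this thread), here is what carving the static address out of the dynamic pool looks like in ASA 8.3+ object NAT. The public range 203.0.113.0/24, the inside subnet, and the object names are placeholders; the mixed range/host object group for dynamic NAT with PAT fallback on the last address is assumed to match how the OP's pool is built.

```cisco
! Constructed example: give inside host 10.0.1.20 a static 1:1 NAT on
! 203.0.113.50, an address that used to sit inside the dynamic pool
! 203.0.113.10-203.0.113.99, with PAT overload on 203.0.113.100.

! BEFORE (problem case): .50 is still inside the dynamic range, so the
! static rule and the dynamic pool overlap on the same public address.
object network DYN-POOL-OLD
 range 203.0.113.10 203.0.113.99

! AFTER: split the range so 203.0.113.50 is no longer a dynamic candidate.
object network DYN-POOL-A
 range 203.0.113.10 203.0.113.49
object network DYN-POOL-B
 range 203.0.113.51 203.0.113.99
! Host entry in the group = PAT fallback once the ranges are exhausted
! (assumed to be how the OP's "overload on the last address" is set up).
object network PAT-LAST
 host 203.0.113.100
object-group network OUTSIDE-POOL
 network-object object DYN-POOL-A
 network-object object DYN-POOL-B
 network-object object PAT-LAST

object network INSIDE-LAN
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic OUTSIDE-POOL

! Static 1:1 for the client that needs a fixed, whitelistable address.
object network CLIENT-STATIC
 host 10.0.1.20
 nat (inside,outside) static 203.0.113.50

! Checks: the static rule should be listed ahead of the dynamic one, and
! only 10.0.1.20 should ever hold a translation to 203.0.113.50.
show nat detail
show xlate global 203.0.113.50
```

Run the two show commands after a few minutes of traffic; if any inside host other than 10.0.1.20 appears against 203.0.113.50, the address is still being handed out dynamically.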

deanwebb
