Using Source NAT for Dual Homed Servers

October 17, 2013

In a situation where you have servers that are dual homed with two NICs, you can run into a problem where traffic arriving on one NIC leaves through the other NIC's gateway, which breaks connectivity back to the source. To fix this, you can use a source NAT so that the source address of traffic coming in is translated to a fixed IP on the internal side before it is passed to the server. This ensures that when the server replies on the NIC with no gateway (the gateway must be on the interface that is not behind the firewall), it replies to the firewall, and the firewall can then handle the routing properly. Here is the NAT command specifying that any source coming in on the outside interface matches NAT ID 1 (remember that ID 0 is always an exemption):

nat (outside) 1 0.0.0.0 0.0.0.0 outside

Next we create the global command, which says that any source matched above will be translated to a specific IP. Note that this IP must be on the same subnet as the server's internal interface, the one that DOES NOT have a gateway:

global (inside) 1 10.10.61.8

Now, since not every server will be dual homed, we need to add exemptions for servers that sit behind the firewall with the appropriate gateway set on their single NIC. First we create the NAT exemption tied to an ACL:

nat (outside) 0 access-list outside_nat0_outbound outside

These are the regular static NATs for the servers that are not dual homed; nothing is different here for those servers:

static (inside,outside) 169.163.143.160 10.10.61.20 netmask 255.255.255.255 dns
static (inside,outside) 169.163.143.170 10.10.61.21 netmask 255.255.255.255 dns
static (inside,outside) 169.163.143.180 10.10.61.22 netmask 255.255.255.255 dns
static (inside,outside) 169.163.143.190 10.10.61.23 netmask 255.255.255.255 dns

Lastly, those servers need their exemptions so they DO NOT use the source NAT, since we want them to reply through their proper gateway to incoming traffic that did not originate on the same internal subnet:

access-list outside_nat0_outbound extended permit ip any host 10.10.61.20
access-list outside_nat0_outbound extended permit ip any host 10.10.61.21
access-list outside_nat0_outbound extended permit ip any host 10.10.61.22
access-list outside_nat0_outbound extended permit ip any host 10.10.61.23

Again, make sure the dual homed servers are set up so that the NIC behind the firewall has no gateway and the NIC outside the firewall has its appropriate gateway. Traffic bypassing the firewall then uses that gateway, while traffic coming through the firewall looks as if it was initiated by the firewall's inside address on the same subnet, so the server answers it on-link via ARP and the reply makes it back properly.
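To make the intended packet flow concrete, here is an added Python model (not part of the original post, and not a Cisco tool) that parses the commands above, applies them in the ASA's NAT order (nat 0 exemption first, then the nat/global pair) and checks which NIC a host's reply leaves on. The dual-homed host at 10.10.61.50 and its static, the Internet client 203.0.113.7, and the gateway addresses 169.163.143.1 and 10.10.61.1 are constructed assumptions that are not in the post:

```python
import ipaddress

# Constructed example config: the pre-8.3 ASA commands from the post, plus one
# constructed static for a dual-homed host (10.10.61.50) that is deliberately
# NOT listed in the nat 0 exemption ACL, so the source NAT applies to it.
ASA_CONFIG = """\
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 10.10.61.8
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,outside) 169.163.143.160 10.10.61.20 netmask 255.255.255.255 dns
static (inside,outside) 169.163.143.170 10.10.61.21 netmask 255.255.255.255 dns
static (inside,outside) 169.163.143.150 10.10.61.50 netmask 255.255.255.255 dns
access-list outside_nat0_outbound extended permit ip any host 10.10.61.20
access-list outside_nat0_outbound extended permit ip any host 10.10.61.21
"""


def parse_config(text):
    """Parse the command forms used in the post into a small policy table."""
    cfg = {"dynamic": [], "exempt_acls": [], "global": {}, "static": {}, "acl": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nat" and p[2] == "0":
            cfg["exempt_acls"].append(p[4])            # nat 0 access-list NAME: exemption
        elif p[0] == "nat":
            net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
            cfg["dynamic"].append((int(p[2]), net))    # nat ID -> sources it matches
        elif p[0] == "global":
            cfg["global"][int(p[2])] = p[3]            # nat ID -> inside address to use
        elif p[0] == "static":
            cfg["static"][p[2]] = p[3]                 # mapped (outside) -> real (inside)
        elif p[0] == "access-list":
            # access-list NAME extended permit ip any host ADDR
            cfg["acl"].setdefault(p[1], []).append((p[5], p[7]))
    return cfg


def inbound_translation(cfg, src, mapped_dst):
    """What a server sees for a packet from src to mapped_dst arriving on outside.

    Mirrors the ASA order: find the real host via the static, honour the nat 0
    exemption first, then apply the dynamic nat/global pair. Returns
    (real_dst, source_as_seen_by_server), or None if nothing maps the destination.
    """
    real = cfg["static"].get(mapped_dst)
    if real is None:
        return None
    for name in cfg["exempt_acls"]:
        for acl_src, acl_dst in cfg["acl"].get(name, []):
            if acl_src == "any" and acl_dst == real:
                return real, src                       # exempt: original source kept
    for nat_id, net in cfg["dynamic"]:
        if ipaddress.ip_address(src) in net and nat_id in cfg["global"]:
            return real, cfg["global"][nat_id]         # rewritten to the inside global IP
    return real, src


# Constructed host models. The dual-homed host has no gateway on its inside NIC;
# the single-homed host uses the firewall's inside interface (assumed 10.10.61.1).
DUAL_HOMED = {
    "inside": {"subnet": ipaddress.ip_network("10.10.61.0/24"), "gateway": None},
    "bypass": {"subnet": ipaddress.ip_network("169.163.143.0/24"), "gateway": "169.163.143.1"},
}
SINGLE_HOMED = {
    "inside": {"subnet": ipaddress.ip_network("10.10.61.0/24"), "gateway": "10.10.61.1"},
}


def reply_egress(nics, reply_dst):
    """NIC a host answers from: an on-link subnet (resolved by ARP) beats the default route."""
    addr = ipaddress.ip_address(reply_dst)
    for name, nic in nics.items():
        if addr in nic["subnet"]:
            return name
    return next(name for name, nic in nics.items() if nic["gateway"])


def path_is_symmetric(cfg, nics, src, mapped_dst):
    """True when the reply leaves on the NIC the firewall delivered to ("inside")."""
    real, seen_src = inbound_translation(cfg, src, mapped_dst)
    return reply_egress(nics, seen_src) == "inside"


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    client = "203.0.113.7"                             # constructed Internet client
    print("dual-homed host sees:", inbound_translation(cfg, client, "169.163.143.150"))
    print("symmetric with source NAT:", path_is_symmetric(cfg, DUAL_HOMED, client, "169.163.143.150"))
    print("reply NIC without source NAT:", reply_egress(DUAL_HOMED, client))
    print("exempt host sees:", inbound_translation(cfg, client, "169.163.143.160"))
```

Running it shows the two cases the post describes: the dual-homed host sees 10.10.61.8 as the source and answers on its inside NIC, whereas without the translation the same reply would follow the default route out the bypass NIC; the exempted single-homed host keeps the real client address and replies through its gateway. Moving the global address off the 10.10.61.0/24 subnet makes path_is_symmetric return False for the dual-homed host, which is the check behind the post's note that the global IP must be on the server's inside subnet.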