topic Re: U-Turn NAT question in General Topics

U-Turn NAT question

AllanGao — Fri, 27 Aug 2021 20:21:16 GMT

When setup U-turn NAT, can see SNAT part using an internal interface for DIPP. But in the scenario A/P FW has two downstream switches, ie. two internal interfaces, if need to setup 2 U-turn NAT policies . So that when the primary link down, can use the 2nd NAT(which using 2nd internal interface ip address as DIPP)? Please help.

Re: U-Turn NAT question

S.Cantwell — Fri, 27 Aug 2021 22:22:44 GMT

Hi there

I think it is important to remember that in HA... that 99% of your configuration is synch'd between the FWs (what does not get synch'd is mgmt IP, hostname, and HA configuration). So your inside interface on FW1 is also on FW2. It is not clear if you mean that both FWs will each have 2 interfaces, or if you are referring each FW having a single interface (but technically, there are 2 internal interfaces).

My point is that whatever you configure on FW1 will show up on FW2. You cannot have 2 different IPs across the internal interface. If you worried about redundancy, you set up 2 interfaces on each FW into an AE (aggregated ethernet interface), so if 1 cable gets unplugged, the FW does not lose/failover.

Re: U-Turn NAT question

AllanGao — Fri, 27 Aug 2021 22:50:06 GMT

Hi Steve, thanks a lot for the reply. And sorry for the confusion, the thing is two internal interfaces on each FWs.

And looks U-NAT require SNAT part to use internal interface ip address as a DIPP translated to. So my question is based on this, if need to have 2 U-NAT policy so that can have 2 diff. internal interface ip there for the SNAT part. And this is kind of redundancy when 1 internal interface went down.

Re: U-Turn NAT question

S.Cantwell — Sat, 28 Aug 2021 20:29:38 GMT

Hi Allan

I think I understand your question. The NAT policies on the FW allow for a matching condition of Destination Interface, so if you have 2 internal interfaces on the FW, then you could have 2 different UTurn NAT rules, defining the destination interface, so if one went down, the other would then be active.

However, as I suggested, I am not sure I agree that you need to have 2 internal interfaces defined. Instead, define 2 internal interfaces as an aggregated interface, with a single IP. So if one interface when down, you will have the 2nd interface active, and really only need a single UTurn NAT rule. Try not to make your configuration more complicated. AE interfaces will work for what you need vs 2 separate UTurn NAT rules. Hope that makes sense.

Re: U-Turn NAT question

AllanGao — Tue, 31 Aug 2021 03:41:21 GMT

Thanks again, Steve!