Active / Active NAT question


L4 Transporter



To all the A/A users: how have you (or can you) set up SNAT so that all traffic is SNAT'ed to one IP?


Very basic example:


eth1 - connects to - interface address is & (A/A) ARP load balanced

eth2 - connects to - interface address is & (A/A) ARP load balanced


A policy that says everything from eth2 leaving eth1 gets SNAT'ed to . How do I do this on A/A?





Cyber Elite



I really believe that for HA A/A you need to have L2 switches upstream/downstream of the FWs.

The arp load sharing config allows for a single IP to be shared by both FWs, hence 2 virtual mac addresses.

So the ARP table on the L3 switch is going to have 2 entries for the same IP, but with 2 different MAC addresses?

How is that possible?




Based on the parity of the source IP, the FWs will load share (not balance) the sessions.

Yet, if the router has a static IP that is even, then only 1 FW would technically handle the inbound traffic.


I mean you could program the FW to use a SNAT of, but I believe that the response traffic would only go to a single FW.


What other questions can I answer for you.




Help the community: Like helpful comments and mark solutions



I get the L2 stuff; this is more around the NAT.


If I have one SNAT and say it is associated with device 0 (if I have device 0 and device 1):


If traffic enters device 1 and the rules state to use NAT, it will go to device 0 via the cross connect, then be NAT'ed and then sent out.


In the reverse, if a return packet comes in and goes to device 1, it will go to device 0, be un-SNAT'ed and then sent inside.


So if device 0 fails, that NAT will move to device 1 and just work there.


Is that how it works?



If you have configured ARP load sharing on your FWs, then both device 0 and device 1 would be sending the SNAT through their respective eth1/1 interface. It would not (to the best of my knowledge) use the HA3 to perform asynchronous routing.


If device 0 fails, then device 1 will still have the SNAT on it.


What other questions can we answer for you?



Let me expand




So I have added a diagram; it might help.
So A/A cluster: Device0 & Device1.
The relevant link to the doco:

So my aim is to have one SNAT for all traffic that comes from inside ( to outside (eth1).
The SNAT is . I think just having it as a SNAT will make the PA respond to ARP requests for it on eth1.

On the inside I have 3 VLANs, with .1 being the DGW for each LAN, set up as ARP load sharing.

So if the NAT policy is attached to device 0, my expectation would be for -> -> (goes to device 0):
device 0 has the NAT pool,
then the response would be -> .
So when one of the routers on the internet side does ARP, device 0 will respond because it has the SNAT policy.

That all works fine.

So let's look at -> -> (goes to device 1).
What happens here? The NAT policy is only active on device 0.
Does the packet get sent to device 0 via the HA link, or ??





Hello again.


Thanks for the picture and the detail.


There are some assumptions you made, that I want to clear up.

With ARP Load sharing, you really cannot force device 0 to own the virtual IP.



By definition, ARP load sharing means BOTH FWs will own the address.




If you wanted to do Floating IP, then yes, you could have device 0 own the IP.




You would need to configure Floating IP for your outside interfaces, so that is associated with device 0 (as you want).

How would 192.168.3.x get out?  You would need to config a 2nd Floating IP for the device1 FW.


Something like this... (the IPs are not the same, but you would get the gist of it):




The idea (according to the picture) is that BOTH FWs are configured with a weighted configuration, so that each device0 or device1 FW could fail, and the other FW outside interfaces would "float" to the other FW.






Just for clarity: yes, I understand how ARP load sharing works and, depending on which method you use, you can predict which device responds. From memory, an increment of 1 in the 4th octet will change the device. This is similar to how ARP IP load sharing works in Linux, last time I looked. So yes, it's active on both and the packet actually gets to both; it's a matter of which device responds.


But basically you are confirming my original thought: with A/A you can't share one SNAT address, because if a packet traverses the device that doesn't have the active NAT rule, no NAT rule would apply. That to me seems like a very big deficiency...


This lines up with the doco, though, and with what I got from support and from the SE. I went through this exercise nearly 2 years ago.
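The two posts above (the "parity of the source IP" reply and the "increment of 1 in the 4th octet" follow-up) both describe the same mechanism: under ARP load sharing with the IP Modulo selection rule, the low bit of the ARP requester's address decides which firewall answers. The script below is an added example, not code from the thread or from Palo Alto Networks. It models only that selection step, under the assumption that an even requester address maps to device 0 and an odd one to device 1, and then shows the consequence the thread is circling: an inside host's own address decides which firewall its outbound traffic reaches, while the upstream router's single fixed address decides which firewall receives every return packet for the shared SNAT address. The host, VLAN and router addresses are constructed sample data; what PAN-OS then does with a packet that lands on the non-owning device (session owner selection, HA3 forwarding) is outside this model.

```python
"""
Added example (not from the thread or from PAN-OS): simulate which device
of an Active/Active pair answers ARP for an ARP-load-shared address under
the IP Modulo rule, and what that means for one shared SNAT address.

Assumption: IP Modulo = parity of the requester's 32-bit IPv4 address,
even -> device 0, odd -> device 1. All addresses below are constructed.
"""
import ipaddress
from collections import Counter


def ip_modulo_owner(requester_ip: str) -> int:
    """Device (0 or 1) that answers an ARP request from requester_ip for an
    ARP-load-shared address: even address -> device 0, odd -> device 1."""
    return int(ipaddress.IPv4Address(requester_ip)) & 1


def outbound_device(inside_host: str) -> int:
    """The inside host ARPs its default gateway (.1, ARP load shared), so the
    host's own address decides which device receives its outbound traffic."""
    return ip_modulo_owner(inside_host)


def return_device(upstream_router: str) -> int:
    """The upstream router ARPs the SNAT address on eth1, so the router's
    address decides which device receives all return traffic."""
    return ip_modulo_owner(upstream_router)


def session_path(inside_host: str, upstream_router: str) -> dict:
    """Which device sees the outbound leg, which sees the return leg, and
    whether both legs land on the same device."""
    out_dev = outbound_device(inside_host)
    back_dev = return_device(upstream_router)
    return {
        "host": inside_host,
        "out": out_dev,
        "back": back_dev,
        "symmetric": out_dev == back_dev,
    }


def summarize(inside_hosts, upstream_router: str) -> Counter:
    """Count how many hosts' flows leave and return via the same device."""
    counts = Counter()
    for host in inside_hosts:
        path = session_path(host, upstream_router)
        counts["symmetric" if path["symmetric"] else "asymmetric"] += 1
    return counts


# Constructed sample data: three inside VLANs as in the thread, hosts .10-.13
# in each, and one upstream router with a fixed even address (so only
# device 0 ever answers ARP for the shared SNAT address).
SAMPLE_HOSTS = [f"192.168.{vlan}.{host}" for vlan in (1, 2, 3) for host in range(10, 14)]
SAMPLE_ROUTER = "203.0.113.2"


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        p = session_path(host, SAMPLE_ROUTER)
        status = "ok" if p["symmetric"] else "ASYMMETRIC"
        print(f"{p['host']:<14} out via device {p['out']}  back via device {p['back']}  {status}")
    print(summarize(SAMPLE_HOSTS, SAMPLE_ROUTER))
```

Running it shows that with an even-addressed router every return packet for the shared SNAT address arrives at device 0, so the odd-addressed inside hosts (half of them, under this sample) have their outbound leg on device 1 and their return leg on device 0. Changing `SAMPLE_ROUTER` to an odd address flips which half is asymmetric; it never makes both halves symmetric, which is the point the thread makes about a single shared SNAT address with ARP load sharing.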


