To all the A/A users: how have you, or can you, set up SNAT so that all traffic is SNAT'ed to 1 IP?
Very basic example:
Eth1 - connects to 188.8.131.52/24 - interface address is 184.108.40.206/24 & 220.127.116.11/24 (A/A), 18.104.22.168 ARP load balanced
Eth2 - connects to 10.10.10.0/24 - interface address is 10.10.10.2/24 & 10.10.10.3/24 (A/A), 10.10.10.1 ARP load balanced
Policy that says everything from eth2 leaving eth1 gets SNAT'ed to 22.214.171.124. How do I do this on A/A?
I really believe that for HA A/A you need to have L2 switches upstream/downstream the FWs.
The arp load sharing config allows for a single IP to be shared by both FWs, hence 2 virtual mac addresses.
So the ARP table on the L3 switch is going to have 2 entries for the same IP, but with 2 different MAC addresses?
How is that possible?
Based on the parity of the source IP, the FWs will load share (not balance) the sessions.
Yet, if the router has a static IP that is even, then only 1 FW would technically handle the inbound traffic.
I mean you could program the FW to use a SNAT of 126.96.36.199, but I believe that the response traffic would only go to a single FW.
What other questions can I answer for you?
I get the L2 stuff. This is more around the NAT.
If I have 1 SNAT and say it's associated with device 0 (if I have device 0 and device 1):
If traffic enters device 1 and the rules state to use NAT, it will go to device 0 via the cross connect, then be NAT'ed and then sent out.
In the reverse, if a return packet comes in and goes to device 1, it will go to device 0 and be un-SNAT'ed and then sent inside.
So if device 0 fails, that NAT will move to device 1 and just work there.
Is that how it works?
If you have configured arp load sharing on your FWs, then both device 0 and device 1 would be sending the SNAT through their respective eth1/1 interface. It would not (to the best of my knowledge) use the HA3 to perform asynchronous routing.
If device 0 fails, then device 1 will still have the SNAT on it.
What other questions can we answer for you?
Let me expand.
So I have added a diagram - might help.
So: A/A cluster, Device0 & Device1.
The relevant link to the doco
So my aim is to have 1 SNAT for all traffic that comes from inside (192.168.0.0/16) to outside (eth1).
The SNAT is 10.0.0.1/32 - I think just having it as a SNAT will make the PA respond to ARP requests for it on eth1.
On the inside I have 3 VLANs: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, with .1 being the DGW for each LAN, set up as ARP load sharing.
So if the NAT policy is attached to device 0, my expectation would be, for 192.168.1.250 -> 10.10.10.250:
192.168.1.250 -> 192.168.1.1 (goes to device 0)
device 0 has the NAT pool
SNAT 10.0.0.1 -> 10.10.10.250
then response would be 10.10.10.250 -> 10.0.0.1
So when one of the routers on the internet side ARPs for 10.0.0.1, device 0 will respond because it has the SNAT policy.
That all works fine.
So let's look at 192.168.3.250 -> 10.10.10.250:
192.168.1.250 -> 192.168.1.1 (goes to device 1)
?? What happens here? The NAT policy is only active on device 0.
Does the packet get sent to device 0 via the HA link, or ??
Thanks for the picture and the detail.
There are some assumptions you made, that I want to clear up.
With ARP Load sharing, you really cannot force device 0 to own the virtual IP.
By definition, ARP load sharing means BOTH FWs will own the 192.168.1.1 address.
If you wanted to do Floating IP, then yes, you could have device 0 own the IP.
You would need to configure Floating IP for your outside interfaces, so that 10.0.0.1 is associated with device 0 (as you want).
How would 192.168.3.x get out? You would need to configure a 2nd Floating IP for the device1 FW.
Something like this.... (IPs are not the same) but you would get the gist of it...
The idea (according to the picture) is that BOTH FWs are configured with a weighted configuration, so that each device0 or device1 FW could fail, and the other FW outside interfaces would "float" to the other FW.
Just for clarity - yes, I understand how ARP load sharing works, and depending on which method you use you can predict which device responds. From memory, an increment of 1 in the 4th octet will change the device. This is similar to how ARP IP load sharing works in Linux - last time I looked. So yes, it's active on both and the packet actually gets to both; it's a matter of which device responds.
But basically you are confirming my original thought: with A/A you can't share 1 SNAT address, because if a packet traverses the device that doesn't have the active NAT rule, no NAT rule would apply. That to me seems like a very big deficiency...
Lines up with the doco though and what I got from support and from the SE - I went through this exercise nearly 2 years ago.
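The coverage gap discussed in this thread, modelled as an added example (not PAN-OS code and not from any of the posters): ARP load sharing hands each inside host to device 0 or device 1 by the parity of its IP (the "IP modulo" behaviour described above; even -> device 0 and odd -> device 1 is an assumption), so a SNAT rule bound to one device silently leaves the other device's flows untranslated, while the per-device floating-IP design from the reply covers every host. The second SNAT address and the sample hosts are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed model of an A/A pair with ARP load sharing on the shared inside
# gateways. Ownership by parity of the requesting host's address is an
# assumption that mirrors the thread's description, not a vendor algorithm.
DEVICE0, DEVICE1 = 0, 1


def arp_owner(src_ip: str) -> int:
    """Device that answers the gateway ARP for src_ip, hence receives its traffic."""
    return DEVICE0 if int(ipaddress.ip_address(src_ip)) % 2 == 0 else DEVICE1


def translate(src_ip: str, snat_rules: Dict[int, str]) -> Optional[str]:
    """Apply the SNAT owned by the device the flow lands on.

    snat_rules maps device -> SNAT address. A rule bound to one device only
    matches flows entering that device; a flow landing on a device with no
    rule leaves with its original source address, reported here as None.
    """
    return snat_rules.get(arp_owner(src_ip))


def audit(hosts: List[str], snat_rules: Dict[int, str]) -> Dict[str, Optional[str]]:
    """Map every host to the SNAT it gets, so coverage gaps are visible."""
    return {h: translate(h, snat_rules) for h in hosts}


def untranslated(hosts: List[str], snat_rules: Dict[int, str]) -> List[str]:
    """Hosts whose outbound traffic would leave eth1 without any SNAT."""
    return [h for h, snat in audit(hosts, snat_rules).items() if snat is None]


# Constructed sample hosts spread over the thread's three inside VLANs.
HOSTS = ["192.168.1.250", "192.168.1.251", "192.168.2.10", "192.168.3.250", "192.168.3.7"]

# Design 1 (the original question): one SNAT, 10.0.0.1, bound to device 0 only.
SINGLE_SNAT = {DEVICE0: "10.0.0.1"}
# Design 2 (the reply): a floating outside IP per device, each with its own SNAT.
# 10.0.0.2 is a constructed placeholder for the second floating address.
PER_DEVICE_SNAT = {DEVICE0: "10.0.0.1", DEVICE1: "10.0.0.2"}

if __name__ == "__main__":
    for name, rules in (("single SNAT", SINGLE_SNAT), ("per-device SNAT", PER_DEVICE_SNAT)):
        print(f"{name}: untranslated hosts = {untranslated(HOSTS, rules)}")
```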