
Masquerading and SNAT is not working with Additional addresses

Hi,

We have an SG310 with the latest updates installed. We have 5 public IPs from our ISP "X" and another 5 from ISP "Y". What I want to have is:

  • Our production network (eth0) will get out through (eth1) ISP"X" with a public IP(1)
  • Our Mail Exchange server (eth0) will get out through (eth1) ISP"X" with a public IP(2)
  • Our FTP server (eth0) will get out through (eth1) ISP"X" with a public IP(3)
  • Our Guest network (eth4) will get out through (eth5) ISP"X" with a public IP(2) 
  • Site to Site VPN will be using eth6 and eth7 ISP"Y" IP(1)

The setup is :

  • eth0, eth4, eth6: internal networks with different subnets
  • eth1, eth5, eth7: external public IPs with gateways
  • Used uplink balancing for the three external interfaces and multipath rules to link each internal interface with its external one, as explained above
  • Exchange server public IP and FTP public IP: used them by creating additional addresses linked with eth1 and used Masquerading to use the additional address

Until now everything is working as it should, except the Exchange and FTP (additional addresses).

When I am testing using "what is my IP" at the Exchange, I got the main external IP and not the additional address that I used in Masquerading.

Further tests:

  • The Guest network (eth4, eth5) cannot get out unless I create a Masquerading rule
  • Masquerading with additional addresses is working fine, DNAT/SNAT also, with the guest network
  • The production network (eth0, eth1) can access the internet without Masquerading
  • The VPN site network (eth6, eth7) can access the internet without Masquerading
  • Both the production network (eth0, eth1) and the VPN site network (eth6, eth7) do not work with Masquerading with additional addresses

My feeling is that there is something internal overriding my setting of the Masquerading with additional addresses related to (eth0, 1, 4, 5), or I am not sure if it's related to the interface or the internal subnets I am using.

The SG310 will be replacing the old ASA that we have now. Both firewalls are connected to the ISPs' routers at the same time; could the reason be that I am using the same subnet on both firewalls while connecting to the same ISP router? FYI, I am testing on unused public IPs and with a laptop connecting directly to the SG310.

Kind regards,

Abdullah

  • Hello everyone,

    Many thanks for your quick replies and sorry for my late one. Not used to the community yet and did not receive an email that there were comments on my question.

    Anyhow, the problem was, as I expected, that the production network goes through the ASA and my demo device is connecting to the same ISP router. Once I migrated the ASA to the SG310, after some time everything worked well.

    @Matthias, you are right, the Masquerading is needed for all the eths to get out when I migrated. I would explain it was working before due to the same reason above.

    Many thanks again, guys
    Abdullah