Cisco ASA Series Cli Configuration Manual page 285

Chapter 1 Configuring a Cluster of ASAs
Multicast Routing in Individual Interface Mode
In Individual interface mode, units do not act independently with multicast. All data and routing packets
are processed and forwarded by the master unit, thus avoiding packet replication.
NAT
NAT can impact the overall throughput of the cluster. Inbound and outbound NAT packets can be sent to
different ASAs in the cluster because the load balancing algorithm relies on IP addresses and ports, and
NAT causes inbound and outbound packets to have different IP addresses and/or ports. When a packet
arrives at an ASA that is not the connection owner, it is forwarded over the cluster control link to the
owner, causing large amounts of traffic on the cluster control link.
If you still want to use NAT in clustering, then consider the following guidelines:
•
•
•
•
•
•
•
No Proxy ARP—For Individual interfaces, a proxy ARP reply is never sent for mapped addresses.
This prevents the adjacent router from maintaining a peer relationship with an ASA that may no
longer be in the cluster. The upstream router needs a static route or PBR with Object Tracking for
the mapped addresses that points to the Main cluster IP address. This is not an issue for a Spanned
EtherChannel, because there is only one IP address associated with the cluster interface.
No interface PAT on an Individual interface—Interface PAT is not supported for Individual
interfaces.
NAT pool address distribution—The master unit evenly pre-distributes addresses across the cluster.
If a member receives a connection and they have no addresses left, the connection is dropped, even
if other members still have addresses available. Make sure to include at least as many NAT addresses
as there are units in the cluster to ensure that each unit receives an address. Use the show nat pool
cluster command to see the address allocations.
No round-robin—Round-robin for a PAT pool is not supported with clustering.
Dynamic NAT xlates managed by the master unit—The master unit maintains and replicates the
xlate table to slave units. When a slave unit receives a connection that requires dynamic NAT, and
the xlate is not in the table, it requests the xlate from the master unit. The slave unit owns the
connection.
Per-session PAT feature—Although not exclusive to clustering, the per-session PAT feature
improves the scalability of PAT and, for clustering, allows each slave unit to own PAT connections;
by contrast, multi-session PAT connections have to be forwarded to and owned by the master unit.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires
multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT. For more
information about per-session PAT, see the
page 1-9 in the firewall configuration guide.
No static PAT for the following inspections—
–
FTP
–
PPTP
–
RSH
–
SQLNET
–
TFTP
–
XDMCP
–
All Voice-over-IP applications
Information About ASA Clustering
"Per-Session PAT vs. Multi-Session PAT" section on
Cisco ASA Series CLI Configuration Guide
1-21