topic Re: NAT help in Network Security

NAT help

brandon.hodge — Mon, 11 Mar 2019 09:40:58 GMT

I'm having an issue working with a PIX 7.0 that has lots of history. There is a ton of entries like below:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I'm trying to make one ip address on that subnet come out as the firewall external IP. I have the global (outside) 1 interface set up with the nat (inside) 1 192.168.1.5. This doesn't work unless I pull out the static entry for the entire subnet.

The main problem I'm having is for some reasos when I pull out the static that has the subnet. Without the static entry the subnet comes out with an address other than itself. What does the PIX do for an address that doesn't have a static or global entry set up?

Re: NAT help

acomiskey — Fri, 02 Mar 2007 17:28:49 GMT

Your problem is with nat order of operations. The static for the 192 subnet takes precedence over your regular nat for 192.168.1.5.

1. nat exemption

2. static nat

3. static pat

4. policy nat

5. regular nat

Re: NAT help

brandon.hodge — Fri, 02 Mar 2007 17:30:54 GMT

So why is it when I pull the static for the entire subnet they come out nat'd to something else?

Re: NAT help

acomiskey — Fri, 02 Mar 2007 17:38:29 GMT

What is the address?

It is NATing somewhere, if it's not in the static, it could be 3-5 mentioned above. Find the address in your config and you will know where.

Re: NAT help

brandon.hodge — Fri, 02 Mar 2007 17:40:54 GMT

I guess a better question would be: why would you put in a static entry for an address to NAT the address it already has? Shouldn't it already do this without that entry?

Re: NAT help

acomiskey — Fri, 02 Mar 2007 17:46:06 GMT

not sure I follow anymore

Re: NAT help

brandon.hodge — Fri, 02 Mar 2007 17:48:57 GMT

sorry...

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

What is the purpose of an entry like that? Shouldn't anything on the 192.168.1.0 come out with it's real address even without that entry?

Re: NAT help

acomiskey — Fri, 02 Mar 2007 17:54:41 GMT

not if you have nat-control enabled

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.

Re: NAT help

brandon.hodge — Fri, 02 Mar 2007 17:56:21 GMT

none in the running config

Re: NAT help

acomiskey — Fri, 02 Mar 2007 18:06:29 GMT

It would also need to be there if you had something like

global (outside) 1 x.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0

and you did not want 192.168.1.0 to be PAT'ed to x.x.x.x

Hope that makes sense, I don't know enough about your environment to know whether it is needed or not.

Re: NAT help

brandon.hodge — Fri, 02 Mar 2007 18:16:23 GMT

That's actually what the problem was I just found it 10 minutes ago. You've been a great help acomiskey thanks a ton 🙂

Re: NAT help

acomiskey — Fri, 02 Mar 2007 18:19:12 GMT

no prob, please rate if it helped.

Re: NAT help

Florin Barhala — Wed, 20 Mar 2013 14:52:22 GMT

Hi guys,

I reopen this thread as it's close to my scenario.

I got a 7.2 IOS version ASA that has nat-control enabled and I have this config:

static (intranet,outside) 192.168.0.5 192.168.0.5 netmask 255.255.255.255

Here is the rest of the config, that might be important:

interface Ethernet0/2

nameif intranet

security-level 100

ip address 192.168.0.1 255.255.254.0

nat (intranet) 0 access-list no_nat_intranet

nat (intranet) 1 access-list nat_users

global (dmz) 1 80.B.C.D

access-list nat_users line 1 extended permit ip 192.168.0.0 255.255.255.128 any

And here I got the pin:

access-list no_nat_intranet line 1 extended permit ip 192.168.0.0 255.255.254.0 192.168.10.0 255.255.255.0

access-list no_nat_intranet line 2 extended permit ip host 192.168.0.183 any

access-list no_nat_intranet line 3 extended permit ip host 192.168.0.5 any

What does this statement "states"? Can anyone kindly detail it?

And why is it necessary to exempt it again in NAT_Exempt statement?

NAT help

Jouni Forss — Wed, 20 Mar 2013 15:06:01 GMT

Hi,

Well it seems you have 2 configurations for the host 192.168.0.5

The "static" configuration line is a Identity NAT that basically states that the address isnt translated when its accessing networks behind "outside" interface which doesnt make much sense since its private IP address. (Unless you have some other device doing NAT infront of the firewall)

The "nat (intranet) 0" and one of its ACLs line basically states that when the host 192.168.0.5 tries to connect to "any" host on any interface, it shouldnt be NATed.

The "static" line only applies between "intranet" and "outside" WHILE the "nat (intranet) 0" applies between "intranet" and "any"

So I would have to guess that the NAT0 rules reason for being there is to prevent NAT from being done to this host 192.168.0.5 no matter where it connects through this firewall.

- Jouni

NAT help

Florin Barhala — Wed, 20 Mar 2013 15:35:06 GMT

Thanks mate!

Basically this means, I can remove the static NAT statement, as it is covered by the nat 0 ACL.

Next, if I disable nat-control on the running config, firewall being used in production do you think it can cause any traffic disruption?

From what I read, it wouldn't make sense. Trouble might arise when enabling it (nat-control) if config lacks of some inside-to-outside nat statements. Am I right on this judgement?

NAT help

Jouni Forss — Wed, 20 Mar 2013 16:59:31 GMT

Hi,

Would seem correct to me.

Though personally I have never really had the need to change the "nat-control" setting. Though usually when I am doing some change that I have uncertainty I lab it or do the change during hours where any possible problem wouldnt cause much issues for users.

Here is a link to a Cisco document about "nat-control" setting

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1082396

- Jouni