topic Why NAT different destination static but same source static? in Network Security

Why NAT different destination static but same source static?

getaway51 — Fri, 21 Feb 2020 16:16:45 GMT

NAT cmds below will nat source & dest to which network-X or net-Y or net-Z? What is the reason so many identical "nat (inside,any) source static net-10.1.1.0 net-10.1.1.0" But with different "net-X net-X"?

nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.27.0.0 net-172.27.0.0 no-proxy-arp route-lookup
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.25.0.0 net-172.25.0.0 no-proxy-arp route-lookup

Re: Why NAT different destination static but same source static?

Francesco Molino — Tue, 25 Sep 2018 04:38:38 GMT

Hi

They look similar and these are Nat exemption. This means, traffic initiated from the source 10.1.1.0 from inside will never be natted where ever interface the traffic goes through as soon it goes to the 3 destinations configured.

Let's take an example. Let's say the subnet 172.1.10.0 is your vpn users behind the outside interface. When someone from inside reaches outside, he'll be natted (e.g. internet access) but when an inside guy talk to vpn user, hosted on the outside, you don't want them to be natted.

Re: Why NAT different destination static but same source static?

Ajay Saini — Tue, 25 Sep 2018 05:56:56 GMT

Hello,

These NAT statements are bidirectional, which means that any traffic trying to reach out to a specific destination will check that NAT statement. For example, the first NAT will hit when the destination is net-172.1.10 subnet. And ofcourse NAT will happen as per the Double NAT:

Check this document:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_rules.html

Please note that this is a twice NAT, means that this will work for reverse traffic as well. The document will make things clear.

HTH

Re: Why NAT different destination static but same source static?

getaway51 — Tue, 25 Sep 2018 07:31:00 GMT

Thanks for yr explanation. Technically how to intepret this?
nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup
1)Is this what happen?
before NAT
Source -10.1.1.0 (inside interface) , Dest-10.1.10 (any interface)
after NAT
Source -net-172.1.10 (inside interface) , Dest-net-172.1.10 (any interface)
2)NAT Exemption means NO NAT will happen if traffic matches these rules? which part of cmd represents NAT Exemption?

3)After all these nat (inside,any) source static ,there is a dynamic NAT cmd afterwards. Seems like all traffic NAT dynamically via outside interface.
object network any-object
nat (inside,outside) dynamic interface

Re: Why NAT different destination static but same source static?

getaway51 — Tue, 25 Sep 2018 07:35:55 GMT

Really confusing wht they trying to achieve here.
1)Double NAT here means source 10.1.1.0 & dest 10.1.1.0 will be NAT to 172.1.10.0 & 172.1.10.0?

2)After all these NAT cmds, there is a below below. to NAT all traffic from inside-outside dynamically.
object network any-object
nat (inside,outside) dynamic interface

Re: Why NAT different destination static but same source static?

Francesco Molino — Tue, 25 Sep 2018 23:00:32 GMT

1. You need to interpret that way:

Source traffic from 10.1.1.0/24 on inside zone (i assume all your subnets are /24) to destination 172.1.10.0/24 (no matter which zone) will result after Nat with source 10.1.1.0/24 to destination 172.1.10.0/24

As you can understand, the traffic won't be natted.

2. nat (inside,any) source static net-10.1.1.0 net-10.1.1.0 destination static net-172.1.10 net-172.1.10 no-proxy-arp route-lookup

We can say this is a no nat rule because the real subnet and translated subnet are equal for source and destination.

The first net-10.1.1.0 is real source and the second net-10.1.1.0 is the translated source. Same applies for the destination group.

3. After these 3 nat rules, you have a dynamic natting traffic over outside interface. This means, if traffic won't hit the first 3 rules then it's being transferred with outside interface ip to be able to access Internet.

Also, it's not recommended to keep Nat with any statement.

Re: Why NAT different destination static but same source static?

getaway51 — Wed, 26 Sep 2018 02:32:54 GMT

May I know what is meant by "no-proxy-arp route-lookup" in this case? When to use this cmd? for vpn traffic?

Re: Why NAT different destination static but same source static?

Francesco Molino — Wed, 26 Sep 2018 21:02:46 GMT

route-lookup is to ask ASA to take a look on the routing table to determine the egress interface instead of using the interface mentioned in the nat statement.
no-proxy-arp: disable proxy arp and then disable that ASA answers to ARP requests.