topic ASA NO NAT Configuration - 9.6(4)23 in Network Security

ASA NO NAT Configuration - 9.6(4)23

mbrandon32 — Wed, 20 Apr 2022 00:48:36 GMT

We are in the process of implementing a NO NAT configuration on one of our firewalls and are running into an issue.

We have created an object-group for source IPs that will have the NO NAT configuration applied.

object-group network NO_NAT

network-object host 1.1.1.1

We then created a network object that contains the destination - which would be internet based:

object network NO_NAT_DEST

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) source static NO_NAT NO_NAT destination static NO_NAT_DEST NO_NAT_DEST no-proxy-arp

All internet based traffic is routing as expected - no NAT applied. But when traffic destined for a private address routes through the firewall (DMZ destined), the traffic is routed the same as the internet based traffic. This looks to be because the subnet in the NO_NAT_DEST object matches the 0.0.0.0 0.0.0.0 default route.

My thinking is that we implement two separate NAT statements - one that contains an object-group that contains private networks as the destination and one that contains the 0.0.0.0 destination. Configure the NAT for the private destinations first - then configure the NAT for the 0.0.0.0 destination. That way the private destination NAT is processed first and routed accordingly but anything not destined for a private network will be processed by the 0.0.0.0 destination NAT.

Will this work as expected?

What would be the best way to implement this NO NAT configuration?

Re: ASA NOT NAT Configuration - 9.6(4)23

Rob Ingram — Tue, 19 Apr 2022 17:06:23 GMT

@mbrandon32 yes create the more specific no NAT rule first and/or do a route-lookup on the NAT rule.

Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface for more information.

Re: ASA NOT NAT Configuration - 9.6(4)23

MHM Cisco World — Tue, 19 Apr 2022 19:03:18 GMT

config another NO NAT and make it above this NAT by add "1" , and the issue is solve OR config after-auto in NAT which push this NO NAT "0.0.0.0" down to list of NAT.

Re: ASA NOT NAT Configuration - 9.6(4)23

mbrandon32 — Tue, 19 Apr 2022 18:54:12 GMT

@Rob Ingram I missed the route-lookup configuration. Looking into route-lookup in more detail, we should just be able to configure the following:

nat (inside,outside) source static NO_NAT NO_NAT route-lookup

Correct?

Re: ASA NOT NAT Configuration - 9.6(4)23

mbrandon32 — Wed, 20 Apr 2022 01:38:45 GMT

nat (inside,outside) source static NO_NAT NO_NAT route-lookup did the trick. Thanks!