topic How are object groups processed in NAT in Network Security

How are object groups processed in NAT

DarrenB_UK — Tue, 12 Mar 2019 07:26:00 GMT

Hello all,

I have seen, and indeed used object groups in a "twice NAT" configuration especially for exempting translation for VPN traffic.

I was wondering how object groups are processed correctly as so far, the results have been as expected. Please see the brief example below:

object-group network vpn-local
network-object 192.168.10.0 255.255.255.0

object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote

Why and how does the NAT process work when for example, the remote network is 10.0.30.0/24? How does the ASA know to translate that to itself rather than the first object in the list - 10.0.10.0/24?

We make extensive use of object groups in NAT statements and I have never found the logic behind the process!

Thanks in advance,

Hi DarrenB_UK,

Dinesh Moudgil — Thu, 03 Mar 2016 01:21:19 GMT

Hi DarrenB_UK,

The logic is the traffic is matched with the NAT entities and since nat exemption takes precedence over other NAT statements , ASA confirms if the remote destination is indeed part of object-group defined in destination static argument.and if it is, , it self translates or nat exempts the source in this case.

The statement "nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote"

states that whenever vpn-local tries to access vpn-remote object-group , (irrespective of the subnets/host involved) , self translate vpn-local to itself and do not translate vpn-remote as well.

You might want to take a moment and go through this wonderful document on nat:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thank you Dinesh - exactly

DarrenB_UK — Thu, 03 Mar 2016 05:41:18 GMT

Thank you Dinesh - exactly what I needed to have confirmed!

"ASA confirms if the destination is part of the object group" is the key criteria"

All the best,

Darren

You got it , Darren

Dinesh Moudgil — Thu, 03 Mar 2016 05:50:00 GMT

You got it , Darren

Cheers!

-Dinesh

One question does arise

DarrenB_UK — Thu, 03 Mar 2016 05:58:38 GMT

One question does arise though Dinesh, what happens if the destination object group is different?

object-group network vpn-local
network-object 192.168.10.0 255.255.255.0

object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

object-group network vpn-remote-new
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0

nat (inside,outside) 1 source static vpn-local vpn-local destination static vpn-remote vpn-remote-new

If the ASA cannot confirm the entry is in the list, will it fail or will it match to the entry at the same location?

Darren,You don't have to

Dinesh Moudgil — Thu, 03 Mar 2016 06:08:07 GMT

Darren,

You don't have to worry about the latter part of destination static i.e. vpn-remote-new

As long as the traffic is coming from "vpn-local" to "vpn-remote" (other condition is vpn-local has to be from inside and vpn-remote has to be reachable on the outside, this is nothing but the interfaces that we mentioned in this nat statement) , this nat statement will be used where vpn-local is self-translated/nat-exempted and vpn-remote is translated to vpn-remote-new.

Hope this addresses your query.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh and thank you for

DarrenB_UK — Thu, 03 Mar 2016 06:18:07 GMT

Hi Dinesh and thank you for your continued input!

So looking at these remote object groups:

object-group network vpn-remote
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0

object-group network vpn-remote-new
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0

If the matched destination address is 10.0.30.0, at position 3 in the object group, would the ASA translate this to position 3 in the vpn-remote-new group - 172.16.30.0?

Just want to be clear about the order of processing logic in object groups for ASA NAT!

Thanks again

Darren,

Dinesh Moudgil — Thu, 03 Mar 2016 07:37:49 GMT

Darren,

Actually this is not the optimum way to configure natting.
I will suggest you to create separate nat statements for the destination object-groups so that 10.0.30.0 translates to 172.16.30.0 and similarly for other objects.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh,

DarrenB_UK — Thu, 03 Mar 2016 19:18:59 GMT

Hi Dinesh,

Thanks again for your input.

So you are suggesting that whilst using the same object group for identity NAT is OK, use separate NAT statements with the relevant objects if an actual translation is required?

Best regards,

Darren

I'd suggest that whether you

Dinesh Moudgil — Fri, 04 Mar 2016 01:22:34 GMT

I'd suggest that whether you go for nat exemption or trasnlation. always use separate NAT statements.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

I finally managed to lab this

DarrenB_UK — Sun, 06 Mar 2016 08:46:57 GMT

I finally managed to lab this up!

ciscoasa# show object-group

object-group network vpn-remote
network-object 10.0.100.0 255.255.255.0
network-object 10.0.101.0 255.255.255.0
network-object 10.0.102.0 255.255.255.0
network-object 10.0.103.0 255.255.255.0
object-group network vpn-remote-new
network-object 192.168.100.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
network-object 192.168.103.0 255.255.255.0
object-group network vpn-local
network-object 10.0.10.0 255.255.255.0

ciscoasa# show run nat
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.101.1 80 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static vpn-local vpn-local destination static vpn-remote vpn-remote-new
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.101.1/80 to 192.168.101.1/80

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.103.1 80 det

ciscoasa# packet-tracer input inside tcp 10.0.10.1 12345 10.0.101.1 80 det

What this demonstrates is that the static NAT translates the object-group to the corresponding position in the groups! Cool!

Wonderful Darren,

Dinesh Moudgil — Sun, 06 Mar 2016 08:50:32 GMT

Wonderful Darren,

Appreciate your efforts on a quick lab-repro to confirm the behavior.
Way to go !

Regards,
Dinesh Moudgil