topic Have you tested it without in Network Security

Help with new code NAT statement that has no destination but translate hits

Dean Romanelli — Tue, 12 Mar 2019 05:59:03 GMT

Hi All,

I recently acquired a new site. The firewall is running new code NAT, and the following statement is configured:

object network LAN
subnet 192.168.175.0 255.255.255.0

nat (inside,outside) source static LAN LAN no-proxy-arp route-lookup

Can anyone tell me exactly what this is doing? The thing that is throwing me off is that this line doesn't have a destination like I'm used to seeing, but I seeing translate hits on the line.

FW-ITL-5505# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LAN LAN no-proxy-arp route-lookup
translate_hits = 3481993, untranslate_hits = 160197

For example, I understand the below says "Don't NAT any traffic from the LAN to REMOTE."

nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE no-proxy-arp route-lookup

If there is no destination in

Karsten Iwen — Fri, 22 May 2015 16:46:10 GMT

If there is no destination in the NAT-statement, then the destination is "any". This line means: Translate any source LAN to new source LAN (effectively do not NAT) regardless of the destination if the traffic enters inside and exits outside. That's probably not what you want. Does it work as you want? Then there are probably other lines that have a higher priority.

Thanks Karsten. Here;s the

Dean Romanelli — Sat, 23 May 2015 12:40:22 GMT

Thanks Karsten. Here;s the full NAT table:

nat (inside,outside) source static LAN LAN no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Rome Rome no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Milan Milan no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Perugia Perugia no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static Paris Paris no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static DC-INET DC-INET no-proxy-arp route-lookup

So each of these lines are for a site-to-site VPN tunnel. But if I am understanding you correctly, the last 5 lines aren't doing anything because the first line is already saying "Do not NAT the LAN to any destination, so the last five lines are never evaluated because the first line matches each time right?

As for the functionality, it's actually ok as we centralize our internet pipe company wide in our data center, so I don't want to NAT anything locally (since the VPN tunnel ultimately delivers INET via the DC). I just figure I'll pull out those 5 lines if they are ultimately doing nothing.

These NAT-exemption-rules are

Karsten Iwen — Sat, 23 May 2015 14:07:48 GMT

These NAT-exemption-rules are only needed if there is done NAT on the ASA, typically for internet-traffic. If you don't want to nat anything on the ASA you can completely remove all NAT-entries and the ASA will route anything through.

Hi Karsten,Yeah unfortunately

Dean Romanelli — Sat, 23 May 2015 22:10:28 GMT

Hi Karsten,

Yeah unfortunately I have to NAT out one FTP service locally on this FW:

object network API-FTP
nat (inside,outside) static API-FTP-public

So considering that config, I thought I would need to set the nonat statements shown in the NAT table in the above post. But I think the first line in that table takes care of everything, meaning I should be able to pull the other 5 out right?

Yes, the five statements seem

Karsten Iwen — Sat, 23 May 2015 22:19:55 GMT

Yes, the five statements seem to be not needed in your scenario.

Is the API-FTP part of the LAN network? Then I wonder why it works as the first line takes precedence oder the object-NAT.

But anyhow, if this is the only system needing NAT and you don't have any more dynamic NAT-statement, then you can remove all NAT exemptions.

Karsten,Yes, the FTP server

Dean Romanelli — Tue, 26 May 2015 20:58:17 GMT

Karsten,

Yes, the FTP server is on an address within the LAN of this network. I have a /29 from the ISP, so I am using 1 address for my WAN port / vlan 2 on the ASA and using another of the publics for a static 1:1 NAT for the inside FTP server address to be seen from the outside publicly.

Have you tested it without

Karsten Iwen — Tue, 26 May 2015 21:13:01 GMT

Have you tested it without the NAT-exemptions? That's the most important question ...

Not yet. I will have to wait

Dean Romanelli — Wed, 27 May 2015 13:32:11 GMT

Not yet. I will have to wait until after hours just in case 😉