topic Will NAT statements conflict? in Network Security

Will NAT statements conflict?

Matt Roberts — Tue, 12 Mar 2019 01:22:32 GMT

I need to NAT the following

inside 172.2.1.1/25 to ouside 10.1.4.1/28

I also have the 172.2.x.x range in another NAT statement that does a dynamic NAT for accessing the internet. Will these conflict?

Re: Will NAT statements conflict?

Jouni Forss — Tue, 02 Apr 2013 14:34:53 GMT

Hi,

Could you clarify a bit.

Are you saying that you want to configure a Static NAT between the mentioned IPs or are you going to configure some sort of Dynamic NAT?

Usually the Static NAT will override the Dynamic NAT but this can vary depending on the firewall software. What is your firewall software? Can you give any NAT configurations here?

What is the purpose of this NAT from inside to outside with both IPs being private? (EDIT: Well actually I guess the inside IP isnt actually a private IP from the 172.16.0.0/12 range) Some VPN related NAT configuration?

- Jouni

Re: Will NAT statements conflict?

Matt Roberts — Tue, 02 Apr 2013 14:50:31 GMT

I need to nat the network 172.2.1.0/25 subnet to 10.1.4.1/28 yes this is for VPN.

I also have the 172.2.1.0/25 subnet in another nat statment for internet access. I guess my question is will there be a conflict if the source address is in two nat statements?

Re: Will NAT statements conflict?

Jouni Forss — Tue, 02 Apr 2013 15:04:18 GMT

Since we are talking about a NAT configuration that is supposed to serve a L2L VPN connection then you should naturally configure a Dynamic Policy NAT+PAT since the real and mapped network arent of equal size. (since the NAT Pool is smaller your hosts using the VPN might run out of NAT addresses)

Dynamic Policy NAT+PAT should also be used because you want this NAT to apply only when users are connecting to a specific network(s) behind a L2L VPN connection. This way it wont overlap/interfere with your default Dynamic PAT/NAT configuration.

For ASA 8.2 (and older) software levels

The ACL defines the situation where this NAT applies
- Think of it as "when this source network connects to this remote network THEN apply this NAT"

access-list DYNAMIC-POLICYNAT remark Define the Traffic that Needs the Policy NAT

access-list DYNAMIC-POLICYNAT permit ip 172.2.1.0 255.255.255.128

global (outside) 100 10.1.4.1-10.1.4.13

global (outside) 100 10.1.4.14

nat (inside) 100 access-list DYNAMIC-POLICYNAT

For ASA 8.3 (and newer) software levels

Operation is the same as above but the configuration format is for the new NAT configuration format introduced in 8.3(1) software

object network REMOTE-LAN

subnet

object network LOCAL-LAN

subnet 172.2.1.0 255.255.255.128

object network NAT-POOL

range 10.1.4.1 10.1.4.13

object network PAT

host 10.1.4.14

object-group network NAT+PAT

network-object object NAT-POOL

network-object object PAT

nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

Naturally in both cases minor adjustments might be needed depending on the number of hosts/networks on the remote side of the L2L VPN.

Hopefully this helps. Please rate if so and mark the question as answered if it did.

Otherwise ask more if I understood something wrong

- Jouni

Re: Will NAT statements conflict?

Matt Roberts — Tue, 02 Apr 2013 17:06:17 GMT

I think I understand. What would the remote-lan be?

Will NAT statements conflict?

Jouni Forss — Tue, 02 Apr 2013 17:10:45 GMT

Hi,

If you are configuring a specific NAT for a L2L VPN connection then the remote lan would naturally be the remote network of the L2L VPN connection. Naturally depending on your VPN setup there might be multiple remote networks or even just a single host. I can only guess since you have only given information about the source network to be NATed and the actual NAT addresses to be used.

The main point here is that we define the new NAT so that it only applies to the traffic using the VPN connection and wont affect the Internet traffic at all.

- Jouni

Re: Will NAT statements conflict?

Matt Roberts — Tue, 02 Apr 2013 17:22:58 GMT

So I create a group that has my nat-pool and a pat? That I don't understand. Everything else I understand.

Re: Will NAT statements conflict?

Jouni Forss — Tue, 02 Apr 2013 17:30:44 GMT

So are you saying that your firewall is running 8.3+ software?

I gave examples of the same NAT configuration for 2 different NAT configuration formats depending on the software level of your firewall.

If you are using 8.3 or newer software then here is the explanation for the above mentioned NAT configuration

object network REMOTE-LAN

subnet

object network LOCAL-LAN

subnet 172.2.1.0 255.255.255.128

object network NAT-POOL

range 10.1.4.1 10.1.4.13

object network PAT

host 10.1.4.14

object-group network NAT+PAT

network-object object NAT-POOL

network-object object PAT

nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

REMOTE-LAN = Is used to define the destination network(s) for this NAT configuration
LOCAL-LAN = Is used to define the source network(s) for this NAT configuration
NAT-POOL = Is used to define the NAT Pool address range
PAT = Is used to define the PAT address for situations where the NAT-POOL runs out
NAT+PAT = Is used to group the NAT-POOL and PAT objects under a single object that we can then use in the NAT configuration
nat = Is the actual NAT configuration line that says that the network under LOCAL-LAN will be translated to some IP address under the NAT+PAT when the connection is taken towards REMOTE-LAN

I could give more specific answer if I knew more about your specific situation.

- Jouni

Re: Will NAT statements conflict?

Matt Roberts — Wed, 03 Apr 2013 19:34:33 GMT

I'm running 8.6

My remote lan object would be various hosts and not a subnet. I created a group for this but the nat command is barking at me.

It says subnet can not be used as mapped source in dynamic NAT policy.

Re: Will NAT statements conflict?

Matt Roberts — Wed, 03 Apr 2013 19:40:28 GMT

This is how it would look. The remote LAN is various hosts.

NAT Pool Remote-LAN

10.1.4.112 /28 -------> 10.101.240.5 255.255.255.255

10.1.4.112 /28 -------> 10.105.1.33 255.255.255.255

10.1.4.112 /28 -------> 10.105.1.50 255.255.255.255

10.1.4.112 /28 -------> 10.105.1.53 255.255.255.255

10.1.4.112 /28 -------> 10.241.13.20 255.255.255.255

Re: Will NAT statements conflict?

Jouni Forss — Wed, 03 Apr 2013 19:42:54 GMT

Hi,

If you need to define multiple hosts or networks in the REMOTE-LAN object then you can configure it as a "object-group network REMOTE-LAN"

For example

object-group network REMOTE-LAN

network-object host 10.101.240.5

network-object host 10.105.1.33

network-object host 10.105.1.50

network-object host 10.105.1.53

network-object host 10.241.13.20

object network LOCAL-LAN

subnet 172.2.1.0 255.255.255.128

object network NAT-POOL

range 10.1.4.1 10.1.4.13

object network PAT

host 10.1.4.14

object-group network NAT+PAT

network-object object NAT-POOL

network-object object PAT

nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

- Jouni

Re: Will NAT statements conflict?

Jouni Forss — Wed, 03 Apr 2013 19:48:11 GMT

Hi,

I inserted completely wrong example IPs in the above reply at first.

Its now edited with the example IPs you gave in an earlier reply.

- Jouni

Re: Will NAT statements conflict?

Matt Roberts — Wed, 03 Apr 2013 19:57:14 GMT

Tried that this is the error I'm getting

ERROR: Subnet can not be used as mapped source in dynamic NAT policy.

Will NAT statements conflict?

Jouni Forss — Wed, 03 Apr 2013 20:01:26 GMT

Hi,

You are most probably trying to configure something different than what I have written above.

I have tested this on my own ASA and there are no problems.

What is the exact NAT configuration and the related objects and object-groups you are trying to insert?

- Jouni