ASA 8.4 NAT order question

jason.williams — Tue, 12 Mar 2019 01:10:27 GMT

In pre-8.3, NAT had a group number to match nat to global.

How do I do this in 8.4? I need a default pat (0.0.0.0), but I also have specific pat for certain subnets. How do I keep them from overlapping? Will it check more specific nat statements first before it gets to more generic any any or 0.0.0.0?

Thanks.

Jason

Re: ASA 8.4 NAT order question

Jouni Forss — Wed, 06 Mar 2013 15:06:54 GMT

Hi,

Generally you should consider the following things with regarding NAT in 8.3 and newer software

NAT is broken into 3 sections on the ASA
- Section 1 consists of Twice NAT configurations (also called Manual NAT)
- Section 2 consists of NAT configurations configured under "object network"
- Section 3 consists of Twice NAT (also called Manual NAT) configurations that have been moved to the last section with the parameter "after-auto" (configured right after the source and destination interface)
NAT has "line numbers" just like ACLs for Section 1 and Section 3 NAT configurations
- Adding a new Twice NAT rule with a line number (right after source,destination interface) will move the existing rule and any after that 1 line number down. Without line number its added at the bottom (and might not apply)
NAT configured with "object network" doesnt not use "line numbers". Instead their use is based on how specific the rule is and the decision of the ASA what rule to use might be even as specific as the the alphabetic order of the "object network" names is

I suggest reading the following section of the Configuration Guide for your software. (And any related sections). They give some nice addiotional information about the NAT operations

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

Now lets take this example situation

You have alot of networks that fall into the whole 10.0.0.0/8 network
You want to give own NAT rules for some 10.x.x.x/yy subnets

The "catch all" Default PAT rule

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.0.0.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Where

DEFAULT-PAT-SOURCE = Is the "object-group" that defines the networks that are used for this PAT configurations
after-auto = Moves this NAT rule to the last Section 3 (as mentioned in the start of the post, it should be a default rule if nothing else is configured)
interface = Is the parameter that will define that the destination interface of the NAT (outside) is used as PAT address

Now if we want to create a more specific rule in the Section 3 we could do the following

object-group network SPECIAL-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

object network PAT-ADDRESS

host 1.1.1.1

nat (inside,outside) 1 after-auto source dynamic SPECIAL-PAT-SOURCE PAT-ADDRESS

Where

SPECIAL-PAT-SOURCE = Again defines the source addresses/networks for the NAT/PAT
PAT-ADDRESS = Is used to define the new Public IP address since we can use the "interface" parameter (we want another IP address)
"1" = This is the crucial point. It moves the new NAT rule in Section 3 NAT rules to the top. Taking the place of the NAT configuration we configured first. Hence the new rule will be hit first and all remanining 10-networks will hit the default PAT rule that is now on line number "2"
- Notice that the line numbers dont show in the CLI format of the configuration when using "show run nat". They only show on the CLI with "show nat" which doesnt really give a clear output

Example show command output from my ASA

ASA(config)# sh run nat

No NAT rule numbering

nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

nat (WLAN,WAN) after-auto source dynamic WLAN-NETWORK interface

ASA(config)# show nat

Order of NAT configurations mentioned (and also the Section number)

Manual NAT Policies (Section 3)

1 (LAN) to (WAN) source dynamic LAN-NETWORK interface

translate_hits = 0, untranslate_hits = 0

2 (WLAN) to (WAN) source dynamic WLAN-NETWORK interface

translate_hits = 0, untranslate_hits = 0

Hitcounts are 0 because I remotely reloaded the ASA earlier today and there are no hosts turned on behind it.

The above is not the only options naturally but its based on the way I configure NAT.

Section 1 (Manual NAT): Special NAT setups (VPN, possible partner DMZ connections etc)
Section 2 (Object NAT): Static NAT and Port Forward configurations (Static PAT)
Section 3 (Manual NAT): Default NAT/PAT rules for majority of the traffic through the ASA

Hopefully this answered your questions. Please rate or mark the question as answered if so. Naturally ask more if you need some clarifications or need to ask something more

- Jouni

topic Re: ASA 8.4 NAT order question in Network Security

ASA 8.4 NAT order question

Re: ASA 8.4 NAT order question