topic Two matching auto/object NAT statements which one takes precedence in Network Security

Two matching auto/object NAT statements which one takes precedence

Alan Herriman — Tue, 12 Mar 2019 00:42:35 GMT

Hello all,

I think the title says everything, but I will go into more detail. I want to define an auto NAT as kind of a catch all for the 10.0.0.0 /8 subnet. This would be a PAT to the outside interface and look similiar to this.

object network NAT-INSIDE-10.0.0.0

subnet 10.0.0.0 255.0.0.0

nat (inside,outside) dynamic interface

However, I want a more specific nat for servers in this range, because in realitiy the 10.0.0.0 /8 subnet is broken into several /16 blocks. An example of this would be a server at 10.6.240.1

object network NAT-SRV-10.6.240.1

host 10.6.240.1

nat (inside,outside) static x.x.x.x

Which would take precedence in this situation? Would I get the static NAT I am looking for in this situation or would it get caught by the other auto NAT statement? I would lab this up, but I do not have an ASA to readily do this at the moment. Is there a better way to do this? I'm open to suggestion so please feel free to say what you want.

Thanks in advance!

Re: Two matching auto/object NAT statements which one takes prec

Jouni Forss — Wed, 02 Jan 2013 16:01:10 GMT

Hi,

I would remove the default PAT rule and confiure it again with a "minor" modification

object-group network DEFAULT-PAT-SOURCE

description Default PAT Source Networks

network-object 10.0.0.0 255.0.0.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

With the above configuration the Static NAT configuration (under the object) would always take precedence of the Default PAT rule.

The above object-group is not mandatory really but I like configuring it that way since it gives me the option to add/change several source networks without removing any configurations in the process.

If you would even further like to widen the application of the Default PAT rule you could configure "any" instead of "inside" which enable you to configure source networks to the "object-group" no matter which interface had a route for them.

- Jouni

Two matching auto/object NAT statements which one takes preceden

Jouni Forss — Wed, 02 Jan 2013 16:43:11 GMT

Also,

The way you have configured the PAT it would seem that it will not overrule the Static NAT in that format. I would still suggest using the format that I described above.

I personally use "object NAT" for Static NAT and Port Forward configurations.

Default PAT configurations I handle like in the above post.

And special type situations for example NAT for VPN or Policy NAT (not called that in the new software anymore I guess)

VPN (NAT0/NAT Exempt)

object network LAN

subnet 10.10.10.0 255.255.255.0

object network VPN-POOL

subnet 10.10.20.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Above would basicly handle that LAN and VPN-POOL subnets could communicate without NAT done to their original IP addresses

Policy NAT

In essence the same as the above

object network DESTINATION

host 8.8.8.8

object network HOST-LOCAL

host 10.10.10.10

object network HOST-MAPPED

host 1.2.3.4

nat (inside,outside) source static HOST-LOCAL HOST-MAPPED destination static DESTINATION DESTINATION

The above would create a NAT rule that would give a different public IP address (for example) to a single local host IF it was attempting to connect to the host configured under the DESTINATION object. Other destination hosts networks would still hit the default PAT rule.

- Jouni

Two matching auto/object NAT statements which one takes preceden

Alan Herriman — Wed, 02 Jan 2013 19:27:16 GMT

Hello Jouni,

Thank you for the quick response and I do like your solution for a default PAT and will probably end up doing it that way. Do you happen to know what the processing order is for NAT commands in the same section? Or maybe point me to some documentation that would have the information? I am really curious as to if all static object NAT statements are processes first or if it is just by running-config order.

Best regards!

Re: Two matching auto/object NAT statements which one takes prec

Jouni Forss — Wed, 02 Jan 2013 20:14:23 GMT

Hi,

I suggest reading through the ASA configuration guide for your software.

Heres a quote from 8.4 versions which includes pretty much all the information you need

NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 29-1 shows the order of rules within each section.

Table 29-1 NAT Rule Table
Table Section	Rule Type	Order of Rules within the Section
Section 1	Twice NAT	Applied on a first match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1. Note If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
Section 2	Network object NAT	Section 2 rules are applied in the following order, as automatically determined by the ASA: 1. Static rules. 2. Dynamic rules. Within each rule type, the following ordering guidelines are used: a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses. b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0. c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
Section 3	Twice NAT	Section 3 rules are applied on a first match basis, in the order they appear in the configuration. You can specify whether to add a twice NAT rule to section 3 when you add the rule.

The Default PAT I mentioned is moved to Section 3 with "after-auto" to my understanding.

The whole document can be found for example at

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

- Jouni

Re: Two matching auto/object NAT statements which one takes prec

Alan Herriman — Wed, 02 Jan 2013 21:12:54 GMT

Yes, this was exactly what I was looking for. Thank you very much!