topic Need some help with a fundamental concept of nat'ing/routing in Network Security

Need some help with a fundamental concept of nat'ing/routing

paulbatte — Mon, 11 Mar 2019 23:02:14 GMT

I have the following code on an ASA5500 pair with very down-level code. 7.1.2.

Here is a snippet of the ruleset:


interface GigabitEthernet0/1.40
description Production Servers Network
vlan 40
nameif Production
security-level 40
ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2

access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0

nat (Production) 0 access-list no-nat

Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be Nat'ed.

My next question is will that traffic be routed through that interface Production using the original IP addresses, or will that traffic NOT be routed anywhere?

I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.

Need some help with a fundamental concept of nat'ing/routing

Dan-Ciprian Cicioiu — Fri, 04 May 2012 16:19:09 GMT

Hi Paul,

As you already said the traffic matched by the access-list will not be NATed, so this means that it will pass without any IP source change.

Depending on your routing table but also your access-list on, that traffic will be routed and permited.

If you have a an access-list applied on the Production interface that allows host from 182.168.3.0/24 to access 192.168.20.0/24 and 172.20.0.0/16 to access 192.168.20.0/24 , then the destination of the packet will be check in the routing table.

So this access-list will only allow traffic to pass without doing source nat to it.

Dan

Need some help with a fundamental concept of nat'ing/routing

PAUL GILBERT ARIAS — Fri, 04 May 2012 16:20:25 GMT

You are right on your first question.

The traffic will flow with the real IP coming from the source networks located behind the interface called Production to the destination network 192.168.20.0/24. Routing will always need to be done in order to be able to get to the destination. And the destination network needs to know how to get to the source addresses.

Is this clear?

Need some help with a fundamental concept of nat'ing/routing

paulbatte — Fri, 04 May 2012 18:08:20 GMT

Thanks for responses, but they confuse me more.

It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.

From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced from the 192.168.3.0 network to reach the 192.168.20.0 network.

However, this is not what is currently happening in the networks, as far as I have been told.

Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.

1. There is no access list explictly associated with the Production interface, as can be seen through the definition in my first post.

2. More complete code:

object-group network network_vpn

description VPN IP's

network-object 192.168.2.0 255.255.255.0

network-object 192.168.3.0 255.255.255.0

access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0

access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0

access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0

access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0

access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0

access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0

access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0

access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0

access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (Production) 0 access-list no-nat

nat (Production) 0 access-list Production_nat0_inbound outside

nat (Production) 1 172.20.0.0 255.255.0.0

Use the 3rd last line in the access-list no-nat commands as an example.

As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit through not NAT'ed, but with the original IP addreses, assuming routing is configured between these networks? I guess my related question would be is routing not implictly turned on between these networks?

3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.

Need some help with a fundamental concept of nat'ing/routing

Dan-Ciprian Cicioiu — Fri, 04 May 2012 19:58:08 GMT

Paul ,

1) please post : show run access-group

2) Let's take "nat (Production) 0 access-list no-nat"

this nat command will :

- match the source and destination on the access-list

- match the packets source from Production with the source that apears in the acl

In my optinion I do not think that your acl-lines will be match by this nat exemption , because 192.168.3.0 or 192.168.2.0 are not behaind the Production interface - please correct me if I'm wrong.If this is the case then I belive that the only line that makes sens in the acl is ip 172.20.0.0 255.255.0.0 192.168.0.0.

This has nothing to do with the acl applied on the interface, for filtering purpose.

Dan

Need some help with a fundamental concept of nat'ing/routing

paulbatte — Fri, 04 May 2012 20:28:07 GMT

Hi Dan:

I have requested the output of that command.

In the meantime, I guess a very fundamental question I still have is this:

In general terms, if a packet encounters a "nat 0" access list on an interface, and it meets the conditions you described in point #2 above, I know it won't NAT, but will it route using the permit rules in the access list?

Paul

Need some help with a fundamental concept of nat'ing/routing

Dan-Ciprian Cicioiu — Fri, 04 May 2012 20:34:42 GMT

Paul ,

Without any doubt the permision will be checked against the access-list applied ( in or out direction depending on the direction and interface applied )

If for example you have an acl applied on the in direction of the Production denying all the traffic that you exempt from nat, it will for sure be droped and the nat exemption will not matter.

Dan

Need some help with a fundamental concept of nat'ing/routing

paulbatte — Mon, 07 May 2012 14:29:49 GMT

Hi Dan:

This is the result of the show show run access-group command.

FW02# show run access-group

access-group Primary_Public_access_in_tmp in interface Primary_Public

access-group FW_LANx_in in interface LANx

access-group FW_VPN_Touchdown_in in interface FW_VPN_Touchdown

I know for certain that the FW_VPN_Touchdown is no longer in use.

Is the purpose of this command to show only the access lists that are tied to an interface?

If so, I am even more confused, as the access list no-nat then does not appear to be used.