topic NAT-Control feature in ASA 8.4(2) in Network Security

NAT-Control feature in ASA 8.4(2)

rizvis — Mon, 11 Mar 2019 21:17:46 GMT

Hi,

I'm a bit confused about new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but still not clear about the various things.

One of these is NAT-CONTROL. I understand that this has now been removed. Does this means that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words by default traffic is allowed through the firewall without any NAT'ing.

My Second Query

I've ASA5520 running ver 8.4(2). For inside interface, I've created 13 x sub-interfaces under Gi0/1. All have same security level i.e. 100. What I want to achieve is that:

Traffic from these sub-interfaces should be NATTed to outside interface when going to internet
But, intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides i.e. source / destination

The first point is not a problem it's working, however. I'm struggling with the second point. On ver 8.2, it wasn't a problem, I used NAT 0 with access-list permitting RFC1918 addresses as source and destination.

Could someone please help me in explaining and achieving above?

Many thanks.

Syed

Re: NAT-Control feature in ASA 8.4(2)

varrao — Sat, 27 Aug 2011 15:42:16 GMT

Hi,

There is no need for nat in 8.3 for traffic between different interfaces, so you just need to allow traffic flow from lower secunrity to higher interface through ACL's. Have a look at this:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

The nat-control command is deprecated. To maintain the requirement that all traffic from a higher security interface to a lower security interface be translated, a NAT rule will be inserted at the end of section 2 for each interface to disallow any remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.

Now coming to the next question:

For the iner-subinterface you need to add this command:

same-security-traffic permit inter-interface

Hope this helps you

Thanks,

Varun

Re: NAT-Control feature in ASA 8.4(2)

rizvis — Mon, 29 Aug 2011 14:31:28 GMT

Hi Varun,

First of all thanks for the prompt response and sorry for my delayed replay. Actually its long weekend in UK.

Also thanks for the explanation and honestly that's what I thought of. But some how my configuration is not giving me the desired result. As traffic from higher security interfaces to lower security interface i.e. Outside interface is working fine. However, traffic between sub-interfaces on same security level is not working even though I opend every things between some of these interfaces.

I'm pasting here extract from the config file, could you please let if this sounds okay to you or if you can spot any mis-configuration?

many thanks.

Syed

Start of config file

ASA Version 8.4(2)

names

name 10.0.0.0 NET-10.0.0.0-RFC1918

name 172.16.0.0 NET-172.16-RFC1918

name 192.168.0.0 NET-192.168-RFC1918

name 10.37.40.0 NET-BMS-DATA

name 10.37.39.0 NET-CCURE-ACCESSDATA-OFFICE

name 10.37.48.0 NET-LIGHTING-SRV

name 10.37.43.0 NET-METERING-DATA

name 10.37.35.0 NET-SHOPALT-VOICE

name 10.37.35.128 NET-VACINITEE-THINCLIENT

name 10.37.34.0 NET-VOICE-IPT

name 10.37.44.0 NET-WIFI-AP-MANAGEMENT

name 172.25.24.0 NET-WIFI-GUESTS

name 10.37.32.0 NET-MANAGE

name 10.37.45.192 NET-IPTV-CLIENTS3

interface GigabitEthernet0/0

description OUTSIDE

nameif OUTSIDE

security-level 0

ip address 195.62.201.195 255.255.255.240

interface GigabitEthernet0/1

description "TRUNKED UPLINK - NO POLICIES"

no nameif

no security-level

no ip address

interface GigabitEthernet0/1.19

vlan 19

nameif IPT-TRANSIT

security-level 100

ip address 10.37.34.249 255.255.255.248

interface GigabitEthernet0/1.29

description SHOPALT-VOICE-TRANS

vlan 29

nameif SHOPALT-VOICE-TRANS

security-level 100

ip address 10.37.35.249 255.255.255.248

interface GigabitEthernet0/1.39

description VACINITEE-FWSM-TRANS

vlan 39

nameif VACINITEE-FWSM-TRANS

security-level 100

ip address 10.37.35.241 255.255.255.248

interface GigabitEthernet0/1.99

description NETWORK MANAGEMENT TRANSIT

vlan 99

nameif NETWORK-MANAGE

security-level 100

ip address 10.37.32.254 255.255.255.0

interface GigabitEthernet0/1.109

description CCTV-FWSM-TRANS-OFFICE

vlan 109

nameif CCTV-FWSM-TRANS-OFFICE

security-level 100

ip address 10.37.38.249 255.255.255.248

interface GigabitEthernet0/1.129

description CCURE-FWSM-TRANS-OFFICE

vlan 129

nameif CCURE-FWSM-TRANS-OFFICE

security-level 100

ip address 10.37.39.249 255.255.255.248

interface GigabitEthernet0/1.139

description LIGHTING-FWSM-TRANS

vlan 139

nameif LIGHTING-FWSM-TRANS

security-level 100

ip address 10.37.48.249 255.255.255.248

interface GigabitEthernet0/1.179

description MANSUITE-FWSM-TRANS

vlan 179

nameif MANSUITE-FWSM-TRANS

security-level 100

ip address 10.37.33.249 255.255.255.248

interface GigabitEthernet0/1.209

description BMS-FWSM-TRANSIT

vlan 209

nameif BMS-FWSM-TRANSIT

security-level 100

ip address 10.37.46.225 255.255.255.248

interface GigabitEthernet0/1.229

description METERING-FWSM-TRANSIT

vlan 229

nameif METERING-FWSM-TRANSIT

security-level 100

ip address 10.37.43.249 255.255.255.248

interface GigabitEthernet0/1.239

description IPTV-FWSM-TRANSIT

vlan 239

nameif IPTV-FWSM-TRANSIT

security-level 100

ip address 10.37.45.249 255.255.255.248

interface GigabitEthernet0/1.249

description LIFTS-FWSM-TRANSIT

vlan 249

nameif LIFTS-FWSM-TRANSIT

security-level 100

ip address 10.37.46.249 255.255.255.248

interface GigabitEthernet0/1.990

description WIFIGUESTS

vlan 990

nameif WIFI-GUESTS

security-level 100

ip address 172.25.24.1 255.255.254.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

description "NOT USED"

shutdown

nameif NOT-IN-USE

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network 40Strand_entire_NW

subnet 10.37.32.0 255.255.224.0

description 40 Strand Entire NW IP range

object network NETWORK_OBJ_10.37.33.80_28

subnet 10.37.33.80 255.255.255.240

object-group network G-RFC1918

network-object NET-10.0.0.0-RFC1918 255.0.0.0

network-object NET-172.16-RFC1918 255.240.0.0

network-object NET-192.168-RFC1918 255.255.0.0

object-group network G-CCTV-OFFICE

network-object 10.37.36.0 255.255.255.128

network-object 10.37.36.128 255.255.255.128

object-group network G-IPTV

network-object 10.37.45.0 255.255.255.192

network-object 10.37.45.128 255.255.255.192

network-object NET-IPTV-CLIENTS3 255.255.255.224

network-object 10.37.45.64 255.255.255.192

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

port-object eq pop3

port-object eq smtp

object-group network G-LIFTS

network-object 10.37.46.0 255.255.255.192

network-object 10.37.46.64 255.255.255.192

object-group network G-MANSUITE

network-object 10.37.33.0 255.255.255.128

network-object 10.37.33.128 255.255.255.192

access-list BMS-FWSM-TRANSIT_access_in extended permit icmp 10.37.40.0 255.255.254.0 object-group G-RFC1918 log debugging

access-list BMS-FWSM-TRANSIT_access_in extended permit ip 10.37.40.0 255.255.254.0 object-group G-RFC1918 log debugging

access-list BMS-FWSM-TRANSIT_access_in extended deny ip 10.37.40.0 255.255.254.0 any log debugging

access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE object-group G-RFC1918 log debugging

access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE any log debugging

access-list CCURE-FWSM-TRANS-OFFICE_access_in extended deny ip 10.37.39.0 255.255.255.128 object-group G-RFC1918 log debugging

access-list CCURE-FWSM-TRANS-OFFICE_access_in extended deny ip 10.37.39.0 255.255.255.128 any log debugging

access-list IPTV-FWSM-TRANSIT_access_in extended deny ip object-group G-IPTV object-group G-RFC1918 log debugging

access-list IPTV-FWSM-TRANSIT_access_in extended deny ip object-group G-IPTV any log debugging

access-list IPT-TRANSIT_access_in extended deny ip 10.37.34.0 255.255.255.128 object-group G-RFC1918 log debugging

access-list IPT-TRANSIT_access_in extended deny ip 10.37.34.0 255.255.255.128 any log debugging

access-list global_mpc remark Scan All traffic

access-list global_mpc extended permit tcp object-group G-RFC1918 any object-group DM_INLINE_TCP_1

access-list VACINITEE-FWSM-TRANS_access_in extended deny ip 10.37.35.128 255.255.255.192 object-group G-RFC1918 log debugging

access-list VACINITEE-FWSM-TRANS_access_in extended deny ip 10.37.35.128 255.255.255.192 any log debugging

access-list SHOPALT-VOICE-TRANS_access_in extended deny ip 10.37.35.0 255.255.255.128 object-group G-RFC1918 log debugging

access-list SHOPALT-VOICE-TRANS_access_in extended deny ip 10.37.35.0 255.255.255.128 any log debugging

access-list LIFTS-FWSM-TRANSIT_access_in extended deny ip object-group G-LIFTS object-group G-RFC1918 log debugging

access-list LIFTS-FWSM-TRANSIT_access_in extended deny ip object-group G-LIFTS any log debugging

access-list LIGHTING-FWSM-TRANS_access_in extended deny ip 10.37.48.0 255.255.255.128 object-group G-RFC1918 log debugging

access-list LIGHTING-FWSM-TRANS_access_in extended deny ip 10.37.48.0 255.255.255.128 any log debugging

access-list WIFI-GUESTS_access_in extended permit icmp any any

access-list WIFI-GUESTS_access_in extended deny ip 172.25.24.0 255.255.254.0 object-group G-RFC1918 log debugging

access-list WIFI-GUESTS_access_in extended deny ip 172.25.24.0 255.255.254.0 any log debugging

access-list MANSUITE-FWSM-TRANS_access_in extended permit icmp any any

access-list MANSUITE-FWSM-TRANS_access_in extended deny ip object-group G-MANSUITE object-group G-RFC1918 log debugging

access-list MANSUITE-FWSM-TRANS_access_in extended deny ip object-group G-MANSUITE any log debugging

access-list NETWORK-MANAGE_access_in extended permit ip any any

access-list METERING-FWSM-TRANSIT_access_in extended deny ip 10.37.43.0 255.255.255.128 object-group G-RFC1918 log debugging

access-list METERING-FWSM-TRANSIT_access_in extended deny ip 10.37.43.0 255.255.255.128 any log debugging

ip local pool MGMNT_VPN_clients 10.37.33.82-10.37.33.93 mask 255.255.255.240

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any OUTSIDE

icmp permit any IPT-TRANSIT

icmp permit any SHOPALT-VOICE-TRANS

icmp permit any VACINITEE-FWSM-TRANS

icmp permit any NETWORK-MANAGE

icmp permit any CCTV-FWSM-TRANS-OFFICE

icmp permit any CCURE-FWSM-TRANS-OFFICE

icmp permit any LIGHTING-FWSM-TRANS

icmp permit any MANSUITE-FWSM-TRANS

icmp permit any BMS-FWSM-TRANSIT

icmp permit any METERING-FWSM-TRANSIT

icmp permit any IPTV-FWSM-TRANSIT

icmp permit any LIFTS-FWSM-TRANSIT

icmp permit any WIFI-GUESTS

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (IPT-TRANSIT,OUTSIDE) source dynamic any interface

nat (SHOPALT-VOICE-TRANS,OUTSIDE) source dynamic any interface

nat (VACINITEE-FWSM-TRANS,OUTSIDE) source dynamic any interface

nat (CCTV-FWSM-TRANS-OFFICE,OUTSIDE) source dynamic any interface

nat (CCURE-FWSM-TRANS-OFFICE,OUTSIDE) source dynamic any interface

nat (LIGHTING-FWSM-TRANS,OUTSIDE) source dynamic any interface

nat (MANSUITE-FWSM-TRANS,OUTSIDE) source dynamic any interface

nat (BMS-FWSM-TRANSIT,OUTSIDE) source dynamic any interface

nat (METERING-FWSM-TRANSIT,OUTSIDE) source dynamic any interface

nat (LIFTS-FWSM-TRANSIT,OUTSIDE) source dynamic any interface

nat (IPTV-FWSM-TRANSIT,OUTSIDE) source dynamic any interface

nat (WIFI-GUESTS,OUTSIDE) source dynamic any interface

nat (NETWORK-MANAGE,OUTSIDE) source dynamic any interface

nat (NETWORK-MANAGE,OUTSIDE) source static 40Strand_entire_NW 40Strand_entire_NW destination static NETWORK_OBJ_10.37.33.80_28 NETWORK_OBJ_10.37.33.80_28 no-proxy-arp route-lookup

nat (BMS-FWSM-TRANSIT,OUTSIDE) source static any any destination static NETWORK_OBJ_10.37.33.80_28 NETWORK_OBJ_10.37.33.80_28 no-proxy-arp route-lookup

access-group IPT-TRANSIT_access_in in interface IPT-TRANSIT

access-group SHOPALT-VOICE-TRANS_access_in in interface SHOPALT-VOICE-TRANS

access-group VACINITEE-FWSM-TRANS_access_in in interface VACINITEE-FWSM-TRANS

access-group NETWORK-MANAGE_access_in in interface NETWORK-MANAGE

access-group CCTV-FWSM-TRANS-OFFICE_access_in in interface CCTV-FWSM-TRANS-OFFICE

access-group CCURE-FWSM-TRANS-OFFICE_access_in in interface CCURE-FWSM-TRANS-OFFICE

access-group LIGHTING-FWSM-TRANS_access_in in interface LIGHTING-FWSM-TRANS

access-group MANSUITE-FWSM-TRANS_access_in in interface MANSUITE-FWSM-TRANS

access-group BMS-FWSM-TRANSIT_access_in in interface BMS-FWSM-TRANSIT

access-group METERING-FWSM-TRANSIT_access_in in interface METERING-FWSM-TRANSIT

access-group IPTV-FWSM-TRANSIT_access_in in interface IPTV-FWSM-TRANSIT

access-group LIFTS-FWSM-TRANSIT_access_in in interface LIFTS-FWSM-TRANSIT

access-group WIFI-GUESTS_access_in in interface WIFI-GUESTS

route OUTSIDE 0.0.0.0 0.0.0.0 195.62.201.193 1

route MANSUITE-FWSM-TRANS 10.37.33.0 255.255.255.0 10.37.33.254 1

route IPT-TRANSIT NET-VOICE-IPT 255.255.255.0 10.37.34.254 1

route SHOPALT-VOICE-TRANS NET-SHOPALT-VOICE 255.255.255.128 10.37.35.254 1

route VACINITEE-FWSM-TRANS NET-VACINITEE-THINCLIENT 255.255.255.128 10.37.35.246 1

route CCTV-FWSM-TRANS-OFFICE 10.37.36.0 255.255.255.0 10.37.38.254 1

route CCURE-FWSM-TRANS-OFFICE NET-CCURE-ACCESSDATA-OFFICE 255.255.255.0 10.37.39.254 1

route BMS-FWSM-TRANSIT NET-BMS-DATA 255.255.254.0 10.37.46.230 1

route METERING-FWSM-TRANSIT NET-METERING-DATA 255.255.255.0 10.37.43.254 1

route NETWORK-MANAGE NET-WIFI-AP-MANAGEMENT 255.255.255.0 10.37.32.1 1

route IPTV-FWSM-TRANSIT 10.37.45.0 255.255.255.0 10.37.45.254 1

route LIFTS-FWSM-TRANSIT 10.37.46.0 255.255.255.0 10.37.46.254 1

route LIGHTING-FWSM-TRANS NET-LIGHTING-SRV 255.255.255.0 10.37.48.254 1

NAT-Control feature in ASA 8.4(2)

varrao — Mon, 29 Aug 2011 18:07:42 GMT

Hi,

Looking at your configuration I am sure you mighty be having issues with traffic flow, because I see a lot of deny ACL's in your config:

access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE object-group G-RFC1918 log debugging

access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE any log debugging

access-group CCTV-FWSM-TRANS-OFFICE_access_in in interface CCTV-FWSM-TRANS-OFFICE

Similarly many more, can you explain me y you need these?

This wold definitely block your traffic flow.

Thanks,

Varun