topic Re: Does deny statement in NAT0 ACL bypass NAT in Network Security

Does deny statement in NAT0 ACL bypass NAT

bluesteel — Mon, 11 Mar 2019 19:16:52 GMT

Hi,

I have a NAT exemption question with regards to the order of operation. If the NAT0 ACL specifies a traffic flow with a deny statement (i.e do not nat exempt) would this flow be regarded as having completed the NAT obligation imposed by the order of operations (i.e ACL, NAT, Route). In other words if this deny statement in the NATO ACL was related to a VPN would this flow be allowed over the VPN unchanged or would it have to be nat'd before?

Regards

Daniel

Re: Does deny statement in NAT0 ACL bypass NAT

Federico Coto Fajardo — Tue, 30 Nov 2010 22:11:46 GMT

Daniel,

I cannot test it right now.. but I believe that if you have a deny statement in NAT0 ACL, it means it won't be checked against that rule.

It means, it could be checked against any other NAT rule (in order of precedence)....

However, will be a good thing to confirm.

Federico.

Re: Does deny statement in NAT0 ACL bypass NAT

Federico Coto Fajardo — Tue, 30 Nov 2010 22:32:48 GMT

Actually I just did a quick test...

My PC 1.1.1.1 is going through an ASA doing PAT.

I add a line:

access-list nonat deny ip host 1.1.1.1 any

nat (inside) 0 access-list nonat

Since it's a deny statement, my PC is using the PAT address to the Internet (after clearing the xlates/conns).

Federico.

Re: Does deny statement in NAT0 ACL bypass NAT

Kureli Sankar — Wed, 01 Dec 2010 02:38:56 GMT

Awesome Federico.

nat 0 acl - can contain deny lines but, cannot contain ports and protocols

policy nat acl - cannot contain deny lines but, can contain ports and protocols

-KS

Re: Does deny statement in NAT0 ACL bypass NAT

bluesteel — Wed, 01 Dec 2010 09:16:25 GMT

Thanks Federico,

I also worked it out in GNS3 last night , NAT is a nightmare lol

Re: Does deny statement in NAT0 ACL bypass NAT

Federico Coto Fajardo — Wed, 01 Dec 2010 13:55:27 GMT

Daniel,

Wait till you play with NAT in version 8.3 🙂

If you found the answer helpful please consider rating the threat and mark it as answered.

Thank you.

Federico.

Hello, Digging up an old post

colossus1611 — Thu, 24 Sep 2015 06:18:53 GMT

Hello,

Digging up an old post here, but need some assistance with Nat0 Conversion here.

How do you convert the deny statements in Nat0 from pre-8.3 to 8.3+ ?

So if I have

access-list nonat deny ip host 1.1.1.1 any

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

How do I convert that to 8.3+ such that 1.1.1.1 does not get exempted if I have a permit ip any any statement at the end?

Thank you for your help. 🙂

Hi,You don't need to do

Vibhor Amrodia — Thu, 24 Sep 2015 13:31:02 GMT

Hi,

You don't need to do anything for the same. Just check if there is any NAT statement for the 1.1.1.1 IP address and use that NAT above the Manual NAT for the permit IP any any.

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor. So as long as

colossus1611 — Fri, 25 Sep 2015 07:08:01 GMT

Thanks Vibhor. So as long as I do a any any nonat statement with specific nat rules for those deny statement on PIX, that should cover it.

Hi,Yes , That should cover it

Vibhor Amrodia — Fri, 25 Sep 2015 16:12:12 GMT

Hi,

Yes , That should cover it. You can still verify using the packet tracer on the ASA device.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia