topic Re: NAT Exempt not working in Network Security

NAT Exempt not working

mulhollandm — Mon, 11 Mar 2019 17:01:38 GMT

folks

i have an asa 5540 & i'm trying to allow an outside IP through the asa & into another firewall's dmz on the inside interface

the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c

i have a nat exempt rule allowing 145.a.b.c/32 to talk to 194.a.b.c using inbound traffic but i get a no tranlsation group found

the firewall's external interface is directly connected to 145145.a.b.c and it has a route via its inside interface to 194.a.b.c

i can see the access rule incrementing and i can see a packet capture showing the source address trying to get to the destination address on the outside interface where the traffic arrives

there is nothing from the packet capture showing traffic leaving the external interface

anyone any ideas?

thanks to anyone taking the time to respond or post a reply

gratefully appreciated

Re: NAT Exempt not working

Kureli Sankar — Tue, 26 Jan 2010 13:59:22 GMT

What do the logs show when it breaks? Could you pls. post the output of

sh run nat

with the access-list if nat 0 is tied to an acl?

You can also do packet-tracker. You can use "?" and fill out the command very easily and see where it is getting dropped.

-KS

Re: NAT Exempt not working

rbermel83 — Tue, 26 Jan 2010 15:59:34 GMT

Can you post your commands to configure the NAT exempt?

Re: NAT Exempt not working

Kureli Sankar — Tue, 26 Jan 2010 17:40:21 GMT

Topology:

Internet---ASA5540--FW--dmz(194.a.b.c)

the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c

Is this topology correct? What FW is the one on the inside? another ASA?

On the 5540 you are translating the 194.a.b.c to 145.a.b.c and on the one on the inside you are just doing identity translation or nat exempton?

Which firewall is logging no translation group?

You should do nat exemption or identity static on the inside firewall.

example:

nat (dmz) 0 access-list dmz-server

access-list dmz-server permit ip host 194.a.b.c any

static (dmz,outside) 194.a.b.c 192.a.b.c

-KS

Re: NAT Exempt not working

rbermel83 — Tue, 26 Jan 2010 17:48:50 GMT

What are you trying to accomplish? If you are just trying to allow use of a service like http then using a static nat like

static (dmz,outside) 194.a.b.c 192.a.b.c would be fine with an access list allowing the neccessary service.

access-list outside_access_in permit tcp any host 145.a.b.c 255.255.255.255 eq http

If you are trying to allow already trusted traffic access to a system then using the nat exemption would be neccessary.

Re: NAT Exempt not working

mulhollandm — Tue, 26 Jan 2010 19:55:55 GMT

rbermel83

i'm trying to allow traffic from an external host, 145.a.b.c, to an internal host, 194.a.b.c but i need to allow the traffic from the external host through without any translation

the access rule is allowing traffic from the outside to the inside for tcp DNS

thanks

Re: NAT Exempt not working

mulhollandm — Tue, 26 Jan 2010 20:00:25 GMT

kusankar

many thanks for your reply

your topology is correct but i want to allow 145.a.b.c. through the firewall, from the outside to the inside, without translation

i have no other nat rules from outside to inside

i have an access rule allowing traffic from the outside, 145.a.b.c, to the inside, 194.a.b.c, and i'm seeing hits on it but my syslog shows 'no translation group.......'

thanks for taking the time to look at this

i'm wondering if a nat exemption is the right action since i don't have any other nat in the relevant direction outside to inside - maybe i just use a static nat to nat the source to itself but i only want it to apply to traffic to the destination i've specified

Re: NAT Exempt not working

mulhollandm — Tue, 26 Jan 2010 21:36:51 GMT

kusankar/rbermel83

folks

i've just got this working by inverting the exempt statement

i changed the direction of the config in the gui & it works grand

i'm still a bit confused as it undermines my belief that i understood how to configure nat on an asa!

thanks to both of you for contributing

Re: NAT Exempt not working

Kureli Sankar — Tue, 26 Jan 2010 21:50:46 GMT

I need to clearly understand what nat exemption that you reversed and on which firewall so, I can explain why you needed to do that.

Clearly copy and paste the lines and indicate which firewall you added it to.

-KS

Re: NAT Exempt not working

mulhollandm — Tue, 26 Jan 2010 22:26:46 GMT

kusankar

old config

nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

new config

nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound_1 line 1 extended permit ip host 194.a.b.c host 145.a.b.c

i only needed to re-configure my external ASA as the traffic wasn't even getting to the internal firewall

i'd be keen to hear your views and if you need i can draft up a quick topology diagram

Re: NAT Exempt not working

Kureli Sankar — Tue, 26 Jan 2010 22:59:03 GMT

nat exemption with an acl is bidirectional by default - provided you apply that on the higher security interface.

You did what I had suggested which to apply nat 0 on the inside or dmz interface with an acl.

Earlier you had provided exemption for the host 145.a.b.c that lived on the outside. That is incorrect.

nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

This firewall probably logged no translation group messages.

-KS

Re: NAT Exempt not working

mulhollandm — Tue, 26 Jan 2010 23:15:02 GMT

kusankar

many thanks my friend