topic static nat identity and static map in Network Security

static nat identity and static map

danilodicesare — Mon, 11 Mar 2019 16:43:45 GMT

Hi all,

i've got a doubt....

i have to do nat identity for a /25 but 2 addresses of that /25 must be mapped:

static (inside,outside) udp 1.1.1.1 53 2.2.2.1 53 netmask 255.255.255.255

static (inside,outside) udp 1.1.1.2 53 2.2.2.2 53 netmask 255.255.255.255

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

i think will work even if i've got a WARNING message like

mapped-address conflict

if i perform a show xlate i can see before first 2 entries and then third one.

do you think i'll have any issue? may you know better or more elegant way to do this?

tnx

Dani

Re: static nat identity and static map

jan.nielsen — Sun, 29 Nov 2009 20:21:28 GMT

Should be ok, since the first two statics are more specific than the broad network static. If it doesn't work, you could try a policy static nat instead for the two ips.

access-list hosta permit ip host 2.2.2.1 any

access-list hostb permit ip host 2.2.2.2 any

static (inside,outside) 1.1.1.1 access-list hosta

static (inside,outside) 1.1.1.2 access-list hostb

Re: static nat identity and static map

danilodicesare — Sun, 29 Nov 2009 20:39:35 GMT

tnx Jan,

maybe i was wrong before 'cause i wanna mean:

static (inside,outside) udp 2.2.2.1 53 1.1.1.1 53 netmask 255.255.255.255

static (inside,outside) udp 2.2.2.2 53 1.1.1.2 53 netmask 255.255.255.255

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

of course your answer is the same ::)

access-list hosta permit ip host 1.1.1.1 any

access-list hostb permit ip host 1.1.1.2 any

static (inside,outside) 2.2.2.1 access-list hosta

static (inside,outside) 2.2.2.2 access-list hostb

but other question is....how can add those entries later.

so i've already got a command like

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

and i have to add more specific...do i need to do 'no static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0', add more specific entry and then add again less specific entry?

maybe there is a tricky NAT entry that i can add without removing temporarly other one.

tnx a lot

Dani

Re: static nat identity and static map

Kureli Sankar — Sun, 29 Nov 2009 23:45:29 GMT

Dani,

How about nat exemption with an acl and deny these two hosts from that acl and add statics for these two hosts.

Here is the nat order of operations.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

-KS

Re: static nat identity and static map

danilodicesare — Mon, 30 Nov 2009 07:33:43 GMT

hi,

must be the right way....

so if i need inside to outside untranslated and outside to inside untranslated + some static mapping il'll do:

PIX1# show running-config nat
nat (inside) 0 access-list nat_exemption --> i wanna inside host to communicate untranslated to external host
nat (outside) 0 access-list nat_exemption --> i wanna outside world to communicate untranslated to internal host

PIX1# show running-config static
static (inside,outside) 7.7.7.7 2.2.2.1 netmask 255.255.255.255 --> i wanna map real ip 2.2.2.1 with 7.7.7.7
static (inside,outside) 7.7.7.8 2.2.2.4 netmask 255.255.255.255 --> i wanna map real ip 2.2.2.4 with 7.7.7.8

PIX1# show running-config access-list
access-list all extended permit ip any any
access-list nat_exemption extended deny ip host 2.2.2.4 any
access-list nat_exemption extended deny ip host 2.2.2.1 any
access-list nat_exemption extended permit ip 2.2.2.0 255.255.255.128 any

i think is the right solution right?

tnx

Dani

Re: static nat identity and static map

Kureli Sankar — Mon, 30 Nov 2009 14:26:08 GMT

Dani,

We don't translate the source from low to high so, there is no need for nat (outside) 0 access-list nat_exemption. Also, nat 0 with an acl applied on the inside will allow traffic to be initiated from the outside. It is bi-directional.

Yes, this is the best way. The acl looks correct.

Good luck.

-KS