topic Nat 0 vs static NAT in Network Security

Nat 0 vs static NAT

victor_87 — Mon, 11 Mar 2019 14:44:32 GMT

We have a cisco 5510 connected to a LAN segment with a cisco 6500 and multiple vlan's. and using Class B address range.

We have a NAT device (Non-cisco product ) on top of the Cisco ASA-5510 handling all the static and Dynamic NAT.

We have lots of internet users and about 50-60 servers all in the Lan segment.

since the ASA is not doing the NAT i can use

nat (inside) 0 172.16.0.0 255.255.0.0

to exempt all traffic from NAT right??

but when i do this i am having issues accessing a few servers from the outside that have been Static NAT on my NAT device. ( this is the problem only with few servers, all others are fine and normal internet users also have no issues to the best of my knowledge).

I have found a remedy by using something like

static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Everything is working perfect with this instead of the "NAT 0"

What could be causing the access issue with NAT 0.

Re: Nat 0 vs static NAT

celiocarreto — Mon, 02 Feb 2009 18:26:11 GMT

Hi,

the reason is that nat0() will only work from inside to outside. When an inside-server opens a connection to outside, the asa "knows" the server and have an entry in the NAT table.

If the server do not access the outside world, the asa do not "know" the server.

Your static NAT make a permanent entry into the NAT table.

I had this Problem with a client, that wanted to use public IPs inside the ASA. Only when the server has opened a connection an inbound connection was successful. With the "fake" NAT everything is fine.

Regards, Celio

Re: Nat 0 vs static NAT

victor_87 — Tue, 03 Feb 2009 01:59:59 GMT

Probably u didn't get me, traffic i mentioned is moving from inside to Outside itself.

Re: Nat 0 vs static NAT

victor_87 — Tue, 03 Feb 2009 16:51:29 GMT

Ok thanku i got my solution

nat (inside) 0 172.16.0.0 255.255.0.0

this is IDENTITY NAT (allowed only from inside to outside,) connections cannot be initiated from outside to inside

nat (inside) 0 access-list test

access-list test ext permit ip 172.16.0.0 255.255.0.0 any

This is NAT EXEMPTION

This allows connections to be initiated from outside to inside.

I think everyone must understand the difference between the two, they appear so similar.

Re: Nat 0 vs static NAT

game123 — Thu, 16 Feb 2012 08:18:21 GMT

Static command serves bi directional in logic while all other nat commands are uni directional !

Kamran

Sent from Cisco Technical Support iPad App

Re: Nat 0 vs static NAT

Patrick0711 — Thu, 16 Feb 2012 14:46:25 GMT

Unfortunately it's not that simple. While the configurations are similar in the sense that they can both perform NAT exemption, identity NAT (via a static) enters a permanent entry in the xlate table whereas the NAT 0 does not create an entry in the xlate table but DOES add entries to the NAT table from the interface listed in the nat 0 command to all equal or lower security level interfaces.

Your assumptions are incorrect...at least partially. The Cisco documentation ( the Cisco ASA and PIX Firewall Handbook) states that with a nat 0 configuration, traffic must be initiated from the higher security level interface before traffic will be allowed in from the lower security level interface. It goes in to state that identity NAT via a static is bidirectional and traffic can be initiated from either interface. This is true for SOME code versions but not all. In 8.2(2), both nat 0 and identity nat are bidirectional and function identically.

Now, one key difference between these two (which sounds related to you scenario) is the order in which they are processed. nat 0 is processed before all static nat entries. Static nat is processed in the order in which the entries are added.