topic Re: Identity NAT on ASA running Version 9.0(1) in Network Security

Identity NAT on ASA running Version 9.0(1)

Bouki — Fri, 21 Feb 2020 15:36:57 GMT

Hi guys,

I cannot have access without Identity NAT configured.

Object: LAN

object network LAN
subnet 10.100.52.0 255.255.255.0

NAT:

object network LAN
nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup

I want to emphasise that there is not PAT configured and this is the only NAT statement configured on the box , without it I cannot access the Internet.

Why do I need the Identity NAT if there is no other statement shadowing it?

Many thanks

Re: Identity NAT on ASA running Version 9.0(1)

Rahul Govindan — Tue, 10 Apr 2018 17:10:54 GMT

That shouldn't be the case. Can you run a packet-tracer without the nat rule in place and share the ouput? Something like:

packet-tracer input inside tcp <client-ip> 12345 4.2.2.2 80 detailed

Re: Identity NAT on ASA running Version 9.0(1)

Bouki — Thu, 12 Apr 2018 10:16:08 GMT

Hi,

I apprecitae the quick reply.

Hi,

Thanks for the update.

Here is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log disable
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
nat (inside,outside) static 10.100.52.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.52.23/25685 to 10.100.52.23/25685

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect ftp
service-policy global_policy global
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 960453070, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Many thanks.

Re: Identity NAT on ASA running Version 9.0(1)

Rahul Govindan — Thu, 12 Apr 2018 15:38:25 GMT

Run one without the NAT in place.

Also, you mentioned that internet does not work without the identity NAT in place, correct? Is there another NAT device sitting ahead of this Firewall?