Beginner

5512x 8.6.1 NAT and route-lookup behaviour

Hi guys.

I was wondering if anyone has any experience with the new 5512x firewalls and NAT egress interfaces.

In the past I know it was possible, using destination NAT, to push traffic out of a specific interface; the example being where you have 2 ISP connections.

However, following many different examples and logic, I cannot get this to work on this version.

Using packet tracer, the firewall is consistently performing route-lookup first in spite of a matching NAT statement with the destination interface chosen.

Does anyone have any ideas?

Many thanks.


9 REPLIES
Cisco Employee

5512x 8.6.1 NAT and route-lookup behaviour

Hi Mike,

Normally the egress interface is determined by the NAT rule.

Route-lookup is performed when that is not possible (no interface specified in the nat command).

For identity NAT that behaviour changed in 8.4.2.

Before, it was always using route-lookup; starting from 8.4.2 it's not - you need to add "route-lookup" to get that functionality. "Route-lookup" will be available for identity NAT only when you specify both ingress and egress interfaces.

There were no big changes regarding NAT when moving from 8.4.2 to 8.6.

---

Michal

Beginner

5512x 8.6.1 NAT and route-lookup behaviour

Thanks Michal.

I've read the notes for 8.4.2+ and it all sounds correct.

I can see that it is definitely performing route-lookup first, though, whatever I do, and is clearly ignoring the NAT statements.

Have you configured this yourself?

Mike

Cisco Employee

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Mike, it depends on your rules; can you show me:

1. your NAT rules
2. packet-tracer results

I have configured rules (especially when using 2 ISPs) where the first step was UN-NAT.

Example from my lab (version 8.4.2) - I expect the same results on 8.6.

10.0.3.2 - R3_REAL on inside
10.0.3.100 - ASA-TO-R3-NATTED (address used as destination for packet tracer)
10.0.1.2 - R1_REAL on outside

ASA# packet-tracer input inside icmp 10.0.3.2 8 0 10.0.3.100 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (outside,inside) source static R1_REAL ASA-TO-R3-NATTED destination static R3_REAL R3_REAL

Additional Information:

NAT divert to egress interface outside

Untranslate 10.0.3.100/0 to 10.0.1.2/0

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd996e7b0, priority=0, domain=inspect-ip-options, deny=true

        hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 3

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd996e388, priority=66, domain=inspect-icmp-error, deny=false

        hits=3, user_data=0xd996d9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source dynamic any ASA-TO-R1-NATTED destination static R1_REAL R1_REAL

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd99909c0, priority=6, domain=nat, deny=false

        hits=3, user_data=0xd998fe90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=10.0.1.2, mask=255.255.255.255, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (outside,inside) source static R1_REAL ASA-TO-R3-NATTED destination static R3_REAL R3_REAL

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd9994190, priority=6, domain=nat-reverse, deny=false

        hits=3, user_data=0xd9993760, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.0.3.2, mask=255.255.255.255, port=0

        dst ip/id=10.0.1.2, mask=255.255.255.255, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 8, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

---

Michal

Beginner

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Thanks again for the reply.

I've stripped it down completely and now only have 3 NAT rules.

I've tried manual NAT for server1 to force out of adsl3 and object NAT on server2 to force out of adsl5.

The packet tracer below was using SERVER1 (10.103.1.16, for reference) connecting to 8.8.8.8 on http.

It always drops to the adsl4 NAT rule after performing a route-lookup.

---------------------NAT------------------------
nat (Office,VDSL3) source static SERVER1 interface
!
object network SERVER2
nat (Office,VDSL5) static interface no-proxy-arp
!
nat (Office,VDSL4) after-auto source dynamic Office_net interface

----------------------TRACE------------------

packet-tracer input office tcp 10.103.1.16 33111 8.8.8.8$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         128.0.0.0       VDSL4

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Office_access_in in interface Office

access-list Office_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 any log warnings

access-list Office_access_in

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq https

object-group network DM_INLINE_NETWORK_2

network-object object SERVERS

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fffa3af88b0, priority=13, domain=permit, deny=false

        hits=138, user_data=0x7fff9ecc7840, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=10.103.1.16, mask=255.255.255.252, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

        input_ifc=Office, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fffa2c473f0, priority=0, domain=inspect-ip-options, deny=true

        hits=484019, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=Office, output_ifc=any

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map global-class

match default-inspection-traffic

policy-map global-policy

class global-class

  inspect http

service-policy global-policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fffa3afcc80, priority=70, domain=inspect-http, deny=false

        hits=39746, user_data=0x7fffa365b4c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

        input_ifc=Office, output_ifc=any

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Office,VDSL4) after-auto source dynamic Office_net interface

Additional Information:

Dynamic translate 10.103.1.16/33111 to 192.168.4.1/61816

Forward Flow based lookup yields rule:

in  id=0x7fffa41076f0, priority=6, domain=nat, deny=false

        hits=28600, user_data=0x7fffa4a905e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.103.1.0, mask=255.255.255.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=Office, output_ifc=VDSL4

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7fffa2b5bb50, priority=0, domain=inspect-ip-options, deny=true

        hits=135327, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=VDSL4, output_ifc=any

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 628321, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_inspect_http

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_inspect_http

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: Office

input-status: up

input-line-status: up

output-interface: VDSL4

output-status: up

output-line-status: up

Action: allow
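As an added check for the symptom Mike describes (example code written for this thread, not Cisco's or any poster's), the script below parses packet-tracer output and reports whether Phase 1 was an UN-NAT that diverted to an egress interface or a plain ROUTE-LOOKUP, which is the difference between Michal's lab trace and Mike's. The two sample traces are constructed, abbreviated copies of the shapes posted above.

```python
# Added example for this thread (not Cisco's or any poster's code): parse ASA
# packet-tracer output and report whether the egress interface was chosen by
# NAT ("UN-NAT" with "NAT divert to egress interface X") or by a plain
# ROUTE-LOOKUP. Sample traces are constructed, abbreviated copies of the thread's.
import re

TYPE_RE = re.compile(r"^Type: (\S+)")
DIVERT_RE = re.compile(r"^NAT divert to egress interface (\S+)")
ROUTE_RE = re.compile(r"^in\s+\S+\s+\S+\s+(\S+)$")  # "in 0.0.0.0 128.0.0.0 VDSL4"
OUTIF_RE = re.compile(r"^output-interface: (\S+)")


def analyse_trace(text):
    r = {"first_phase": None, "egress_by": "unknown",
         "divert_ifc": None, "route_ifc": None, "output_ifc": None}
    phase = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TYPE_RE.match(line):
            phase = m.group(1)
            r["first_phase"] = r["first_phase"] or phase
        elif (m := DIVERT_RE.match(line)) and phase == "UN-NAT":
            r["divert_ifc"] = m.group(1)  # the NAT rule picked the egress interface
        elif (m := ROUTE_RE.match(line)) and phase == "ROUTE-LOOKUP":
            r["route_ifc"] = m.group(1)  # the routing table picked it
        elif m := OUTIF_RE.match(line):
            r["output_ifc"] = m.group(1)
    if r["first_phase"] == "UN-NAT" and r["divert_ifc"]:
        r["egress_by"] = "nat"
    elif r["first_phase"] == "ROUTE-LOOKUP":
        r["egress_by"] = "route-lookup"
    return r


TRACE_NAT_FIRST = """\
Phase: 1
Type: UN-NAT
NAT divert to egress interface WAN-SEC
Phase: 2
Type: NAT
output-interface: WAN-SEC
"""
TRACE_ROUTE_FIRST = """\
Phase: 1
Type: ROUTE-LOOKUP
in   0.0.0.0         128.0.0.0       VDSL4
Phase: 2
Type: NAT
output-interface: VDSL4
"""
```

Feed it the full `packet-tracer ... detailed` output after each NAT change; when `egress_by` flips from `route-lookup` to `nat`, the rule is steering the egress interface as intended.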

Mentor

5512x 8.6.1 NAT and route-lookup behaviour

Hi,

So I did a very simple test on my home ASA 5505 running 9.1(1) (Base License).

Here's my basic configuration.

Some notes:

  • WAN-SEC IP address is just a placeholder
  • There is a "no forward" configuration on the interface as I only have Base License on my home ASA
    • This doesn't, however, prevent traffic initiated from LAN -> WAN-SEC
  • x.x.x.x = My actual WAN public IP address
  • y.y.y.y = My actual WAN public IP gateway

INTERFACES

interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.10.2 255.255.255.0
!
interface Vlan10
description WAN
nameif WAN
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan20
no forward interface Vlan1
nameif WAN-SEC
security-level 50
ip address 10.10.234.1 255.255.255.0

ROUTES

route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1
route WAN-SEC 0.0.0.0 0.0.0.0 10.10.234.2 2

NAT OBJECTS

object service WWW
service tcp destination eq www
object service SMTP
service tcp destination eq smtp

NAT CONFIGURATIONS

nat (LAN,WAN) source dynamic any interface service WWW WWW
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
!
!
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

PACKET-TRACER OUTPUT

WWW-TRAFFIC

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

NAT divert to egress interface WAN

Untranslate 1.2.3.4/80 to 1.2.3.4/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

Dynamic translate 10.0.0.100/1025 to x.x.x.x/1025

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 112793, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

SMTP TRAFFIC

ASA# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 25

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

NAT divert to egress interface WAN-SEC

Untranslate 1.2.3.4/25 to 1.2.3.4/25

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

Dynamic translate 10.0.0.100/1025 to 10.10.234.1/1025

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: inspect-smtp

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

Phase: 8

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 112797, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-SEC

output-status: up

output-line-status: up

Action: allow

This was the only setup where I could get the "packet-tracer" output to seem what it's "supposed" to show when the traffic would leave through a different WAN interface.

Hopefully you can get something out of this. I won't be able to properly lab this unless I use equipment and WAN connections at my work. But that won't happen until maybe after a week or so.

Let me know if you have already tried this and it doesn't work. And also, if you haven't yet tried it, let me know whether it helped at all.

- Jouni

Cisco Employee

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Mike, add a destination or a service to this rule:

nat (Office,VDSL3) source static SERVER1 interface

---

Michal

Beginner

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Hi Michal.

The destination needs to be any as I want to statically source 1 server out of a particular ISP.

The service I could set but will this make a difference? Should any service not work for all services?

Mike

Cisco Employee

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Sorry, the direction needs to be the opposite. For

nat (Office,VDSL3) source static SERVER1 interface

If right now you try to access the VDSL3 interface from any IP on VDSL3, you will see UN-NAT to SERVER1, which will determine the egress interface as Office.

If you want to see that with your rule, change it to:

nat (VDSL3,Office) source static any any destination static interface SERVER1

Then your packet-tracer command will do UN-NAT for traffic going from SERVER1 (un-NAT to the interface address, with egress interface VDSL3).

---

Michal

Beginner

Re: 5512x 8.6.1 NAT and route-lookup behaviour

Perfect that did it!

Though I'm not 100% sure why.

I had thought that the original and reverse direction of the nat(office,vdsl3) should, in bidirectional mode, account for both incoming and outgoing, but clearly not.

Anyway, with nat(vdsl3,office) the NAT works in both directions. The port is diverted inbound, and outbound the egress interface is altered as expected.

Thanks for your time testing this. Much appreciated!

Mike