Beginner

ASA NAT

Please explain this configuration. What kind of NAT is it using and how can I learn how to configure it?

nat (any,outside) source static OBJECT-GROUP-1 OBJECT-GROUP-1 destination static OBJECT-GROUP-2 OBJECT-GROUP-2 no-proxy-arp route-lookup

nat (any,outside) after-auto source dynamic any interface

Accepted Solution
Participant

Re: ASA NAT

The ASA has 3 main categories of NAT - manual NAT, object NAT (auto NAT), and manual NAT after auto.

These are actually applied in sequential order like an ACL.

sh nat - will show the order of the rules

sh run nat - to see the actual NAT config

This is using static NAT - this entry is also known as NAT exemption and is often used for VPN traffic.

For traffic using any ingress interface and egressing the outside interface - this NAT rule will apply.

obj-grp 1 has a static mapping to itself only when the dest is obj-grp 2.

Cisco recommends using no-proxy-arp and route-lookup - so the ASA interface won't send ARP for the next hop and will use the route table for traffic.

regards, mk

4 REPLIES
VIP Advisor

Re: ASA NAT

When going out of the outside interface from OBJECT-GROUP-1 to OBJECT-GROUP-2, you don't do any NAT. For the rest of the traffic going out of interface outside you PAT (or hide-nat/masquerade) the source to the IP of the outside interface.

For learning more, Jouni's intro is still a good read:

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

Beginner

Re: ASA NAT

This document you provided a link for was very helpful in providing an overview of the new NAT. Exactly what I was searching for.

This configuration I provided is for a VPN tunnel, so it seems the first statement is identity NAT, which is a variation of Twice NAT / Manual NAT, in Section 1. Its purpose appears to be to not do NAT for the traffic from the first object group to the second object group or backwards, i.e. "no NAT for either source or destination networks".

The second NAT statement appears to be dynamic PAT, implemented using Twice NAT / Manual NAT, in Section 3, and must serve to NAT traffic that is not contained in the object groups.
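
To make the section ordering from the accepted answer and the identity NAT / dynamic PAT classification in the reply above concrete, here is an added Python example (not part of the thread, not Cisco's code) that parses `show run nat` output into the ASA's three NAT sections, lists the rules in evaluation order, and labels identity NAT (exemption) versus dynamic PAT to the interface. The sample output and the WEB-SERVER object NAT entry are constructed for the demo; within section 2 only the static-before-dynamic ordering is modelled.

```python
import re

# Constructed `show run nat` sample (not from the thread): the thread's two manual NAT
# lines plus one object NAT entry, so that all three ASA NAT sections are represented.
SAMPLE = """\
nat (any,outside) source static OBJECT-GROUP-1 OBJECT-GROUP-1 destination static OBJECT-GROUP-2 OBJECT-GROUP-2 no-proxy-arp route-lookup
!
object network WEB-SERVER
 nat (inside,outside) static 203.0.113.10
!
nat (any,outside) after-auto source dynamic any interface
"""

MANUAL_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) (?:(?P<after>after-auto) )?"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?")
OBJECT_RE = re.compile(
    r"^\s+nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)")

def parse_nat_rules(show_run_nat):
    """One dict per NAT rule, tagged with the ASA section it lands in (1, 2 or 3)."""
    rules, obj = [], None
    for line in show_run_nat.splitlines():
        if line.startswith("object network "):
            obj = line.split()[2]           # real address of the object NAT that follows
        elif (m := MANUAL_RE.match(line)):  # manual NAT: section 1, or 3 if after-auto
            d = m.groupdict()
            d["section"] = 3 if d.pop("after") else 1
            rules.append(d)
        elif obj and (m := OBJECT_RE.match(line)):  # object (auto) NAT: section 2
            rules.append({**m.groupdict(), "section": 2, "real": obj,
                          "dreal": None, "dmapped": None})
    return rules

def describe(rule):
    """Name the NAT type the way the accepted answer does."""
    if rule["kind"] == "static" and rule["real"] == rule["mapped"] \
            and rule["dreal"] == rule["dmapped"]:
        return "identity NAT (NAT exemption, typical for VPN traffic)"
    if rule["kind"] == "dynamic" and rule["mapped"] == "interface":
        return "dynamic PAT to the egress interface address"
    return f"{rule['kind']} NAT"

def evaluation_order(show_run_nat):
    """Rules in the order `show nat` evaluates them: section 1, then 2, then 3.
    Sections 1 and 3 keep config order; in section 2 static precedes dynamic
    (the ASA's finer section-2 tie-breaks are omitted here)."""
    rules = parse_nat_rules(show_run_nat)
    return sorted(rules, key=lambda r: (r["section"], r["section"] == 2 and r["kind"] == "dynamic"))
```

Running `evaluation_order(SAMPLE)` returns the exemption rule first, the object NAT second and the after-auto PAT last, which is the order the first-match lookup on the box would use.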


