Nonat gets removed when we enable access on TCP level in ASA 8.0.5

Pranav Gade (Level 1)

Hi,

We are using Cisco ASA 5550 with version 8.0.5.

We have the setup below in our network:

Site 1                        Site 2
  |                             |
 Fw -------> Metro ------> Int Fw ----Internet

Setup -

- Each site has a Cisco ASA 5550 with version 8.0.5, wherein nat-control is enabled on both FWs.

- If we want to access the internet from Site 1 we need to put an inside ACL and put a nonat for that.

- Then it will come to the site 2 firewall, and after putting an ACL and PAT it goes to the internet from site 2.

Questions-

1) I would like to know how the NO NAT statement works on ASA.

For instance I have:

nat (INSIDE) 0 access-list NO-NAT

In the NO-NAT access list I only need to mention it at IP level, because when I entered the access list with TCP statements it removed the nat 0 statement from the interface and gave the error that nat (INSIDE) 0 was removed:

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

nat (INSIDE) 0 access-list NO-NAT

Is this behaviour of ASA normal?

Why does nonat get removed when we enable access on TCP level? If this is normal behaviour, what is the purpose behind it?

Do we have any alternative or solution for the same?

2) Do we need to have nat-control enabled on an ASA where the internet gateway is not configured?

Is there any impact if we disable nat-control where the internet gateway is not configured, e.g. in site 1 as per our setup?

It would be really great if anyone can explain this and give us a solution for the same.

Regards

Pranav

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

Cisco documentation and the warning message states that NAT0 access-list configuration can only contain "permit ip" statements between hosts/networks.

The reason why the NAT0 configuration gets removed is that you add an ACL statement which makes the ACL incompatible with the NAT0 configuration.

The only NAT configuration where using "permit tcp" or "permit udp" is accepted is Policy NAT/PAT configurations.

I would highly suggest NOT using NAT for controlling access through the firewall. If you ever happen to upgrade to software level 8.3 or newer then the "nat-control" will be no more and you can't even do this anymore.

I would suggest using interface-based ACLs to control what traffic/connections are allowed through the ASA firewall.

If you remove "nat-control" there shouldn't be any problems. The problematic situation might more likely be if you wanted to ADD "nat-control" to an existing environment. Removing the "nat-control" should mean that the Site1 ASA would no longer require a NAT configuration for certain traffic to pass. Naturally other things could still affect whether the connection goes through or not.

The default setting on the ASA should be that "nat-control" is DISABLED.

Here is what the Cisco documentation says:

Default Settings

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See Chapter 29, "Configuring Dynamic NAT and PAT," for more information about how dynamic NAT is applied.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1043201

If your Site1 ASA doesn't have any local Internet connection and has no need to NAT IP addresses locally, you might even be able to remove "nat-control" and remove all NAT configurations from the ASA if you wanted. Alternatively you could simply configure NAT0 for each local network of Site1 towards any other network, since Site2 should be the only device doing NAT towards the Internet.

Hope this helps.

Please remember to mark a reply as the correct answer if it answered your question.

Naturally ask more if needed

- Jouni
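The advice above, written out as ASA 8.0.x configuration. This is an added example, not configuration posted in the thread: the interface name INSIDE and the ACL name NO-NAT come from the question, while the networks, ports and the INSIDE-IN ACL name are constructed placeholders. It keeps the NAT exemption ACL at IP level, moves the TCP-level restriction into the interface ACL, and shows the optional removal of nat-control for a site with no local Internet gateway.

```cisco
! Added example (not from the thread). ASA 8.0.x syntax; 10.1.0.0/16 stands
! for Site 1 and 10.2.0.0/16 for Site 2. Both are constructed placeholders.

! 1. NAT exemption (NAT0): the ACL holds only "permit ip" host/network entries.
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 any
nat (INSIDE) 0 access-list NO-NAT

! A port-specific entry in the same ACL is what produces
! "ERROR: ACE contains port, protocol, or deny. Removing NAT configuration":
!   access-list NO-NAT extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
! Keep such entries out of the NAT0 ACL.

! 2. Control what is allowed through the firewall with the interface ACL,
!    not with NAT. Ports and protocols belong here.
access-list INSIDE-IN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface INSIDE

! 3. Optional, for the site with no local Internet gateway: stop requiring
!    a matching NAT rule before traffic can pass at all.
no nat-control

! Verify the result:
!   show running-config nat-control
!   show running-config nat
!   show running-config access-list NO-NAT
```

With nat-control removed, the NAT0 entries stop being a second access-control layer and the INSIDE-IN ACL alone decides what leaves Site 1; the explicit "deny ip any any" at the end of that ACL keeps the behaviour visible in "show access-list" hit counts rather than relying on the implicit deny.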

Hi Jouni,

Really, thanks for your reply...

Can you please share with me any Cisco document related to the point that the NAT0 access-list configuration can only contain "permit ip", and that if by chance we enable nat 0 at TCP level the nat 0 statement gets removed?

Is this same function applicable for all IOS versions previous to 8.3 on Cisco ASA?

Can you please also tell me the advantages and disadvantages of nat-control so it will help me to deep dive on it.

One small addition to the setup of our office:

                  Site 3
                    |
Site 1             MPLS        Site 2
  |                              |
 Fw -------> Metro ------> Int Fw ----Internet

Sites get connected to the other sites with MPLS, wherein I think just because of nat-control being enabled on the site 1 ASA we need to do MPLS NAT on the site 1 firewall for internal site communication. (Note: we only have one internet gateway, which is in site 2.)

If we disable nat-control on site 1, then what things do we need to take into consideration? If we enable access in the ACL, and as there is already MPLS NAT enabled in the current config in site 1, then is there anything we need to add for the MPLS connection?

Regards

Hi,

A Cisco document mentions the following, for example:

To configure NAT exemption, enter the following command:

hostname(config)# nat (real_interface) 0 access-list acl_name [outside]

Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section). This access list can include both permit ACEs and deny ACEs. Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support ACL with all inactive and time-range ACEs.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541

It's the ASA Configuration Guide for software level 8.0.

The "nat-control" doesn't exist in the 8.3 and later software anymore, so you can't configure that there.

I personally don't use the "nat-control" as I don't want the NAT configuration to define what traffic is allowed and what is not. I simply configure those in the interface ACLs.

To my understanding, if you remove "nat-control" on Site1 then nothing should really change drastically. I mean you currently have a setting that REQUIRES NAT for traffic to pass the firewall, and the configuration you would be changing is to remove this limitation. So some traffic might be able to pass the firewall that was not allowed to pass before. Then again, the traffic that is going through now according to the NAT configurations should continue to do so.

- Jouni
