Solved: Quick check of Twice NAT understanding..

aLeffingwell · ‎04-17-2013

Hi All,

I'm working on a project and it's got me wading through miles of manual NAT (twice NAT) statements in an ASA 5510.. I'm looking at these things and going: WHY did this guy use twice NAT with destination?? .. here's a sample:

Manual NAT Policies (Section 1)
1 (Voice) to (outside) source static obj-10.2.100.0 obj-10.2.100.0 destination static obj-10.10.10.0 obj-10.10.10.0
    translate_hits = 864, untranslate_hits = 259907
2 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.10.10.0 obj-10.10.10.0
    translate_hits = 24803, untranslate_hits = 1166570
3 (Inside) to (outside) source static obj-10.132.0.0 obj-10.132.0.0 destination static obj-10.10.10.0 obj-10.10.10.0
    translate_hits = 3160, untranslate_hits = 125382
4 (Inside) to (outside) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.1.128.0 obj-10.1.128.0
    translate_hits = 0, untranslate_hits = 0

What I see a really overly complicated identity NAT.. I can respect wanting to use twice NAT rather than inlining everything with object NAT.. but as for the destination end of things?? Could I not clean most of these up with:

(real_interface) to (mapped_interface) source static obj-somesubnet obj-somesubnet

And call it a day?? Also - we only have two subnets in this office.. so if there were no other translations really taking place but some interface PAT in section 2.. could I not clean this entire table up (assuming our two subnets are: 172.16.0.0/16 and 10.2.100.0/24) with:

(real_int) to (mapped_int) source static obj-172.16.0.0 obj-172.16.0.0

(real_int) to (mapped_int) source static obj-10.2.100.0 obj-10.2.100.0

If I understand correctly - there should be no reason to have multiple destination NAT statements that have the same sources if they're just mapping the destination to itself (even if they are different destinations)?? What would be a scenario when you would want to do that?

What are some other reasons why the previous engineer would've felt the need to do this?? Are there other configuration elements that would translate an address outside of what is in NAT??

I know those are a lot of questions, but I'm very much looking forward to feedback on this!

Kindest Regards,

ALAN

Jouni Forss · ‎04-17-2013

Hi,

Well the first thing I see there is that the destination section holds a Private network.

This leads me to believe that there is a L2L VPN and/or VPN Client configured on the ASA.

Since all the NAT configurations have destination interface set to "outside" the NAT applies to traffic heading to Internet (In one form or another)

So if you were to remove the destination network what this would basically do is push all your private network traffic to the Internet without translation and needless to say no connection from those networks to Internet would work anymore.

If you DONT define the destination network, the NAT will apply to ANY destination networks. Therefore the above described situation would happen.

I recently made a NAT 8.3+ document. I am not sure if it would help you at all. I have still to finish it compltely and add more specific sections and explanations (like this situation) but have a look if you want

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

View solution in original post

Jouni Forss · ‎04-17-2013

Hi,

Well the first thing I see there is that the destination section holds a Private network.

This leads me to believe that there is a L2L VPN and/or VPN Client configured on the ASA.

Since all the NAT configurations have destination interface set to "outside" the NAT applies to traffic heading to Internet (In one form or another)

So if you were to remove the destination network what this would basically do is push all your private network traffic to the Internet without translation and needless to say no connection from those networks to Internet would work anymore.

If you DONT define the destination network, the NAT will apply to ANY destination networks. Therefore the above described situation would happen.

I recently made a NAT 8.3+ document. I am not sure if it would help you at all. I have still to finish it compltely and add more specific sections and explanations (like this situation) but have a look if you want

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

aLeffingwell · ‎04-17-2013

Wow, cool!! You're really helping my understanding.. gotcha

So - if I did what I proposed since these are manual NAT line 1 - yeah no internet - got it.

And I also see what you're saying, maybe there is site to site traffic to those private networks, that we don't want to translate, so he made the destinations like that to say: Hey ASA - I know we're doing interface PAT in section 2 - but if these internal IP's are destined for these other inside IP's out the outside interface, don't touch!

Right?? I am grateful for these forums to get such great feedback so quickly - thanks again.

I will definitely take a look at your document - have to read tons NAT is confusing!

Kindest Regards,

ALAN

Jouni Forss · ‎04-17-2013

Hi,

If you have configured the NAT in ASA software 8.2 (or older) then you could consider this a form of Policy NAT or NAT0 with ACL.

We define the source and destination networks for which this NAT should apply to. We also define wether or not we want to NAT either source or destination or both networks.

To simplify the format

nat (SOURCE,DESTINATION) source static REAL-SOURCE MAPPED-SOURCE destination static DESTINATION-MAPPED DESTINATION-REAL

We define

Source interface for the NAT
Destination interface for the NAT
The type of NAT translation for the NAT (source static or source dynamic) (destination is always static)
The real source address
The mapped source address (if we want to NAT at all)
The mapped destination address (if we want to NAT at all)
The real destination address

Dont hesitate to ask more. I will try to answer if I can.

If this already answered your question then please mark the question as answered. Only thing I personally ask for spending my time here Provided I give a good enough answer ofcourse

- Jouni

aLeffingwell · ‎04-17-2013

Haha, well despite my rather jumbled response, you did answer my question and most importantly gave me the logic behind these statements. This is very cool because now I can see there are a ton of private networks we're connected to that I need to understand more!

If you answer one more question for me I'll mark it correct - how do I clear the counters in the translate_hits and untranslate_hits.. I want to clear them and see which of these remote networks really get hit THESE DAYS over the next month or so.

Thanks in advance!

Sidenote: That document rocks - very comprehensive and straightforward.. keep up the fantastic, very much appreciated.

Kindest Regards,

ALAN

Jouni Forss · ‎04-17-2013

Hi,

This is an example from my own ASA with example NAT configuration

ASA# sh nat

Manual NAT Policies (Section 1)

1 (LAN) to (WAN) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24

translate_hits = 1, untranslate_hits = 1

ASA# clear nat counters

ASA# sh nat

Manual NAT Policies (Section 1)

1 (LAN) to (WAN) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24

translate_hits = 0, untranslate_hits = 0

Though there are more parameters after the "clear nat counters" command

ASA# clear nat counters ?

A.B.C.D Match original IP address

interface Specify an original interface

object Specify an original network/service object

object-group Specify an original network object-group

translated Specify the translated parameters

- Jouni

aLeffingwell · ‎04-17-2013

You're like a NAT-cyclopedia, thanks again sir - I am grading and marking these posts now! -ALAN

Jouni Forss · ‎04-17-2013

No problem, glad to help out

- Jouni