Twice NAT vs Network Object NAT

I have a firewall where there is an object in the dmz that needs to be translated to the outside and inside using the same IP address. I have noticed in the configuration that this is being done as a Twice NAT and a Network Object NAT, but I know the Twice NAT will take precedence. For instance, I have found the following configuration entries on the firewall:

object network obj_10.10.10.70
  host 10.10.11.70
object network obj_76.77.200.110
nat (dmz,outside) source static obj_10.10.10.70 obj_76.77.200.110
nat (dmz,inside) source static obj_10.10.10.70 obj_76.77.200.110
object network obj_10.10.10.70
  nat (dmz,any) static 76.77.146.81

Which way is the better practice to accomplish translating the object to the same IP on the outside and the inside? Should you keep the Twice NAT or the Object NAT?


3 Replies

Jouni Forss (VIP Alumni)

Hi,

You should be able to use either of the NAT Rule types to achieve this. What the above is essentially doing is Static NAT.

I personally prefer to do the Static NAT and Static PAT always with Network Object NAT.

When I want to override the Static NAT  (Network Object NAT) for example then I use some Twice NAT configuration. Consider for example a NAT0 / NAT Exempt type Twice NAT configuration that tells specifically when the NAT should be applied. In those cases the "destination static" is added to the end of the "nat" command to tell the remote network. So for that "destination" network(s) the Twice NAT would override the Network Object NAT but otherwise the Network Object NAT would apply.

Notice also that the Twice NAT can be overridden by Network Object NAT. Though this can ONLY happen when you use "after-auto" after the "()" in the configuration.

I would personally suggest using Network Object NAT for Static NAT configurations BUT Twice NAT is also an ok solution. In that case you have to manage the NAT ordering though. This is because for example when you have Static NAT and NAT0 configured with Twice NAT then there is a possibility that the Static NAT will override the NAT0 if the ordering is incorrect. I find it more clear when I know that Static NAT/PAT is always as Network Object NAT and NAT0/Policy type NAT configurations are Twice NAT. (Default Dynamic PAT/NAT I typically configure with Twice NAT with the added "after-auto" parameter which moves the rules at the very end of the NAT rules after Network Object NAT)

I wrote a document on the forums about the new NAT format if you want to take a look. It probably clarifies the different NAT Rule types and the ordering done by the ASA better than I can do in this post:

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

- Jouni

Thanks, that does help with mapping the same IP to multiple interfaces. What if you mapped two objects to the same IP based on the service? Would Twice NAT or Network Object NAT be used? For example, let's say you have two hosts 10.10.10.5 and 10.10.10.10 in the dmz. You want to map both to the outside IP of 76.77.200.40 but specify which service to use. For example, if it is HTTP use 10.10.10.5 and if SMTP use 10.10.10.10. Would the best way be to create the two following object NATs or use a Twice NAT?

object network obj_10.10.10.5
  nat (dmz,outside) static 76.77.200.40 service tcp http http
object network obj_10.10.10.10
  nat (dmz,outside) static 76.77.200.40 service tcp smtp smtp

Hi,

I would use Network Object NAT.

Though again I have to state that nothing is stopping you from using the Twice NAT format. That is what I mostly see Cisco people on these forums suggesting, but I personally prefer Network Object NAT.

The NAT configuration format using Twice NAT would be:

object network WEB-SERVER
  host 10.10.10.5
object network MAIL-SERVER
  host 10.10.10.10
object service HTTP
  service tcp source eq 80
object service SMTP
  service tcp source eq 25
nat (dmz,outside) source static WEB-SERVER interface service HTTP HTTP
nat (dmz,outside) source static MAIL-SERVER interface service SMTP SMTP

The above uses the "outside" interface IP address. If you wanted to use a separate IP address you could use:

object network WEB-SERVER
  host 10.10.10.5
object network MAIL-SERVER
  host 10.10.10.10
object service HTTP
  service tcp source eq 80
object service SMTP
  service tcp source eq 25
object network PUBLIC-IP
  host 76.77.200.40
nat (dmz,outside) source static WEB-SERVER PUBLIC-IP service HTTP HTTP
nat (dmz,outside) source static MAIL-SERVER PUBLIC-IP service SMTP SMTP

Let's say you configure the Twice NAT format. Then in the near future you have to configure NAT0 for some L2L VPN connecting a remote site to your head office. If you were to configure the NAT0 configuration using Twice NAT without taking into account the ordering of Twice NAT rules (didn't use the line number), then you would find that SMTP and HTTP traffic to the remote site wouldn't work while other traffic would. In this case, when we use Static PAT (Port Forward), we can naturally see that it wouldn't cause as much of a problem as Static NAT.

My personal split (mentioned in the document) of NAT Type is the following:

  • Twice NAT without "after-auto" (First NAT configurations to be matched)
    • NAT0
    • Policy NAT configurations
    • Other special NAT configurations
  • Network Object NAT
    • Static NAT
    • Static PAT
  • Twice NAT with "after-auto" (Last NAT configurations to be matched, only difference is the "after-auto" parameter)
    • Default Dynamic PAT and NAT rules for local networks.

Remember to mark any reply as correct answer if it answered your question. And/or rate helpful posts.

Naturally ask more if needed or if you wish me to clarify something.

- Jouni
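A small Python model of the matching order Jouni describes in both replies (Section 1: Twice NAT without "after-auto" in configuration order; Section 2: Network Object NAT; Section 3: Twice NAT with "after-auto"), added here as an illustration and not part of the original thread or of any Cisco code. It replays the NAT0 scenario from the reply: a static PAT for 10.10.10.5 placed as Twice NAT ahead of a later NAT0 rule captures the HTTP traffic to the remote site, while the same static PAT as Network Object NAT loses to NAT0 whatever the order. The remote-site network 192.168.50.0/24, the rule names and the test addresses are constructed.

```python
"""Toy model of ASA NAT rule matching order (added example, not ASA code).
Section 1: Twice NAT without after-auto, in configuration order.
Section 2: Network Object NAT.  Section 3: Twice NAT with after-auto.
Simplification: inside Section 2 the ASA also orders static before dynamic
and by prefix length; the single-host rules here do not exercise that."""
from ipaddress import ip_address, ip_network


def make_rule(section, name, src, dst=None, dport=None):
    """Rule = (section, name, real source net, destination net or None
    for any destination, destination port or None for any port)."""
    return (section, name, ip_network(src),
            ip_network(dst) if dst else None, dport)


def lookup(rules, src, dst, dport):
    """Name of the first rule matching a flow, walking Section 1, then 2,
    then 3, each in configuration order; None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for section in (1, 2, 3):
        for rsec, name, rsrc, rdst, rport in rules:
            if rsec != section or s not in rsrc:
                continue
            if rdst is not None and d not in rdst:
                continue
            if rport is not None and rport != dport:
                continue
            return name
    return None


# Constructed scenario: static PAT for the DMZ web server (tcp/80), a NAT0
# rule for an L2L VPN to remote site 192.168.50.0/24, and a default dynamic
# PAT for the DMZ configured with after-auto (Section 3).
STATIC_PAT = dict(name="static-pat-web", src="10.10.10.5/32", dport=80)
NAT0 = dict(name="nat0-remote-site", src="10.10.10.0/24", dst="192.168.50.0/24")
DYN_PAT = make_rule(3, "dynamic-pat-dmz", "10.10.10.0/24")

# A: both as Twice NAT, NAT0 appended later without a line number.
LAYOUT_A = [make_rule(1, **STATIC_PAT), make_rule(1, **NAT0), DYN_PAT]
# B: same, but NAT0 inserted ahead of the static PAT via a line number.
LAYOUT_B = [make_rule(1, **NAT0), make_rule(1, **STATIC_PAT), DYN_PAT]
# C: static PAT as Network Object NAT (Section 2), NAT0 as Twice NAT.
LAYOUT_C = [make_rule(2, **STATIC_PAT), make_rule(1, **NAT0), DYN_PAT]


def remote_http(layout):
    """Which rule handles HTTP from the web server to the remote site."""
    return lookup(layout, "10.10.10.5", "192.168.50.10", 80)
```

Layout A returns the static PAT for HTTP to the remote site (the VPN traffic is translated and breaks) while HTTPS to the same host still hits NAT0, which is the port-specific symptom the reply describes; layouts B and C return NAT0.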
